Ransomware

What we’ve learned from the Colonial Pipeline cyberattack, and what to do about it

SC Staff, May 13, 2021
Today’s columnist, Grant Geyer of Claroty, offers some actionable advice in the wake of the Colonial Pipeline cyberattack. (Photo: OrbitalJoe, Creative Commons CC BY-NC-ND 2.0)
  • The emergence of targeted ransomware. While we don’t know exactly how DarkSide introduced ransomware into Colonial Pipeline’s IT network, we do know that DarkSide targets specific high-value companies. Once an infection occurs, improper segmentation between IT and OT environments enables OT ransomware infections. By isolating and segmenting OT, organizations can stop the lateral spread of ransomware.
  • Technological obsolescence. Attacks against critical infrastructure have been increasing in both frequency and severity. As cybercriminals seek opportunities for extortion, our reliance on emerging technology gives critical infrastructure an enormous attack surface and leaves it highly vulnerable. Many ICS environments run on obsolete technology that is patched infrequently, if at all, which leaves security below acceptable risk tolerances. Updating technology and improving governance can therefore go a long way toward mitigating risk.
  • The need to secure distributed environments. Pipelines are highly distributed environments and the tools used to grant asset operators remote connectivity are optimized for easy access, rather than security. This gives attackers opportunities to sneak through cyber defenses, as we saw in the Oldsmar attack.
  • Energy companies are especially at risk. Claroty researchers have found that energy companies are among the sectors most affected by ICS vulnerabilities. The energy sector saw a 74% increase in ICS vulnerabilities disclosed during the second half of 2020 compared to the second half of 2018. This shows that cybercriminals have many ways of exploiting the controls of industrial networks.
  • Patch all systems or maintain compensating controls. While patching systems in OT environments requires maintenance windows, attackers are most commonly targeting obsolete or unpatched Windows systems. If it’s not possible to patch, ensure there are compensating controls (e.g. firewall rules, ACLs) in place to reduce the inherent risk.
  • Implement strong authentication for all OT users. Despite the sensitivity of OT environments, many organizations still use single-factor user names and passwords to access assets, and in some cases shared passwords. Implement strong multifactor authentication to ensure that users are who they say they are, and establish least-privilege access for users.
  • Segment the network. Many OT environments were designed primarily for access and not for security, meaning they are “flat” and therefore would allow for a ransomware infection to propagate quickly. Implementing network segmentation would limit the scope and impact of a ransomware attack.
  • Conduct a tabletop exercise. Running a tabletop exercise can help various stakeholders understand organizational and technical preparedness for an event of this nature. Are the backup and restore capabilities in place? Are board members prepared to act? Does the company have cyber insurance in place to pay a ransom?