For the past several days the cyberworld has focused on the May 7 ransomware attack on Colonial Pipeline that shut down the largest refined products pipeline system in the U.S.
There’s a lot of evidence that the DarkSide group, confirmed by the FBI as responsible for the attack, has Russian connections. One of the clues: their malware deactivates if it finds itself on a computer with the default language set to Russian. It’s a common tactic, as hacking groups tend to operate on a spectrum from tacit approval to active support from the Russian government on the agreement that they do not conduct activities inside Russia or Russian-aligned countries. In practice, it’s often hard to draw a bright line between formal GRU activities and other Russian hacker groups, as the efforts of both are typically welcomed by Vladimir Putin.
DarkSide may have overreached here: its public statement claims the group’s aims were economic rather than political. True or not, the intense focus on a Russian attack that has real economic consequences in the U.S. was probably not the Kremlin’s goal. Historically, the DarkSide group has conducted two-pronged ransomware attacks against victims with deep pockets – they both steal data and encrypt it. They’ll offer to unlock encrypted data for ransom, and if the ransom isn’t met they’ll release data or information about the attack to competitors or unscrupulous stock traders who can short the victims’ stock before the breach becomes public.
There have been well-publicized cyberattacks against critical infrastructure before, from the attacks Russia launched against Georgia in 2008 to Stuxnet and the recent attack against the water treatment facility in Oldsmar, Fla. Ransomware attacks are nothing new, having been a staple of security headlines for at least half a decade. But many of the previous attacks were attacks against industrial control systems where the attackers went in with a specific plan to disable those operational technology (OT) systems and often used specific tools for doing so. By contrast, the Colonial attack looks like a traditional ransomware attack directed against mainstream IT systems, but it had the downstream effect of forcing Colonial to turn off its pipeline systems. Industrial control systems are often distributed and unmanned, so the cost appeal of enabling remote, networked administration is high. As IT and traditionally standalone OT systems become increasingly commingled, it becomes critical to take a holistic approach to protecting the entire realm of an organization’s digital assets rather than treating them as separate, independent entities – or assuming that OT is somehow “safe” because it’s in some way dissimilar.
Why the Colonial attack is different
As Colonial Pipeline learned the hard way, it’s no longer appropriate to think of OT systems as isolated, secure via obscurity, or unlinked from IT systems. Careful control of all network access points, network segmentation, and comprehensive network visibility with appropriate IT- and OT-monitoring tools can’t be delayed.
Over the past few years many IT organizations have embraced “hack yourself” approaches such as red teaming, penetration testing, and breach and attack simulation, but the scope of these exercises was often restricted to corporate email, web, and other mainstream systems. SOC teams are often staffed and equipped to monitor attacks against those systems. We must now expand our security efforts to include not only OT-specific visibility tools, but also friendly hacking attempts at the OT systems themselves, as well as thorough examination and testing of the connections between the two to guard against lateral movement and cross-contamination.
The principle of “zero trust” certainly applies here. If a hacker obtains a user’s credentials via a phishing campaign originally targeting economic or intellectual property theft, do those same credentials also enable access to critical OT systems? The effects of an IT attack on the Colonial Pipeline are headline news because of the disruption of the energy sector, but any company with a manufacturing production line could just as easily have been the victim.
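To make that question concrete, here is an added example (not code from the original article) that runs a simple IT-to-OT cross-zone authentication check over constructed sample login events: it flags logons from the corporate IT segment into the OT segment and lists accounts that have been used successfully in both zones. The subnet ranges, account names and event format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed network zones for this example: corporate IT vs. plant OT segment.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("192.168.50.0/24")

# Constructed sample authentication events: (timestamp, user, src_ip, dst_ip, outcome)
SAMPLE_EVENTS = [
    ("2021-05-07T08:01:12Z", "jdoe",    "10.10.4.21",   "10.10.1.5",     "success"),  # IT -> IT, normal
    ("2021-05-07T08:03:40Z", "jdoe",    "10.10.4.21",   "192.168.50.10", "success"),  # IT -> OT, flag
    ("2021-05-07T08:05:02Z", "svc_hmi", "192.168.50.3", "192.168.50.10", "success"),  # OT -> OT, normal
    ("2021-05-07T08:07:55Z", "asmith",  "10.10.9.77",   "192.168.50.12", "failure"),  # IT -> OT attempt, flag
]


def zone_of(ip):
    """Map an address to its zone label ("IT", "OT" or "other")."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "other"


def find_it_to_ot_auth(events):
    """Return every event (success or failure) where a logon crosses from the IT zone into the OT zone."""
    hits = []
    for ts, user, src, dst, outcome in events:
        if zone_of(src) == "IT" and zone_of(dst) == "OT":
            hits.append({"time": ts, "user": user, "src": src, "dst": dst, "outcome": outcome})
    return hits


def accounts_used_in_both_zones(events):
    """Accounts that have successfully authenticated to both IT and OT hosts: candidates for separate credentials."""
    zones = defaultdict(set)
    for _ts, user, _src, dst, outcome in events:
        if outcome == "success":
            zones[user].add(zone_of(dst))
    return sorted(u for u, z in zones.items() if {"IT", "OT"} <= z)


if __name__ == "__main__":
    for hit in find_it_to_ot_auth(SAMPLE_EVENTS):
        print("cross-zone logon:", hit)
    print("accounts used in both zones:", accounts_used_in_both_zones(SAMPLE_EVENTS))
```

In a real deployment the same logic would run over Windows security events or VPN/jump-host logs, and any account appearing in the second list is a direct answer to the question of whether one phished credential opens both worlds.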
When will people wake up? In reality, probably never, at least on their own. Here’s a great example of where public and private partnerships make sense. CISA, the FBI, and other government agencies tend to take hacks which impact national security and critical infrastructure seriously, and they get a lot of press. Hopefully this event will alert those who manage industrial systems to start embracing security with the same urgency as the more mature IT camp.