Cyber attack on Colonial Pipeline’s systems

Guest post from the ICS cyber security blog:
Colonial Pipeline’s systems under cyber attack

May 08, 2021 – icscybersec

Several news sources have reported today that a cyber attack hit the systems of the US company Colonial Pipeline (which transports nearly half a million litres of fuel per day through its pipelines) on Friday. The attack (a ransomware attack, so far) affected “some of their IT systems” and “as a precautionary measure, they have temporarily shut down certain systems, including some systems involved in the operation of the pipelines.”

Further details are not yet available, but it was clear last year that there is no industry that is not being targeted by ransomware – how prepared are Hungarian companies for such threats?

Editor (10.05.2021). Such a decision, in my view, requires very strong financial risk analysis skills, as one has to balance one risk (the financial loss from shutting down the entire pipeline) against another risk (the financial loss from delivering fuel without a functioning trading system). Incidentally, according to my source, this is not the first such cyber security incident involving pipeline network IT/OT systems.

At the same time, Robert M. Lee, who has been quoted quite a few times on this blog, has also spoken out about the incident, posting the following on Twitter (I don’t usually quote English sources at length on the blog, but there are several things in this thread that could and should be written about in a bit more detail in the coming weeks – I hope to have time, but if anyone has an opinion on this or any other part of this, feel free to do so, even in the comments, it could start an interesting conversation):

“In my opinion there’s some bad takes out there but overall it’s completely reasonable that folk are paying attention. This is the most disruptive incident we’ve seen on US energy infrastructure from cyber instrusions. Colonial Pipeline is the victim and has done a lot right. They contacted a top tier incident response firm (FireEye/Mandiant) for the enterprise compromise (only IT impacted it seems) to lead the response. They informed the USG [US Government – ed.] who had great folks form CISA/FBI/DOE supporting. They focused on safety and took operations down proactively.

Congress and others will reasonably ask: “If a criminal can do this, what more could a state adversary do?” While we should avoid hype this is a very reasonable question. The reality is our infrastructure is undergoing a rapid digital transformation. While the ransomware was confined to IT this could have been much worse if it had hit OT and at Dragos we have handled such cases and they candidly suck. As our industries change the historical mindset of “segment and disconnect OT” just isn’t practical in most cases. 75+% of many of the standards/regulations/frameworks/etc. push for preventive controls (segmentation, authentication, anti-malware, patching, etc.) all good controls but that leaves an under investment in detection and response. As our infrastructure changes, so will our threats.

What we see most commonly is without visibility and monitoring in OT networks the preventive controls are not applied everywhere and atrophy over time unkowningly to the defenders. Many realise this though. The current White House administration has rightfully pushed for a 100 day action plan to encourage visibility, detection, and response enchancements in OT in the electricity sector and likely following suit in water and natural gas to raise awareness.

To the practitioners out there thinking about their OT networks I would encourage engaging firms with OT/ICS incident response experience. Conduct a TTX to reherse. Use burn down to do an Architecture Review of what you have today and it’s state. Then move into monitoring in OT. For the executives out there realize your IT and Security staff are usually already under invested in. Picking up a whole new mission set with focus (OT) requires additional resources. Elevate the conversation in your org and invest in your people to enable your business.”

Edit2: The news continues to flow, I just came across posts about the Waterfall and Dragos incidents as interesting sources and an interesting article from a domestic aviation site, AirPortal.hu, which says that the temporary pipeline shutdown of the Colonial Pipeline will have a serious impact on the kerosene supply to airports in some southern and eastern US states after only 2-3 days.

One more interesting fact: While searching for the link to the Dragos blog post, I found another of their papers from early 2020, where they write about a ransomware attack against another pipeline company used to transport natural gas (which escaped my attention at the time). So my source was absolutely right when he said this was not the first time a company operating pipelines used in the US energy sector had been hit by a ransomware attack.

***

The original guest post was published on the ICS cyber security blog.

Translated by DeepL.