Gil Ben-David
On Friday, Colonial Pipeline Company, which operates a pipeline that the company says transports approximately 45% of the East Coast’s fuel supplies, blamed a shutdown of the pipeline on a cyberattack against the company’s computer systems. A statement released by the company described the attack as a ransomware attack, which led the company to “proactively [take] certain systems offline to contain the threat” and “temporarily halted all pipeline operations”. As of this morning, five days after the attack was first reported, the pipeline is still shut down, and it is not expected to return to full capacity for another few days. Meanwhile, the shutdown has led to fuel shortages along the East Coast.
The attack against Colonial Pipeline serves as a reminder of how vulnerable critical infrastructures are to cyberattacks, and raises the question: “if this is the level of cybersecurity protecting our ‘critical’ infrastructures, what kind of protection do ‘ordinary’ businesses and organizations have?” Unfortunately, the answer is often disappointing.
Ransomware attacks against corporate computer systems, like the one reported by Colonial Pipeline, where hackers gain access to a network and hold a company’s assets hostage while demanding a ransom, have become more frequent this past year – thanks in part to the transition to remote work. Ransomware attackers typically encrypt a business’s information to prevent access to it, or threaten to harm the company or its clients (often by releasing sensitive information) unless a ransom is paid. Industrial organizations and critical infrastructures face an additional threat of physical harm to machines and infrastructure – which could theoretically disrupt normal operations, or lead to potential oil spills or gas leaks and cause significant long-term damage.
Like many other types of cyberattacks, the initial breach method in most ransomware attacks relies on corporate email systems. Attackers will often send malicious email messages (an act known as “phishing”) to the company’s employees in an attempt to infect endpoints in the organizational network with malware. After gaining initial access to one or more endpoints, the attackers typically attempt to infect other devices by spreading out through the network as they attempt to reach their target(s). During this process of “lateral movement” through the network, compromised devices will typically be used as an attack platform against other devices or systems.
Critical infrastructure systems, like the one operated by Colonial Pipeline, generally aren’t accessible from the “outside world”, and are mostly configured in a way that should only allow access from “secure” internal organizational networks. Securing such systems relies on a defense-in-depth methodology, where system administrators protect important assets by surrounding them with multiple security layers. These overlapping security layers are designed to slow down attacks and improve the company’s chances of detecting attacks before they succeed in reaching their target. For this reason, cyberattacks targeting critical infrastructure systems will often target a company’s corporate computer systems first, and then use them as a platform to attack industrial operation systems.
Whether or not the attackers who hacked Colonial Pipeline threatened to attack the pipeline itself, or even had the capability to do so, is not publicly known at this point. Judging by the company’s actions and statements, it is clear that this is the type of scenario they are trying to avoid.
It is also clear that considerably more needs to be done to protect critical infrastructures against cyberattacks. With the shutdown expected to continue for at least a few more days, this incident gives us a glimpse of what can happen in a more severe case – and of what could have happened if the shutdown was a direct result of the attack instead of a “precautionary measure” taken by the company.
If the company’s claims that the current shutdown was not a direct result of the attack are to be believed (there is no reason not to at this point), then the fact that they preemptively shut down the pipeline to “monitor and protect [its] safety and security” also demonstrates a different kind of threat that is often ignored. One where the attackers – unable to reach their target directly – are able to manipulate their victim into causing self-inflicted harm and doing their “dirty work” for them.
It is important to note that without having all of the information related to this specific attack, there is no way to evaluate whether or not shutting down the pipeline was the right call. It is very likely that Colonial Pipeline did not have a better option given the circumstances, and the professionals responding to this attack are undoubtedly doing the best they can with what is usually a limited amount of information during the early stages of an attack.
That said, this attack makes it easy to imagine a scenario where a relatively simple attack (such as a ransomware attack against a corporate computer network) can cause panic and lead to an overreaction in the form of a precautionary shutdown that is equivalent to a denial-of-service attack at the national level. In other words, this is a vivid example of how attackers don’t necessarily need to reach their actual target and can leverage a much less significant attack to get their victim to do the work for them.
Many factors go into the decision of whether or not to shut down a major piece of infrastructure. They all boil down to one question: “will the probable outcome of not shutting down be worse than the cost of shutting down?” Answering this question depends on the perceived chance of the attack succeeding and the expected cost of the potential damage. Ultimately, the decision to “cut your losses” by preemptively shutting down service is based on an organization’s level of trust, or lack thereof, in its security operation’s ability to prevent the attack. An organization that lacks confidence in its defense mechanisms is more likely to choose the known costs of a preemptive shutdown over the costs of unknown potential damage.
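The shutdown question above can be written as an expected-cost comparison, and the defense-in-depth layers described earlier feed directly into the “perceived chance of the attack succeeding”. The following is an added illustration, not part of the original post and not a model Colonial Pipeline or Cyfenders is known to use; the layer detection rates, damage figure and shutdown cost are constructed, hypothetical numbers chosen to show how the decision flips once an organization trusts its layers.

```python
"""Expected-cost model of a precautionary shutdown decision (added example).

Assumptions (hypothetical, not from the post): security layers are
independent, each catching the attacker with probability d_i; the attacker
reaches the target only by evading every layer; damage and shutdown cost are
expressed in the same currency units.
"""
import math


def breach_probability(layer_detection_rates):
    """Chance the attack reaches its target given independent defense layers."""
    p_evade_all = 1.0
    for d in layer_detection_rates:
        p_evade_all *= 1.0 - d
    return p_evade_all


def should_shut_down(layer_detection_rates, damage, shutdown_cost):
    """Shut down when the expected cost of keeping running exceeds the
    known cost of a precautionary shutdown."""
    expected_damage = breach_probability(layer_detection_rates) * damage
    return expected_damage > shutdown_cost


def breakeven_detection_rate(n_layers, damage, shutdown_cost):
    """Minimum uniform per-layer detection rate d at which keeping the
    service running becomes no more costly than shutting it down:
    (1 - d)**n * damage <= shutdown_cost  =>  d >= 1 - (cost/damage)**(1/n)."""
    return 1.0 - (shutdown_cost / damage) ** (1.0 / n_layers)


if __name__ == "__main__":
    DAMAGE = 1e9        # constructed: potential damage if the attack succeeds
    SHUTDOWN_COST = 1e8  # constructed: known cost of a precautionary shutdown
    # Untested, low-confidence layers: each only trusted to catch 30% of attacks
    weak = [0.3, 0.3, 0.3]
    # Layers repeatedly exercised by pentests and attack simulations
    strong = [0.8, 0.8, 0.8]
    print("weak layers   -> shut down?", should_shut_down(weak, DAMAGE, SHUTDOWN_COST))
    print("strong layers -> shut down?", should_shut_down(strong, DAMAGE, SHUTDOWN_COST))
    print("break-even per-layer detection rate: %.3f"
          % breakeven_detection_rate(3, DAMAGE, SHUTDOWN_COST))
```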
Reducing the risks of ransomware and other types of cyberattacks ultimately involves implementing a comprehensive cybersecurity program that combines technological, procedural, and physical security mechanisms. Once in place, it is important to continuously test and improve security through the use of penetration testing, attack simulations, and employee training.
Implementing a comprehensive cybersecurity program that is based on the organization’s unique circumstances and a current prioritized risk analysis is an important and cost-effective way to improve the organization’s readiness for cyberattacks. As a side benefit, knowing that an organization’s defenses have been repeatedly tested in a secure environment helps raise confidence in the program’s ability to do its job – making decision makers less likely to choose to shut down their services.
Based on nearly two decades of defending government agencies, critical infrastructures, and private businesses of all types and sizes, Cyfenders CISO services help design security mechanisms that combine aspects such as network segmentation, security monitoring, training, tabletop exercises and incident response plans, business continuity and disaster recovery plans (BCP and DRP).
This post relies entirely on public information related to the Colonial Pipeline cyberattack, as well as information and experience gained from many years of responding to similar critical infrastructure cyberattacks.