Colonial Pipeline attack embodies security risk to nation’s critical infrastructure

Security experts warned for years about attacks against critical infrastructure, but one analyst called this the most brazen yet.

Dive Brief:

  • Colonial Pipeline, the largest refined products pipeline in the U.S. and a major supplier of gasoline and jet fuel to the East Coast and a number of southern states, shut down after a ransomware attack Friday, the company said in a statement Saturday.
  • Colonial Pipeline retained FireEye/Mandiant to manage the investigation, according to a spokesperson from the cybersecurity company. DarkSide ransomware is responsible for the compromise, the FBI confirmed in a statement to Cybersecurity Dive Monday.
  • By Sunday, the company had restored some smaller, lateral lines between terminals and delivery points, but the main lines remained shut off. Colonial Pipeline is in the process of restoring service to other laterals and is awaiting clearance from authorities.

Dive Insight:

The attack highlights the growing concerns among federal cybersecurity officials, members of Congress and industry researchers that the nation’s critical infrastructure is at risk of a crippling cybersecurity breach or malicious attack.

“Warning lights have been flashing for some time now, but this is the most brazen attack on critical infrastructure yet,” Katell Thielemann, research VP at Gartner, said via email. “It shows a complete lack of norms of engagement and fear of reprisal in the cyber domain, when criminal actors feel empowered to target critical assets that underpin the lives of millions.”

Government agencies ranging from the Department of Energy to the Transportation Security Administration have been working with the Cybersecurity and Infrastructure Security Agency to manage the response to this attack, which may have significant impacts on gasoline supply.

The Department of Transportation issued a temporary exemption on fuel transport that would allow greater flexibility to transport gasoline, jet fuel and related products to most of the eastern U.S. states.

“We are engaged with the company and our interagency partners regarding the situation,” Eric Goldstein, executive assistant director of the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency, said in a statement. “This underscores the threat that ransomware poses to organizations regardless of size or sector.”

The American Petroleum Institute is closely monitoring the situation and said that cybersecurity is a top priority for the industry, according to Suzanne Lemieux, manager of operations security and emergency response policy at API.

DarkSide, the group suspected of being behind the ransomware attack, is a relatively new organization that uses double extortion: it encrypts the target’s data while also exfiltrating data and threatening to make it public, according to Cybereason. While the method of attack has not been disclosed in this incident, DarkSide has previously targeted domain controllers.

The energy sector has been particularly wary of cyber risk since a 2018 report highlighted the rising threats of malicious cyber activity against operational technology. The use of automation and connections between operational and information technology systems inside major companies added to the concerns.

“Most industrial environments, including oil pipelines, are no longer air gapped, which means they’re exposed to the outside world,” Marty Edwards, vice president of OT security at Tenable and the former director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said via email. “This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa.”

For example, the attack against the Oldsmar, Florida water treatment facility exploited an attack vector that was open to anyone on the internet, in that case a remote access software platform that had been installed on the system, Edwards said.

“This is the sort of issue that concerns us in all these infrastructure systems that have undergone significant automation over the past two decades,” Mark Montgomery, senior fellow at the Foundation for Defense of Democracies and senior advisor to the Cyberspace Solarium Commission, said via email. “If the cybersecurity effort does not keep pace, you can have vulnerabilities in your IT, or your OT, or both.”

CSC co-chairs Sen. Angus King, I-Maine, and Rep. Michael Gallagher, R-Wis., said they were disappointed, but not surprised by the Colonial Pipeline attack. The incident highlights the vulnerability of the nation’s critical infrastructure and underscores the need for more robust public-private collaboration to protect the pipeline system and the nation’s electric grid, they said.

“The systemically important critical infrastructure entities, and their most vital systems and assets, are pressure points in our grid, and targets for both nation state adversaries and criminal actors, allowing them to scale up the effects of cyber campaigns and the risk they can pose to the United States in peacetime and in crisis,” King and Gallagher said in a joint statement.