Colonial Pipeline Ransomware Attack Shows Companies Must Play Offense, Not Just Defense, with Cybersecurity

Colonial Pipeline Company said a ransomware attack is behind a multi-day petroleum pipeline shutdown that highlights how cybersecurity attacks can harm U.S. critical infrastructure and impact consumers, this time at the gas pump.

"The whole value from a ransomware standpoint is the more data they can encrypt, the more money they can ask for as ransom."

Scott Christensen, GrayMatter Cyber Practice Director

Unfortunately, that makes U.S. energy providers, manufacturers and water/wastewater municipalities prime targets for cybercriminals and state actors that use cybercrime to finance their operations in eastern Europe or Asia.

About Colonial Pipeline

Colonial Pipeline transports 2.5 million barrels of refined petroleum products a day from Gulf Coast refineries, making it the largest such operation in the U.S. The longer the pipeline operation disruption lasts, the more likely it is that consumers will see gasoline prices increase because of the unexpected scarcity.

The Attack

Little is known about how the ransomware attack gained access to Colonial’s system, but it can sometimes happen when an employee clicks a malicious phishing link in an email or an employee or contractor uses a tainted USB flash drive. The Russian hacking group DarkSide has claimed responsibility for the attack.

“There are so many different attack vectors, and that can make it difficult,” Christensen said. “In the industrial world we rely on a lot of legacy technology because it’s just not practical to update, so without the updates, you’re leaving yourself open to exposure points — not just current ones but even ones that have been around for 10 or 15 years.”

“You start to put these controls in place, and if you follow the Department of Homeland Security NIST framework, you start moving through a cybersecurity maturity model,” Christensen said. “You start with: Have I identified my risks? If I’ve identified them, do I have protections in place? Am I detecting threats as they happen, rather than reacting to them? Do I have an incidence response and recovery plan?

“Organizations need to have a plan in place to know what to do if they get attacked,” he said.

Three Ways to Improve Cybersecurity Protections

1. Deception Technology

Deception tech, like GrayMatter’s solution GrayMatterGUARD, can contain ransomware threats regardless of the source, alert operators to anomalous outbound network traffic and block ransomware’s ability to communicate back to its source.

2. Network Segmentation

Controls can prevent each network user from having a clear-shot view of other, more sensitive or operations-facing parts of the network, which means that if an employee click a malicious link, it’s contained.

3. Encrypted Traffic

Deploying Host Identity Protocols (HIP) allows companies to encrypt traffic end-to-end and requires another level of peer authentication.

Contact GrayMatter to schedule a cybersecurity briefing or assessment, or check out GrayMatterGuard.

“The more data they can encrypt, the more money they can ask for as ransom”

Deception technology, in particular, is a method many organizations with operational technology are using to move from a defensive posture to an offensive one, Christensen said. Deception tech can stop threats at the network perimeter by using decoys made to look like genuine network assets. Instead of affecting high-value systems, an attack wastes time on a fake asset that alerts network administrators of a problem early in the so-called cyber kill chain.

Part of the difference is also in the mindset and realizing that, sadly, ransomware attacks are inevitable, but the outcome isn’t.

Colonial’s high-profile incident isn’t unique.

Dozens of U.S. cities have fallen victim to ransomware attacks during a surge in the past 2.5 years. Many such attacks, especially those involving private companies, are never disclosed.

In February, a water utility in Oldsmar, Fla., was hit with a cybersecurity attack that exploited a remote desktop vulnerability and is thought to have allowed an intruder to attempt to increase the amount of a chemical used in drinking water to a danger level. The attack was thwarted by an alert operator.

In a trio of statements posted to its website, Colonial said it proactively shut down its operations as a precaution on May 8 once it learned that it was the victim of a ransomware attack, and engaged with a third-party cybersecurity vendor.

On May 10, Colonial said the interruption could last a week.

“You need to work with a partner who has seen these kinds of things and can help you develop a plan for what to do and how to do it.” Christensen said. “Remediating an attack like this is a massive cost exercise, but it’s much easier and less costly to prevent.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

GrayMatter Digital Plus Program

GrayMatter Acquires Premier Systems Integration Firm, E-Merge Systems