“The whole value from a ransomware standpoint is the more data they can encrypt, the more money they can ask for as ransom.”
Scott Christensen, GrayMatter Cybersecurity Practice Director
Unfortunately, that makes U.S. energy providers, manufacturers and water/wastewater municipalities prime targets for cybercriminals, and for state actors in eastern Europe or Asia that use cybercrime to finance their operations.
Colonial Pipeline transports 2.5 million barrels of refined petroleum products a day from Gulf Coast refineries, making it the largest such operation in the U.S. The longer the pipeline operation disruption lasts, the more likely it is that consumers will see gasoline prices increase because of the unexpected scarcity.
Little is known about how the ransomware gained access to Colonial’s network, but such intrusions can begin when an employee clicks a malicious phishing link in an email, or when an employee or contractor plugs in a tainted USB flash drive. The Russian hacking group DarkSide has claimed responsibility for the attack.
“There are so many different attack vectors, and that can make it difficult,” Christensen said. “In the industrial world we rely on a lot of legacy technology because it’s just not practical to update, so without the updates, you’re leaving yourself open to exposure points — not just current ones but even ones that have been around for 10 or 15 years.”
“You start to put these controls in place, and if you follow the Department of Homeland Security NIST framework, you start moving through a cybersecurity maturity model,” Christensen said. “You start with: Have I identified my risks? If I’ve identified them, do I have protections in place? Am I detecting threats as they happen, rather than reacting to them? Do I have an incident response and recovery plan?
“Organizations need to have a plan in place to know what to do if they get attacked,” he said.
1. Deception Technology
Deception tech, like GrayMatter’s deceptionGUARD, can contain ransomware threats regardless of the source, alert operators to anomalous outbound network traffic and block ransomware’s ability to communicate back to its source.
2. Network Segmentation
Controls can prevent each network user from having a clear-shot view of other, more sensitive or operations-facing parts of the network, which means that if an employee clicks a malicious link, the damage is contained to that segment.
3. Encrypted Traffic
Deploying the Host Identity Protocol (HIP) allows companies to encrypt traffic end-to-end and requires another level of peer authentication before two hosts can communicate.
Contact GrayMatter to schedule a cybersecurity briefing or assessment, or check out our deception tech solution, deceptionGUARD, and its main features.
Deception technology, in particular, is a method many organizations with operational technology are using to move from a defensive posture to an offensive one, Christensen said. Deception tech can stop threats at the network perimeter by using decoys made to look like genuine network assets. Instead of affecting high-value systems, an attack wastes time on a fake asset that alerts network administrators of a problem early in the so-called cyber kill chain.
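The two detection ideas above, a decoy that no legitimate process should ever touch and an alert on unexpected outbound traffic from the operations network, can be reduced to a small policy check over connection records. The following is an added example written for this page; it is not GrayMatter or deceptionGUARD code, and the zone, decoy addresses, egress allowlist and flow records are constructed for the illustration.

```python
"""Decoy-contact and egress-anomaly detection over connection records.

Any flow whose destination is a decoy is a high-confidence alert, because
no real workstation or controller is configured to talk to it.  Any flow
from an OT host to a destination outside the OT zone and outside the
egress allowlist is flagged as a possible command-and-control callback and
marked for blocking.  All addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed layout (assumption, not taken from the article).
OT_ZONE = ip_network("10.20.0.0/16")            # PLCs, HMIs, historians
DECOYS = {                                       # decoys posing as OT assets
    ip_address("10.20.5.250"): "fake-plc-07",
    ip_address("10.20.5.251"): "fake-historian",
}
# The only destinations OT hosts may reach outside their own zone.
EGRESS_ALLOW = [ip_network("10.10.1.0/24")]      # DMZ patch relay / jump host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    kind: str      # "decoy_contact" or "egress_anomaly"
    src: str
    dst: str
    dport: int
    action: str    # "alert" or "block"
    detail: str


def evaluate(flow: Flow) -> List[Alert]:
    """Return zero or more alerts for a single connection record."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    alerts: List[Alert] = []

    # 1. Decoy contact: nothing legitimate knows the decoy exists, so any
    #    touch, even a single SYN, is treated as reconnaissance or lateral
    #    movement and surfaces early in the kill chain.
    if dst in DECOYS:
        alerts.append(Alert("decoy_contact", flow.src, flow.dst, flow.dport,
                            "alert", f"touched decoy {DECOYS[dst]}"))

    # 2. Egress anomaly: an OT host reaching outside the zone to a destination
    #    that is not allowlisted.  This is the path ransomware would use to
    #    call back to its operator, so the action is to block, not just alert.
    leaves_zone = src in OT_ZONE and dst not in OT_ZONE
    if leaves_zone and not any(dst in net for net in EGRESS_ALLOW):
        alerts.append(Alert("egress_anomaly", flow.src, flow.dst, flow.dport,
                            "block", "outbound to non-allowlisted destination"))
    return alerts


def triage(flows: List[Flow]) -> List[Alert]:
    return [alert for flow in flows for alert in evaluate(flow)]


def hosts_to_isolate(alerts: List[Alert]) -> List[str]:
    """Sources that touched a decoy: candidates for immediate containment."""
    return sorted({a.src for a in alerts if a.kind == "decoy_contact"})


# Constructed sample records: one HMI doing normal Modbus work, then probing
# decoys and attempting an outbound connection to an internet address.
SAMPLE_FLOWS = [
    Flow("10.20.3.11", "10.20.3.12", 502),     # HMI -> real PLC: normal
    Flow("10.20.3.11", "10.10.1.5", 443),      # HMI -> patch relay: allowed
    Flow("10.20.3.11", "10.20.5.250", 502),    # HMI -> decoy PLC: alert
    Flow("10.20.3.11", "10.20.5.251", 445),    # HMI -> decoy historian: alert
    Flow("10.20.3.11", "203.0.113.9", 443),    # HMI -> internet: block
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(f"{alert.action.upper():5} {alert.kind:15} {alert.src} -> "
              f"{alert.dst}:{alert.dport}  ({alert.detail})")
    print("isolate:", hosts_to_isolate(triage(SAMPLE_FLOWS)))
```

The decoy check and the egress check are deliberately independent: a host that only calls out is blocked at the boundary, a host that only probes decoys is flagged for containment, and a host that does both shows up in both lists. In a real deployment the flow records would come from the zone firewall or a network sensor, and the block action would be pushed to that boundary device rather than computed offline.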
Part of the difference is also in the mindset and realizing that, sadly, ransomware attacks are inevitable, but the outcome isn’t.
Colonial’s high-profile incident isn’t unique.
Dozens of U.S. cities have fallen victim to ransomware attacks during a surge in the past 2.5 years. Many such attacks, especially those involving private companies, are never disclosed.
In February, a water utility in Oldsmar, Fla., was hit with a cybersecurity attack that exploited a remote desktop vulnerability and is thought to have allowed an intruder to attempt to raise the amount of a chemical used in treating drinking water to a dangerous level. The attack was thwarted by an alert operator.
In a trio of statements posted to its website, Colonial said it proactively shut down its operations as a precaution on May 8 once it learned that it was the victim of a ransomware attack, and engaged with a third-party cybersecurity vendor.
On May 10, Colonial said the interruption could last a week.
“You need to work with a partner who has seen these kinds of things and can help you develop a plan for what to do and how to do it,” Christensen said. “Remediating an attack like this is a massive cost exercise, but it’s much easier and less costly to prevent.”