The ransomware attack against Colonial Pipeline that sent shockwaves throughout the U.S. economy and jacked up fuel prices across the country is a stark warning that ransomware and other cyberattacks continue to pose a significant threat our critical infrastructure.
Cybercriminals were emboldened in 2020 as organizations were dealt an increased attack surface with employees working from everywhere with a larger-than-ever dependency on technology to do their jobs. Ransomware was especially prevalent, with some reports suggesting that ransomware attacks increased by over 700%, according to a mid-year 2020 Bitdefender report.
If the IT professionals charged with securing our critical infrastructure haven’t already opened their eyes to this alarming trend, then they should now, says James Carder, chief security officer at cybersecurity firm LogRhythm, a seasoned IT security professional with more than two decades of experience working for Fortune 500 companies and U.S. agencies.
“Ransomware is an interesting one because it it’s not custom-built for certain industry verticals or certain companies sizes or whatever the case is,” Carder says. “There’s universal applicability.”
What happened to Colonial Pipeline and why it matters to you
Colonial Pipeline, the largest pipeline operator in the U.S. and one of the main suppliers of fuel to the East Coast, was hit on May 7 with ransomware from the ransomware-as-a-service group DarkSide, and the company’s systems were taken offline to prevent further intrusion. How the group initially gained access into the company’s network is still being investigated.
The company restored operations on May 13, but that came at a cost.
According to news reports, the company paid upwards of $5 million in ransom to the hacking group.
Just a few days later, DarkSide said its sever and cryptocurrency were seized by an unknown country, and the group said it would cease operations.
Other research indicates that DarkSide took in just over $90 million in Bitcoin ransom payments from 47 different wallets over just nine months – not a bad way to make a living.
While the debate about whether organizations should pay a ransom to have their data back safe and sound continues, the decision for Colonial was a hard – but necessary – one to make.
“There were significant downstream ramifications of this,” Carder says, adding that the entire U.S. economy could have been thrown into a downward spiral if a leading supplier of fuel to the East Coast couldn’t deliver.
A wake up call for infrastructure IT pros
According to Carder, attacks against critical infrastructure should be a wake-up call for the entire IT community, especially those tasked with protecting critical infrastructure like fuel and water.
“The main thing is just understanding that it could happen to anybody,” Carder says, citing the hack of a Florida city water treatment plant in which a malicious actor attempted to increase the level of a chemical that could have been harmful to thousands of residents.
Carder, who spent time working for cybersecurity company Mandiant investigating attacks against critical infrastructure and utility organizations, says attacks against those industries is more common than we think.
As technology catches up and more IT is introduced to the operational technology (OT) side of the equation, cybersecurity tends to fall by the wayside. Historically, critical infrastructure control systems and OT components have been “air gapped,” meaning it is isolated from unsecured networks.
“We’re starting to see that all go away as IT injects more and more into the OT side,” Carder says.
Critical infrastructure is now littered with smart technology like sensors that are on the network and report data back to the operators, which is making these organizations vulnerable. And, operators want to be able to remotely manage those systems, which is leading to an increased use in remote management software.
“The attacks and attack vectors and what is being used aren’t novel or unique,” carder says. “A lot of the times, it’s just a repeat of the attacks that have been working on the IT side.”
Innovation can sometimes come at the expense of cybersecurity, the latter of which is typically a few years behind.
“We’ve learned all these lessons on the IT side and innovation on just general corporate systems and technology on that side, and we just need to apply a lot of that over into the OT,” Carder says. “That just hasn’t been done.”
At the very least, invest in basic cybersecurity protections
As IT continues to merge with OT, organizations need to invest in the same cybersecurity solutions and practices that they implement throughout the corporate network.
While its unknown how DarkSide first infiltrated Colonial’s network, many cybercriminals do so through unpatched systems or phishing attacks. And, they attack the lowest-hanging fruit and seize cybersecurity lapses.
In the case of the Florida water treatment plant hack, the system was running on an unsupported version of Windows, workers shared a password and they used a popular remote access program to control the plant.
“I think part of that would have prevented is just to have some basic controls and basic IT hygiene and making sure you’re patching systems and backing things up and doing all the normal things that you would expect on the IT side of things, but applying it to the OT side as well,” Carder says.