Business Lessons from the Colonial Pipeline Attack

  • According to IBM’s X-Force Threat Intelligence Index 2021 study, the energy sector moved from 9th position in 2019 to 3rd place in 2020 among the sectors most frequently confronted with cyberattacks.
  • In May 2021, the Colonial Pipeline was the target of a ransomware attack. It infected the pipeline’s digital systems, causing it to go offline for several days.
  • Colonial Pipeline paid DarkSide a ransom of $4.4 million (USD) for decryption keys to open their systems.

The Colonial Pipeline is one of the largest and most important oil pipelines in the United States. In May 2021, it was the target of a ransomware attack. It infected the pipeline’s digital systems, causing it to go offline for several days. Consumers and airlines on the East Coast were affected by the closure.

Because the pipeline carries oil from refineries to industrial markets, the intrusion was declared a national security threat. Experts have confirmed that the attackers gained access to the Colonial Pipeline network through an insecure password for a VPN account.

Many businesses use a Virtual Private Network (VPN) to enable secure, encrypted remote access to their corporate network. So the risk is huge and deserves attention!

Lessons learned

1. The convergence of OT and IT networks creates additional risk.

Colonial’s decision to shut down its entire pipeline network – for the first time in its history – was based on a lack of knowledge about who was attacking, what their motives were, and how the attack could harm its operational technology (OT) infrastructure. The lack of a complete understanding of OT network operations and integrations turned the incident into a problem considerably more serious than a “simple” compromise of back-office systems.

Maintaining separation between OT and information technology (IT) networks, unless absolutely necessary, and tightly controlling and monitoring them can help reduce risk.

2. A successful breach spawns more hacking attempts

The attack on the Colonial Pipeline had repercussions, as phishing attacks against other energy companies increased shortly after the incident. One campaign sent a notice to Microsoft 365 subscribers, ostensibly from their IT help desk, urging them to install a “ransomware system update” to escape the same fate as Colonial Pipeline.

Of course, the download was designed to infect target computers with malware. In other cases, spear phishing attacks and bot-filled “contact us” forms containing fake threats claiming to be from DarkSide have become more common, primarily targeting the energy and food sectors.

In many incidents, the alleged threat actor claims to have successfully penetrated the target’s network, gaining access to critical data that will be made public unless a ransom of 100 bitcoins is paid.

3. Successful Breaches Incur Various Costs

Colonial Pipeline is well known for having paid DarkSide a $4.4 million (USD) ransom for decryption keys to open their systems.

Despite DarkSide expressing regret, and despite the FBI recovering 63.7 of the 75 bitcoins paid, the threat actors still got away with hundreds of thousands of dollars in extorted money.

But this is only the beginning. Colonial Pipeline spent weeks rebuilding its billing systems before it could resume billing for oil distribution.

4. The Importance of System Monitoring

Before releasing their ransom demands, the hackers launched their attack in the early morning of May 7, exfiltrating 100 GB of data and encrypting back-office systems.

The initial intrusion, however, is believed to have occurred on April 29, more than a week earlier. This follows a common threat actor pattern: gain access to the system, then perform stealthy reconnaissance while building the foothold for a full-scale attack.

Security Information and Event Management (SIEM) solutions, when combined with threat intelligence, identity monitoring and network monitoring, can help detect unusual activity that may indicate the early stages of an attack, before the real damage begins.

5. The importance of IT governance

According to reports, the breach was made possible by an outdated but still functional legacy section of the network, and access to it was authorized by a single user ID and password combination. Access to the IT infrastructure of the United States’ largest refined-products pipeline network did not require multi-factor authentication (MFA). Colonial shut down the legacy VPN after the breach and added additional layers of security accordingly. The organization’s attack surface and the risk of a data breach would have been reduced in the first place if formal, established procedures for decommissioning access points, obsolete equipment and networks had been in place. MFA should be considered a basic requirement for remote access.
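As an added illustration of lessons 4 and 5 (not part of the original article), the script below runs a few SIEM-style detections over constructed VPN and egress log lines: logins without MFA, logins through a gateway that should have been decommissioned, dormant accounts coming back to life, and bulk data egress. The log records, the gateway list, the last-seen dates and the thresholds are all assumptions made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (JSON per line); not real Colonial Pipeline data.
SAMPLE_LOGS = """
{"ts":"2021-04-29T03:12:00Z","event":"vpn_login","user":"svc_legacy","mfa":false,"gateway":"vpn-legacy","src":"203.0.113.7"}
{"ts":"2021-04-29T03:15:00Z","event":"vpn_login","user":"alice","mfa":true,"gateway":"vpn-prod","src":"198.51.100.4"}
{"ts":"2021-05-07T02:40:00Z","event":"egress","user":"svc_legacy","bytes":107374182400,"dst":"192.0.2.9"}
{"ts":"2021-05-07T02:45:00Z","event":"egress","user":"alice","bytes":52428800,"dst":"192.0.2.9"}
""".strip()

# Hypothetical policy inputs: gateways that should already be decommissioned,
# each account's last known activity, and the dormancy / egress thresholds.
DECOMMISSIONED_GATEWAYS = {"vpn-legacy"}
LAST_SEEN = {"svc_legacy": datetime(2020, 11, 1), "alice": datetime(2021, 4, 28)}
DORMANT_DAYS = 90
EGRESS_THRESHOLD_BYTES = 10 * 1024 ** 3  # 10 GiB per user across the window

def parse(lines):
    """Yield log records with the timestamp converted to a datetime."""
    for line in lines.splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec

def detect(lines):
    """Return (rule, user) findings in the order they are triggered."""
    findings = []
    egress = defaultdict(int)
    flagged_egress = set()
    for rec in parse(lines):
        if rec["event"] == "vpn_login":
            if not rec["mfa"]:                       # lesson 5: MFA for remote access
                findings.append(("NO_MFA", rec["user"]))
            if rec["gateway"] in DECOMMISSIONED_GATEWAYS:  # lesson 5: retire old access points
                findings.append(("LEGACY_GATEWAY", rec["user"]))
            last = LAST_SEEN.get(rec["user"])
            if last and rec["ts"] - last > timedelta(days=DORMANT_DAYS):
                findings.append(("DORMANT_ACCOUNT", rec["user"]))  # lesson 4: early-stage signal
        elif rec["event"] == "egress":
            egress[rec["user"]] += rec["bytes"]       # lesson 4: watch for bulk exfiltration
            if egress[rec["user"]] > EGRESS_THRESHOLD_BYTES and rec["user"] not in flagged_egress:
                flagged_egress.add(rec["user"])
                findings.append(("BULK_EGRESS", rec["user"]))
    return findings

if __name__ == "__main__":
    for rule, user in detect(SAMPLE_LOGS):
        print(f"{rule}: {user}")
```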

The danger to the oil and gas industry, as well as to the energy sector as a whole, is serious and growing. Threat actors vary from sophisticated government-sponsored attackers attempting to inflict societal and financial havoc to smaller hacktivist groups seeking to protest energy projects or advances.

According to IBM’s 2021 X-Force Threat Intelligence Index research, the energy industry rose from 9th place in 2019 to 3rd place in 2020 among the industries most frequently attacked by cyberattacks.

According to the same analysis, the energy sector experienced the second highest data theft rate of any industry in 2020, accounting for more than a fifth of all breaches. It is therefore essential to take these lessons seriously!
