Learnings from the Colonial Pipeline Ransomware Attack



On May 8, a crippling ransomware attack on Colonial Pipeline reportedly halted its operations. The company's pipeline, which runs 5,500 miles along the east coast of the United States, supplies 45% of the oil and gas to that region. According to media reports on Friday, the company paid a 75 bitcoin ransom, worth around $5 million, to restore service faster. The company was able to resume operations by Wednesday night.

Ransomware attacks are on the rise. According to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks worldwide in 2020. This was a 62 percent increase from the year prior, and the second-highest figure since 2014, with the highest on record being 638 million attacks in 2016.

Understanding the Colonial Pipeline Attack:

What happened:

Colonial Pipeline, a critical supply engine for 45% of the oil and gas for the east coast, was hit with a ransomware attack. As per a Bloomberg report, the hackers began their attack on Thursday (6th May), stealing about 100 GB of data.

Who was responsible:

The FBI blamed Darkside, a hacking group that targets victims using ransomware and extortion, for this attack.

The impact:

A Department of Transportation agency posted a regional emergency declaration for 18 states and Washington, DC, "in response to the unanticipated shutdown of the Colonial Pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States." The shortage has caused an increase in the average price of gas in the US, which rose by six cents to $2.96 per gallon, according to AAA.

How Colonial responded:

In a statement, Colonial said it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems."

On Tuesday, Colonial said it had worked with shippers to deliver about 41 million gallons to delivery points along its pipeline. The company also said it had taken delivery of about 84 million gallons from refineries as it readied to reopen its pipeline.

FBI Recommendations to deal with ransomware attacks:

The FBI has proposed the following ways to protect businesses from ransomware attacks:

  • Immediately secure backup data or systems by taking them offline.
  • Contact law enforcement immediately.
  • Collect and secure partial portions of the ransomed data that might exist.
  • Change all online account passwords and network passwords after removing the system from the network.
  • Delete registry values and files to stop the program from loading.

Learnings from the Colonial Pipeline hack:

With increased pressure to improve operating efficiency, energy and utility companies are adopting automation and operational technology (OT), which in practice means the merging of IT and OT systems within critical infrastructure networks. Pipelines, electricity grids, and water supplies are now equipped and controlled by electronic network equipment that ultimately has a connection to the internet, creating a whole new attack surface.

There is a need for a proactive cyber risk management approach to face these new-age cyber-attacks. Energy and utility firms:

  • Need a proactive and integrated approach to IT and cyber risk management
  • Should continuously monitor their attack surface for any vulnerabilities
  • Must have a comprehensive business continuity and disaster recovery plan
  • Need a quantitative approach to measure and prioritize cyber risks
  • Should monitor their extended enterprise ecosystem (third and fourth parties) for cyber risks
  • Should work on achieving complete visibility of IT and cyber risks and removing silos
  • Should be IT and cyber compliance ready at all times, so that no aspect of cyber hygiene is missed and they retain the confidence of auditors and management


To counter these new kinds of cyber-attacks, energy and utility firms should proactively monitor their attack surface for any kind of vulnerability and have a robust business continuity and disaster recovery plan in place to build cyber resilience.

MetricStream has helped Fortune 500 oil and gas companies and energy utility providers to build operational and cyber resilience, increasing operational efficiency. Please reach out to us if you'd like to schedule a demo or learn more about how we can help secure your critical infrastructure OT environment and help you build cyber resilience.
