{"id":9696,"date":"2022-05-18T18:14:00","date_gmt":"2022-05-19T01:14:00","guid":{"rendered":"https:\/\/essential.construction\/news\/?p=9696"},"modified":"2022-05-18T18:14:00","modified_gmt":"2022-05-19T01:14:00","slug":"how-the-colonial-pipeline-attack-instilled-urgency-in-cybersecurity","status":"publish","type":"post","link":"https:\/\/essential.construction\/news\/how-the-colonial-pipeline-attack-instilled-urgency-in-cybersecurity\/","title":{"rendered":"How the Colonial Pipeline attack instilled urgency in cybersecurity"},"content":{"rendered":"<p>In the infosecurity world, this was the 5 a.m. phone call <strong>that many feared, but few were prepared to handle.<\/strong><\/p>\n<p>In the early hours of May 7, 2021, a Colonial Pipeline worker discovered a ransom note inside the company\u2019s IT systems. Threat actors linked to the DarkSide ransomware organization had gained access to an outdated VPN account.\u00a0<\/p>\n<p>The compromise, leveraged to encrypt data on the company\u2019s systems, left Colonial\u2019s massive operational technology (OT) network, including a 5,500-mile pipeline, at risk of remote takeover.\u00a0<\/p>\n<p>For days, millions of Americans on the East Coast, from small business owners to commercial truckers, faced lines at the gas pump not seen in the U.S. since the &#8217;70s. Gas prices shot up, consumers began to hoard dwindling supplies and numerous fuel stations shuttered as Colonial, the largest U.S. refined oil supplier, held secret negotiations to regain access to its computer systems.\u00a0<\/p>\n<p>\u201cColonial Pipeline is the most consequential cyberattack on U.S. energy infrastructure to date,\u201d said Mark Plemmons, senior director of threat intelligence at Dragos.<\/p>\n<p>The impact of the attack went well beyond the cybersecurity community, and garnered the attention of the general public and corporate boardroom officials, according to Plemmons. 
The attack helped lead to a greater focus on security involving industrial control systems (ICS) and operational technology at all levels.<\/p>\n<p>Private industry and government agencies alike have placed an increased focus on ICS security, prioritizing sector resilience and sharing intelligence, in an effort to prepare government officials and infrastructure providers for when the next major cyberattack hits.<\/p>\n<p>&#8220;Colonial Pipeline was a galvanizing event for the country,&#8221; Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, said during a virtual forum on May 5 sponsored by the <a href=\"https:\/\/atarc.org\/event\/colonial-pipeline\/\" rel=\"nofollow noopener\" target=\"_blank\">Advanced Technology Academic Research Center (ATARC)<\/a>. \u201cRaising awareness about the potential threats and risks for cyberattack. It\u2019s not just ones and zeros inside of computers. These attacks could have real implications for our way of life.\u201d<\/p>\n<p>What flowed from the Colonial Pipeline attack is the realization in Congress and the critical infrastructure community that cyberattacks must be taken more seriously. Cybersecurity risk is no longer just a problem to be addressed inside network operations centers or CISO offices, Wales said.\u00a0<\/p>\n<p>Critical infrastructure providers in the U.S. are facing a series of evolving threats on a never-before-seen scale. Since the launch of the Ukraine war in February, advanced persistent threat actors have developed custom malware designed to sabotage or even destroy critical infrastructure facilities. 
Criminal ransomware gangs, too, have proven on multiple occasions they can hold major manufacturing companies and essential services hostage using double extortion techniques and targeted attacks.<\/p>\n<p>This, coupled with the pivot to the remote operations of the nation&#8217;s critical infrastructure \u2014 a change made amid the onset of COVID-19 \u2014 has increased dependence on automation and artificial intelligence. It adds new, digital access points to critical systems.<\/p>\n<p>\u201cMany operating technologies \u2013 things like pumps and pipelines and turbines \u2013 that used to be analog or isolated, are now digitized and networked with IT systems,\u201d said Leo Simonovich, VP and global head of industrial cyber at Siemens Energy.<\/p>\n<p>Digital devices enable remote operations, as well as greater efficiencies and lower emissions, according to Simonovich. However, digitalization exposes a lot more infrastructure to cyberattacks.\u00a0<\/p>\n<p>Siemens conducted a <a href=\"https:\/\/www.siemens-energy.com\/global\/en\/news\/magazine\/2019\/cyber-security-ponemon-study.html\" rel=\"nofollow noopener\" target=\"_blank\">study with the Ponemon Institute<\/a> in October 2019, months before the international COVID-19 outbreak, showing utility companies were increasingly vulnerable to cyberattack. The global survey of 1,726 utility professionals responsible for OT cybersecurity showed 54% of them expected an attack within a 12-month period.\u00a0<\/p>\n<p>More than half reported a shutdown or operational data loss each year.<\/p>\n<p>Energy is one of 16 critical infrastructure sectors the U.S. government is working to secure, each a mission-critical facet of daily life that, if disrupted, could wreak havoc. 
The Department of Energy (DOE) has a partnership program with energy manufacturers called Cyber Testing for Resilient Industrial Control Systems to identify and triage software and hardware vulnerabilities.\u00a0<\/p>\n<p>Officials in the energy industry have been concerned about the growing threats to pipelines and other oil and gas infrastructure, particularly due to the threat environment stemming from Russia&#8217;s invasion of Ukraine.\u00a0<\/p>\n<p>\u201cCybersecurity is a top priority of the natural gas and oil industry and we are committed to the safe operations of our nation\u2019s critical infrastructure &#8211; like pipelines,\u201d said Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute.\u00a0<\/p>\n<p>The organization has been working closely with federal partner agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, National Security Agency,\u00a0and DOE, to ensure member companies are protected from malicious cyber activity.\u00a0<\/p>\n<p>Pipeline security has been a lingering concern for several years, but it was not adequately addressed by existing government oversight. A 2019 threat assessment from the Office of the Director of National Intelligence identified China as having the ability to disrupt natural gas pipelines for up to several weeks. 
A <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-201a\" rel=\"nofollow noopener\" target=\"_blank\">2021 CISA and FBI advisory<\/a> cited a Chinese spearphishing and intrusion campaign from 2011-2013, resulting in 13 confirmed compromises against natural gas operators.\u00a0<\/p>\n<p>The Transportation Security Administration issued a directive in May 2021 ordering pipeline operators to report any potential cyberattacks to CISA and have an <a href=\"https:\/\/www.cybersecuritydive.com\/news\/tsa-dhs-cybersecurity-requirements-pipeline-colonial-ransomware\/600929\/\" rel=\"nofollow noopener\" target=\"_blank\">onsite cybersecurity coordinator<\/a> available. A second directive in July 2021 called for pipeline operators to mitigate vulnerabilities and boost resilience as well as develop contingency plans.\u00a0<\/p>\n<p>Some administration proposals, including <a href=\"https:\/\/www.cybersecuritydive.com\/news\/pipeline-cyber-security-tsa-requirements\/604001\/\" rel=\"nofollow noopener\" target=\"_blank\">TSA pipeline cyber directives<\/a>, have received significant pushback from key industry officials and congressional figures as overly burdensome.\u00a0<\/p>\n<p>\u201cThe federal government\u2019s issuance of security directives problematically redirected cyber resources away from security and towards compliance,\u201d Kimberly Denbow, managing director, Security and Operations Cybersecurity Action Plan at the American Gas Association, said via email. 
\u201cThey offered minimal opportunity for operator engagement, have overly prescriptive requirements on pipeline systems that are expansively diverse, and have compliance based entirely on [an] arbitrary timeline.\u201d<\/p>\n<p>Earlier this month, the Department of Transportation\u2019s Pipeline and Hazardous Materials Safety Administration (PHMSA)\u00a0<a href=\"https:\/\/www.cybersecuritydive.com\/news\/colonial-pipeline-ransomware-fines\/623335\/\" rel=\"nofollow noopener\" target=\"_blank\">announced plans to levy<\/a> up to $1 million in penalties against Colonial Pipeline related to multiple control room violations.<\/p>\n<p>PHMSA officials told Cybersecurity Dive the violations listed for Colonial Pipeline were \u201cnot exclusive to one operator.\u201d And while the agency continues to respond to noncompliance issues it also \u201cconducts outreach to increase awareness and help the pipeline industry prepare for and safely respond to any future cyberattacks,\u201d the agency said in an email.<\/p>\n<p>Colonial Pipeline has taken steps to reform its internal procedures in the wake of the attack. <a href=\"https:\/\/www.cybersecuritydive.com\/news\/colonial-pipeline-ciso-adam-tice\/619272\/\" rel=\"nofollow noopener\" target=\"_blank\">The company hired Adam Tice<\/a>, a veteran cybersecurity leader as its first-ever CISO. 
It has also been working to fill its internal cybersecurity staff with additional hires.\u00a0<\/p>\n<p>The company said it is working closely with government and industry partners to share lessons learned and to collaborate against future threats.<\/p>\n<p>\u201cThis attack on our nation\u2019s critical infrastructure was felt far and wide and served as a reminder to all that cyber threats are real and we must continue to rigorously protect our critical infrastructure,\u201d a Colonial spokesperson said.\u00a0<\/p>\n<p>Despite potential fines, government officials have largely praised Colonial for working with law enforcement and other agencies to help recover more than half the $4.4 million ransom payment from the DarkSide ransomware organization.<\/p>\n<p>FBI Director Christopher Wray, during a speech before the <a href=\"https:\/\/www.fbi.gov\/news\/speeches\/fbi-partnering-with-private-sector-to-counter-the-cyber-threat-032222\" rel=\"nofollow noopener\" target=\"_blank\">Detroit Economic Club<\/a>, cited Colonial\u2019s outreach during the DarkSide attack for helping it recover the bitcoin funding through a court-approved clawback operation.\u00a0<\/p>\n<p>Colonial immediately called the FBI\u2019s Atlanta field office, according to Wray, and the Atlanta office knew the FBI already had a six-month investigation underway against DarkSide.\u00a0<\/p>\n<p>\u201cWithin hours of their initial report, we were pushing Colonial relevant technical information, along with remediation tactics, techniques and procedures,\u201d he said.\u00a0<\/p>\n<p>The FBI worked with CISA and the DOE to bring their resources into the equation, while the FBI\u2019s San Francisco office identified a compromised VPN account as the intrusion vector, Wray recalled.<\/p>\n<p>\u201cBecause Colonial reached out so quickly, we were also able to identify and seize the virtual currency wallet belonging to the hackers,\u201d Wray said, according to a transcript of 
his prepared remarks.\u00a0<\/p>\n<p class=\"itemsource\">This item was originally posted here: <a href=\"https:\/\/www.constructiondive.com\/news\/post-colonial-pipeline-attack\/623986\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener nofollow\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>In the infosecurity world, this was the 5 a.m. phone call that many feared, but few were prepared to handle. In &#8230; <a title=\"How the Colonial Pipeline attack instilled urgency in cybersecurity\" class=\"read-more\" href=\"https:\/\/essential.construction\/news\/how-the-colonial-pipeline-attack-instilled-urgency-in-cybersecurity\/\" aria-label=\"Read more about How the Colonial Pipeline attack instilled urgency in cybersecurity\">Read more<\/a><\/p>\n","protected":false},"author":0,"featured_media":9697,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1066,457],"tags":[],"class_list":["post-9696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-all-posts","category-construction-dive","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/posts\/9696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/comments?post=9696"}],"version-history":[{"count":0,"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/posts\/9696\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/media\/9697"}],"wp:attachment":[{"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/media?parent=
9696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/categories?post=9696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/essential.construction\/news\/wp-json\/wp\/v2\/tags?post=9696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}