Experts Insight On US Pipeline Shut After Cyberattack

BACKGROUND:

US fuel pipeline operator Colonial Pipeline has temporarily halted all pipeline operations after a cyberattack, the company said in a statement late on Friday. The company is a major US supplier of gasoline, diesel, jet fuel, and other refined products. It transports around 45% of fuel supplies around the US east coast. Colonial Pipeline said it learned of the attack on Friday, but provided no details of the type of hacking incident. In response, the firm took systems offline to contain the threat, it said in the statement. This temporarily halted operations and affected some of its IT systems, it said.

The following cybersecurity experts have provided comment on this story:

Experts Comments

May 11, 2021
Neil Stobart
VP of Global System Engineering
Cloudian

The recent cyber-attack on the largest fuel pipeline in the US has shown that ransomware can pose a critical risk not only to businesses but also to national industrial infrastructure. In this case, the attack could affect the lives of millions of American citizens and businesses as the pipeline carries 45% of the East Coast's supply of diesel, gasoline, and jet fuel.

Attacks such as this shouldn't come as a surprise, as ransomware has become the biggest cybersecurity threat over the past year. Cases like Colonial’s, where cyber criminals threaten to delete all the data taken hostage from the victim's network, demonstrate how important it is for organisations in all sectors to focus on not only preventing attacks but also ensuring they are able to recover should their defences fail.

One of the best ways to protect data from ransomware attacks is at the storage level by creating an immutable backup copy. This prevents malware from encrypting the data. If your organization gets hit by ransomware, you can quickly and easily recover the unchanged backup copy without paying the ransom, thereby ensuring business continuity and, in this particular case, minimal impact on people’s lives.

May 12, 2021
Keatron Evans
Principal Security Researcher
Infosec

I want to first address the world of Ransomware. The more I learn about this incident, the more it sounds like they either paid or are considering paying the ransom. Facepalm? Not so fast, as organizations paying the ransom happens more commonly than it might seem. There are several occasions where I've even advised it under specific circumstances. Without knowing more details we can't even say if Colonial has paid or what special conditions might warrant them paying, but a few things like not having good backups, and not having a good response plan in place to deal specifically with ransomware, come to mind. Many people don't realize that having a network or device hit with ransomware is the operational equivalent of it losing power and being shut off. And when you consider that as it relates to a pipeline operator, those consequences could be catastrophic, and have severe economic and public health impact immediately. I've sat in many rooms and gone over these scenarios with national infrastructure and energy providers, and the possibilities are terrifying. So faced with those possibilities and what could happen, I would not be surprised at all to eventually discover that some ransom has been paid.

These networks that actually run and monitor the pipelines are generally Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks. Traditionally these networks have been "air-gapped" or physically separated from any other networks, including the internet. This led to extreme lags in updates and patching, as the logic was that if they're not ever connected to anything, there's no rush to patch or update. Not to mention some of the equipment and protocols in use are often so old that they don't support anti-virus, updates, or any other security controls. Fast forward and those networks now needed to take advantage of the amazing innovations we were making in the networks outside those. So largely decisions were made to "join" these traditionally air-gapped networks to the technologically advanced corporate networks, which came with great benefits, easier management and the chance to not depend on outdated and unsupported software and protocols so much. The SCADA vendors followed suit by updating their hardware to support modern technologies and take advantage of the internet. Add updated IoT devices to the mix and you've got a perfect storm of great innovation and wide-open attack vectors. Currently Colonial has not disclosed whether or not the attackers actually made it to the internal pipeline network, but if they did, it's possible they might have found a security wall that resembled a big piece of Swiss cheese, holes everywhere. They are most likely rightfully being advised to say as little as possible this early, so we will have to wait and see what else comes out in the next week or so.

May 11, 2021
Daniel Smith
Head of Security Research
Radware

Today's threats, without a doubt, require full-spectrum solutions, but nothing will change the threat landscape without firm action from governments around the world. No task force against ransomware will solve this unless we are ready to address international loopholes and arrest criminals who operate with impunity from specific regions in the world. Giving advice to organizations on “not clicking links” or “not paying ransomware authors” is clearly not the answer. Nothing will change until we have the international law and the power to arrest actors in countries that are hacking us, like Russia and China. The same should be applied to us. Nation-states should have the ability to detain US citizens suspected of hacking as well. Once we have a strong governing law with consequences, then we will see change.

May 11, 2021
Pascal Geenens
Threat Intelligence
Radware

The Colonial Pipeline ransomware attack demonstrates yet again the significant impact of ransomware attacks. Once ransomware actors get an initial foothold, no system is safe. These new higher-end/professionalized ransomware attacks are harder to defend against because of the automated and human intervention where human actors pick the targets and operate the attack. There is a growing underground economy where ransomware operators have access to verified credential lists, attack tools, and malware platforms. This is a game-changer. Previously, gangs could never pull this off on their own, but now they can because of underground trading. The world is facing a severe enemy in ransomware and no one is safe. Authorities should not lose sight of this threat and continue or increase their resources in the fight against ransomware actors.

May 12, 2021
Adam Enterkin
SVP, EMEA
BlackBerry

Using AI technology helps prevent ransomware attacks like the Colonial Pipeline breach, by spotting anomalies and blocking future unknown attacks that traditional antivirus tools wouldn't recognise and would get lost in the noise with traditional EDR tools. We don’t feel any company should fall prey to these types of attack, and by adopting a prevention-first strategy, they won’t. Humans and tech must work hand in hand, so the professionals are equipped with the right knowledge and skillsets to keep our enterprises, and our country, safe, even before the attackers have the chance to strike.

May 12, 2021
Christine Gadsby
VP of Product Security
BlackBerry

It doesn’t matter whether you’re securing a gas pipeline or life-saving medical devices, securing critical embedded systems presents unique and complex challenges. The reality is that utility companies are more often investing in IT to drive greater levels of convenience, which means that security is sometimes addressed in a siloed fashion and deprioritised during times where budgets are scarce.

On top of this, cybersecurity attacks have ramped up in volume and ferocity since the COVID-19 pandemic began a year ago. This recent attack should serve as an important wake-up call for all those who have a role to play in securing critical embedded systems that these days threat actors will stop at nothing to cause harm, sometimes regardless of whether there is a financial gain to be had. The only way to keep the enemy out is to ensure you have good cyber hygiene practices in place, as well as cutting-edge cybersecurity solutions that can detect, protect and deter this sort of attack in the future.

May 12, 2021
Terry Olaes
Technical Director
Skybox Security
• Hackers now see critical infrastructure as low-hanging fruit. With the rise of Industrial IoT sensors coupled with outdated legacy IT systems not designed to withstand blistering hacks, this makes critical infrastructure a perfect target for cybercriminals.
• Recent research highlights how these types of attacks continue to trend upward as OT attacks jumped by 30% in 2020 alone and IIoT flaws increased 308% year-over-year.
• Leaders in this space are often in a Catch-22. OT-reliant industries (such as utilities and manufacturing) can’t afford to shut down for comprehensive overhauls of legacy technology; freezing operations means lost dollars. Hackers are seizing the opportunity to attack OT-reliant organisations, enterprises, and governments, knowing they will pay hefty ransoms to prevent disruption.
• Additionally, OT device vulnerability scans and remediation often happen only once or twice per year, if at all, limiting visibility on the constantly evolving threats and leaving vulnerabilities unpatched for months. Years of computer and network neglect only compound the urgent need to shore up security.
• Apathy is arguably the most significant risk to critical infrastructure security. Security and facility leaders in OT-dependent industries must evolve their thinking and take action to avoid ending up in the crosshairs of a hacker.
• Taking a proactive approach to visualize and analyse IT/OT networks and hybrid, multi-cloud collectively will provide critical insight into the attack surface and help prevent future OT attacks from happening.

May 12, 2021
Matt Trushinski
Technical Director
Arctic Wolf

Ransomware-as-a-Service is big business and we are not surprised groups like DarkSide are capitalizing on extortion techniques that are quickly becoming a hallmark for many eCrime actors. The hallmark of DarkSide attacks, among other eCrime groups, is that they do extensive research on their targets and are mainly interested in large corporations. This creates a sense of urgency especially as we see critical infrastructure suffering kinetic impact. This situation illustrates a growing security crisis. It’s imperative that if prevention fails, there is a world-class security operations infrastructure in place to detect, manage, and mitigate any threat.

May 12, 2021
Miles Tappin
VP of EMEA
ThreatConnect

The ransomware attack against the Colonial Pipeline company not only shut down operations across one of the US’s most crucial 5,500-mile energy infrastructures but it exposed a significant weakness in the national cybersecurity strategy that has been 20 years in the making.

This latest incident should be a red line for US critical infrastructure owners, operators, regulators, and the Department of Homeland Security. Although much work has gone into hardening industrial control systems during the last decade, they remain vulnerable to a wide variety of cyber threats because of connections between business and operational networks.

There are now malicious actors who are characterising themselves as bona fide businesses with their own set of ethics, but who are themselves not in control of their overall impact due to the interconnectedness of businesses and operational networks. These interconnections lay bare the networks that power the economy and way of life — networks that now face cyber-attacks and adversaries increasing in sophistication.

The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of individual businesses an urgent priority. Critical infrastructure cybersecurity must adopt a risk-led security strategy backed by a real-time decision and operational support system to ensure it can mitigate future threats.

May 12, 2021
Nikos Mantas
Incident Response Expert
Obrela Security Industries

The attack against Colonial Pipeline could be one of the biggest security incidents the world has ever witnessed, especially since it has the potential to impact millions of American citizens’ daily lives.

Today, many people in the US will find it difficult to get into their places of work because of the shortage of fuel – regardless of whether their commute is by car or plane.

The aftereffects of the attack will also be significant, and Americans can also expect to see a rise in fuel prices. How steep they climb will be determined by how long Colonial Pipeline’s network is down.

To protect against this threat, prevention is always better than cure. Organisations should instead focus on building higher and stronger walls around their data. To do this, employee awareness of ransomware is vital, as are continuous backups and up-to-date software and security solutions on all devices accessing the IT network.

May 12, 2021
Alan Grau
VP of IoT
Sectigo

The recent cyberattack on the Colonial Pipeline shows how cybercriminals are escalating their attacks. This is one of the most disruptive ransomware attacks ever reported and illustrates how cybercriminals are attacking ever more critical targets with an endgame of extracting ever-larger ransom fees. This also shows how vulnerable a nation’s critical infrastructure is to cyberattacks. Colonial Pipeline, the operator of the system, said that it shut down its 5,500 miles of pipeline in an effort to contain the breach. While it is not clear if the ransomware attack spread to the SCADA systems directly controlling the pipeline, it is clear that stronger security is needed.

Critical infrastructure providers must harden all of their systems against cyber-attacks. The embedded devices and control systems managing critical infrastructure are not isolated from the IT systems, and attacks against IT systems can be used as a beachhead to launch further attacks against these control systems. Multiple levels of security, starting with strong authentication and S/MIME protection for email, provide a layer of protection against phishing attacks and other cyberattacks that are commonly used as entry points for ransomware attacks.

Reports indicate that the attackers, in this case, were motivated solely by financial gain. Had this been a nation-state wanting to damage the cyber-physical systems controlling the pipeline, they may have been able to do so. Company statements indicate that they shut down the pipeline to ensure that no such damage was done, but it’s not clear if this was done because the company detected the attack and responded proactively, or if this occurred after the ransomware attack shut down critical IT systems.

May 11, 2021
Stephen Bradford
SVP EMEA
SailPoint

Critical national infrastructure is no exception for cyber criminals, as the ransomware attack on the US’s largest fuel pipeline shows.

Now, governments and businesses alike face the threat of bigger, more sophisticated attacks from ransomware – ones where cyber criminals have worked methodically to develop software to steal vast quantities of data, and where they can take advantage of vulnerabilities that come with multiple access points from remote working.

Ransomware has become so effective that many organisations have simply paid the ransom, sometimes to the tune of thousands of dollars. Multiple security controls must be standard best practice for cyber security, to reduce the risk of ransomware along with other malicious malware threats.

May 11, 2021
Brad Brooks
CEO and President
OneLogin

This attack represents how quickly the stakes are escalating on cybersecurity, with controlling and knowing who has access to your IT systems a board-level priority for every company. We are moving from an invisible Cold War that was focused on stealing data to a highly visible hot war that has real implications for physical property and people’s lives.

May 11, 2021
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys

The Colonial Pipeline cyberattack serves as a wakeup call to anyone using software to power their business. Cybercriminals don’t really care how important your business is, only how much money they might extract from you. This trend can be seen with increasing attacks on municipalities, healthcare systems, and elements of critical infrastructure. Each of these organizations will bring in law enforcement, yet attackers continue to be aggressive in their activities. While Colonial Pipeline is a US operation, attacks are global in scope. And despite warnings from officials like the US Treasury Department highlighting how ransomware payments are used to fund future criminal activities, victims are often faced with the difficult decision of whether to pay the ransom.

Avoiding becoming a victim of ransomware requires organizations to have a comprehensive cybersecurity plan in place that fully captures the risks of each software component, its role and lifecycle, and its deployment configuration and usage assumptions. Armed with this basic information, and an exhaustive inventory, it becomes possible to determine how each component might play a role in an attempted ransomware attack. An effort like the one impacting Colonial Pipeline is likely the result of multiple weaknesses in process and cyber-defences that were ultimately successfully exploited. With the age of some industrial software systems far exceeding that of commercial software, it’s likely that older software wasn’t designed to limit exposure to modern threats like ransomware attacks. While the age of the software has limited impact on its serviceability, threat models and defensive protections need to keep pace with new threats – something that can only be done if all weaknesses present in each component are known and accounted for. After all, if a criminal can identify your weaknesses faster than you can, luck is rarely on your side.

May 11, 2021
Lior Div
CEO and co-founder
Cybereason

Cyberattacks are so pervasive that people are somewhat numb to headlines of the breach or compromise du jour. We live in a world of insecurity where hackers have the advantage over many enterprises trying to protect their computer networks. Nowhere is that more evident than with critical infrastructure providers, who are facing a constant barrage of cyberattacks from motivated and oftentimes well-funded groups of cybercriminals and state-sponsored actors. There are fewer strains of ransomware being deployed, yet the existing strains rake in more gains. Threat actors do this by better targeting.

The SolarWinds and Microsoft Exchange Server attacks were unparalleled in their scope, successfully infiltrating and compromising virtually every US government agency and a wide array of medium and large private sector companies. The Colonial Pipeline attack reinforces the need to update legacy systems running today’s critical infrastructure networks. How the Biden administration responds to the broader and more wide-scale attacks will be a part of the administration’s legacy.

If the public and private sectors can work together to solve complex cybersecurity issues, and at the same time accurately identify the threat actors and bring them to account for their actions, it will go a long way in reversing the adversary advantage and enable defenders to retake the high ground. There is also another significant opportunity here as well to cooperate on a global scale to develop extradition laws that enable cybercrimes and cyber espionage to be prosecuted more effectively.

May 11, 2021
Steve Forbes
Government Cyber Security Expert
Nominet

The declaration of a state of emergency due to cyber attack could become the new normal. With the largest fuel pipeline in the US grinding operations to a halt due to a ransomware attack, the attack on Colonial is likely to have a ripple effect across the globe.

The attack will be a stark reminder of how connected our world now is. While the demand for oil across the US East Coast is evident, the fact that this is already impacting the financial markets and traders demonstrates that it really is the tip of the iceberg. That’s not to mention the fact that the severity of this breach will worsen if confidential information is leaked, as the group has threatened. Being able to take systems offline and begin a process of restoration is undeniably important, but there is an additional threat if this data is exposed. It underlines the importance of international collaboration to bring down these highly coordinated groups early in their development if we want to protect our critical services.

As we watch the domino effect of this cyber attack, it is very apparent that impact is not limited to systems and software - victims will come in all shapes and sizes, from industries to individuals.

May 11, 2021
Andrew Rubin
CEO
Illumio

This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe.

 

It’s an absolute nightmare, and it’s a recurring nightmare. Organizations continue to rely and invest entirely on detection as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the President and Congress need to take action on our broken security model. This begins (but does not end) with the adoption of a Zero Trust strategy.

 

But instead of talking about and doing the hard work we need to do, we’ll watch the financial markets on Monday reward the entire security industry for failing to stop modern attacks from spreading into a disaster.

May 11, 2021
Jake Moore
Cybersecurity Specialist
ESET


Purchasing ransomware is now far easier than ever and attempts on critical national industrial infrastructure, as well as businesses, are increasing at an alarming rate. As a result, many are struggling to keep up with the tsunami of attacks.

 

These attacks leave organisations in a complex quandary, with multiple questions to answer – including whether or not to pay the ransom – all up against the clock. Failure to comply with the demands could potentially leave them with a huge loss of data, unable to function and/or see some of the stolen data spilt on the internet. However, paying the ransom is no guarantee that the data will ever be restored back to its original state. There is also the bitter taste left behind in the aftermath as to how it happened, as well as the immediate costs of preparing for inevitable repeat attempts.

 

Preventative measures make far better security choices: it is always better to patch and protect rather than to pay. However, this can be easier said than done due to the persistence of these threat actors. Organisations of all sizes must ensure they have robust controls in place that protect their email and spam filters, as well as use multi-factor authentication and increase user awareness training.

May 11, 2021
John Vestberg
President and CEO
Clavister


The DarkSide ransomware attack on the Colonial Pipeline highlights the increasing risk cyber criminals pose to critical national infrastructure (CNI). CNI, such as oil and gas, is a prime target for these ransomware gangs – systems are underpinned by a myriad of complex information and operational technology devices and so the consequences if these are infiltrated can be devastating. Attacks on CNI risk becoming the norm if action is not taken.

 

A proactive, rather than reactive, approach is needed. Using predictive analytics and tools like AI or ML, for example, we can see malware morphing and behaving in certain ways and catch it sooner. The DarkSide attack should serve as a warning; CNI systems are becoming more sophisticated and technical – especially as we enter the era of 5G which we will soon rely on. Going forward, countries cannot afford to have any weak spots and must step up their cyber security solutions to support the technology used.

May 11, 2021
Garret F. Grajek
CEO
YouAttest


The effects of this attack are serious enough: stopping 2.5 million barrels per day of refined products from the Gulf Coast to the eastern and southern United States. But what is additionally alarming is how the attack group, surmised by researchers as the "Darkside" group hailing out of Russia, is now operating. (Darkside is selective in their targets and avoids ex-Soviet Union enterprises.)

 

According to Cybereason, Darkside has created an affiliate program - where Darkside creates the malware and others are financially motivated via an embedded "affiliate" code to other hacking groups for a successful delivery of the malware.

 

This means that there's not just one threat vector to close off, but dozens if not more attack entries to block.

 

How to protect against such attacks?

 

Darkside has often created malware targeting domain controllers - so traditional hardening approaches are crucial, including patching and a fanatical lockdown of admin and service accounts. We must not only be performing regular access reviews of our key admin accounts, but also have instantaneous alerts on any attempts at privilege escalation on these accounts.
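The two controls named in the comment above, alerting on changes to privileged groups and a periodic access review of admin membership, as an added example written for this page (it is not code from the commenter or from YouAttest). Windows security event IDs 4728 and 4732 are the real "member added to a security-enabled global/local group" events; the sample events, host names, account names, the "svc-" service-account naming convention and the approved-change list are all constructed.

```python
"""Privileged-account monitoring and access review (constructed example)."""
from dataclasses import dataclass

# Groups whose membership changes should always raise an alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Windows security event IDs: 4728 = member added to a security-enabled global
# group, 4732 = member added to a security-enabled local group.
GROUP_ADD_EVENT_IDS = {4728, 4732}
# Naming convention assumed for this example: service accounts start with "svc-".
SERVICE_ACCOUNT_PREFIX = "svc-"

# Constructed, already-parsed sample events (hosts, accounts and groups are made up).
SAMPLE_EVENTS = [
    {"id": 4624, "ts": "2021-05-07T02:10:00Z", "subject": "jdoe", "host": "WS-ACCT-17"},
    {"id": 4728, "ts": "2021-05-07T02:14:05Z", "subject": "svc-backup", "member": "jdoe",
     "group": "Domain Admins", "host": "DC01"},
    {"id": 4732, "ts": "2021-05-07T02:15:40Z", "subject": "admin-ops", "member": "deploy-bot",
     "group": "Administrators", "host": "APP03"},
    {"id": 4728, "ts": "2021-05-07T09:00:12Z", "subject": "admin-ops", "member": "asmith",
     "group": "Domain Admins", "host": "DC01"},
    {"id": 4728, "ts": "2021-05-07T09:05:00Z", "subject": "admin-ops", "member": "bjones",
     "group": "Sales", "host": "DC01"},
]
# (member, group) pairs authorised through change control (constructed).
APPROVED_CHANGES = {("asmith", "Domain Admins")}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    subject: str
    member: str
    group: str
    reasons: tuple


def detect_privileged_group_changes(events, privileged_groups=PRIVILEGED_GROUPS,
                                    approved=APPROVED_CHANGES):
    """Return an Alert for every addition to a privileged group that change
    control did not approve. Additions performed by a service account get an
    extra reason: service accounts should not be administering group membership."""
    alerts = []
    for e in events:
        if e["id"] not in GROUP_ADD_EVENT_IDS or e.get("group") not in privileged_groups:
            continue
        reasons = []
        if (e["member"], e["group"]) not in approved:
            reasons.append("unapproved addition to privileged group")
        if e["subject"].startswith(SERVICE_ACCOUNT_PREFIX):
            reasons.append("change performed by a service account")
        if reasons:
            alerts.append(Alert(e["ts"], e["host"], e["subject"], e["member"],
                                e["group"], tuple(reasons)))
    return alerts


def access_review(current_members, approved_members):
    """Periodic review of one privileged group: returns (members present without
    approval, which should be removed; approved holders no longer present, whose
    approvals should be cleaned up)."""
    current, approved = set(current_members), set(approved_members)
    return sorted(current - approved), sorted(approved - current)


if __name__ == "__main__":
    for a in detect_privileged_group_changes(SAMPLE_EVENTS):
        print(f"ALERT {a.ts} {a.host}: {a.subject} added {a.member} to {a.group}: "
              + ", ".join(a.reasons))
    extra, stale = access_review(["asmith", "jdoe", "admin-ops"],
                                 ["asmith", "admin-ops", "retired-admin"])
    print("unapproved members:", extra, "| stale approvals:", stale)
```

The detection path is the "instantaneous alert" the comment asks for and runs per event; the review path is the scheduled check that catches anything the alerting missed or that was approved and then forgotten.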

May 11, 2021
Tom Garrubba
Senior Director and CISO
Shared Assessments


Numerous agencies including CISA have been trumpeting warnings or ‘calls to action’ to update critical infrastructure for years, and sadly, the time for initial action has long since passed. The evidence is clear: we are under attack by both rogue and state-sponsored organizations and the cyber community along with the general public have taken notice and are getting very worried.

 

Any company whether primary or downstream providing support to our country’s national infrastructure needs to take a good hard look at the systems supporting those processes and ask themselves: “Can we be next? Do we need to update our systems? Do we need assistance to support and secure these systems?” and if so, petition their corporate boards and owners for the requisite financial support in upgrading and securing these systems.

 

 As there is so much talk in Washington D.C. regarding support for a National Infrastructure bill, the time has truly arrived for our congressional representatives to include and support this most critical infrastructure component - the identification, inclusion, and funding for upgrading the various antiquated systems supporting this nation’s critical infrastructure.

May 11, 2021
Ran Pugach
Chief Product and Development Officer
Ava Security


The incident against Colonial Pipeline highlights the increasing risk ransomware is posing to critical national industrial infrastructure, and the physical consequences that these attacks can have on society. Especially with more than 90% of attacks involving human error, according to the UK’s Information Commissioner’s Office, securing critical national infrastructure against social engineering attacks is essential. We’ve seen similar attacks like this, when the Florida water treatment facility was hacked through TeamViewer.

 

In order to prevent ransomware attacks like this, organisations need to embrace a new approach built around the user as the rise of remote working makes us more exposed than ever. Hackers are experts in social engineering and will use whatever information they can to leverage multiple entry points or avenues to achieve their goals. This can be through malicious emails or suspicious websites. A preventative approach to ransomware protection leverages user education and cyber awareness. Installing end-point detection and response tools is a good first step. These solutions are essential in helping to not only salvage the situation but to be able to investigate and understand where the vulnerability was and how to prevent it in the future. Nevertheless, they have to be complemented with further safeguards that can capture anomalies, understand and correct user behaviour.

May 11, 2021
Gary Kinghorn
Marketing Director
Tempered Networks


While Zero Trust architectures are not necessarily a direct remediation against ransomware, Zero Trust can greatly mitigate the damage that can be done once a user or host is compromised. Lacking Zero Trust, the compromised host can likely navigate to critical infrastructure where it can do real damage. Zero Trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized. It is unlikely that whatever initial ransomware host was compromised would have had authorization to systems that can affect the flow through the pipeline or the control systems. With monitoring and visibility to anomalous traffic, like an accounting PC trying to access a control system, it's possible to even quarantine impacted systems further to restrict what limited Zero Trust access they were previously allowed to further mitigate damage. We can do this with partners that provide ongoing threat intelligence and analysis that can refine Zero Trust policies. Very few security approaches can overcome a trusted employee doing something stupid, as is usually the case with ransomware, but Zero Trust can dramatically limit the damage so it doesn't have significant impact on the business or, in this case, the economy.
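The policy model in the comment above, an explicit allow list between network zones with default deny, plus quarantine of a host that tries an unauthorized path such as an accounting PC reaching for a control system, as an added example written for this page (it is not code from the commenter or from Tempered Networks). The zone CIDRs, host addresses and flow records are constructed; TCP 502 is the standard Modbus/TCP port and stands in for "a control system" here.

```python
"""Zone-based Zero Trust policy evaluation with quarantine (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed zones: which address ranges belong to which trust zone.
ZONES = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),   # office PCs, incl. accounting
    "ops-jump": ipaddress.ip_network("10.20.5.0/24"),     # hardened jump hosts
    "ics-control": ipaddress.ip_network("10.50.0.0/24"),  # PLCs / control systems
}

# Explicit allow list of (source zone, destination zone, destination port).
# Anything not listed is denied: that is the Zero Trust default.
ALLOW = {
    ("corp-users", "ops-jump", 22),     # users may SSH to a jump host
    ("ops-jump", "ics-control", 22),    # jump host may administer control systems
    ("ops-jump", "ics-control", 502),   # jump host may speak Modbus/TCP to PLCs
}

# Constructed flow records in the order they were observed.
SAMPLE_FLOWS = [
    {"src": "10.10.4.23", "dst": "10.20.5.10", "dport": 22},   # accounting PC -> jump host
    {"src": "10.10.4.23", "dst": "10.50.0.15", "dport": 502},  # accounting PC -> PLC (anomalous)
    {"src": "10.10.4.23", "dst": "10.20.5.10", "dport": 22},   # same PC again, after quarantine
    {"src": "10.20.5.10", "dst": "10.50.0.15", "dport": 502},  # jump host -> PLC
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Decision:
    src: str
    dst: str
    dport: int
    src_zone: str
    dst_zone: str
    action: str   # "allow" or "deny"
    reason: str


class ZeroTrustPolicy:
    def __init__(self, allow, quarantined=()):
        self.allow = set(allow)
        self.quarantined = set(quarantined)

    def quarantine(self, host):
        """Strip a host of whatever limited access it previously had."""
        self.quarantined.add(host)

    def evaluate(self, flow):
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        base = (flow["src"], flow["dst"], flow["dport"], src_zone, dst_zone)
        if flow["src"] in self.quarantined:
            return Decision(*base, "deny", "source host is quarantined")
        if (src_zone, dst_zone, flow["dport"]) in self.allow:
            return Decision(*base, "allow", "explicitly authorized")
        return Decision(*base, "deny", "not explicitly authorized (default deny)")


def review_flows(policy, flows, sensitive_zones=("ics-control",)):
    """Evaluate flows in order. A denied attempt into a sensitive zone is treated
    as an anomaly and quarantines the source, so its later flows are denied too."""
    decisions = []
    for f in flows:
        d = policy.evaluate(f)
        decisions.append(d)
        if d.action == "deny" and d.dst_zone in sensitive_zones:
            policy.quarantine(f["src"])
    return decisions


if __name__ == "__main__":
    policy = ZeroTrustPolicy(ALLOW)
    for d in review_flows(policy, SAMPLE_FLOWS):
        print(f"{d.action.upper():5} {d.src} ({d.src_zone}) -> {d.dst}:{d.dport} "
              f"({d.dst_zone}): {d.reason}")
    print("quarantined:", sorted(policy.quarantined))
```

Note the third flow: the accounting PC's previously legitimate path to the jump host is now denied because the quarantine overrides the allow list, which is the "restrict what limited Zero Trust access they were previously allowed" step the comment describes.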

May 11, 2021
Nick Cappi
Cyber Vice President, Portfolio Strategy and Enablement
Hexagon


While all the details of the attack are yet to be made public, it appears that this is a ransomware attack that landed on the IT network. In an abundance of caution, Colonial shut down some or all of the industrial control systems to prevent the attack from spreading to these devices. Assuming they are able to isolate the attack and bring the control systems back online within a few days, this will be a shining example of a company’s ability to respond to and mitigate an attack. If they are unable to bring the control systems (and the pipeline) back online within a few weeks, the North East of the United States will likely see a steep increase in fuel prices and perhaps shortages and rationing.

May 11, 2021
Maximilian Heinemeyer
Director of Threat Hunting
Darktrace


The Colonial Pipeline ransomware attack is a wake-up call for providers of critical national infrastructure globally. Traditional approaches to ICS security are no longer good enough. 

 

Ransomware attacks are increasing in number in all industry sectors. But for the oil and gas industry, they don’t only cause widespread disruption and risk shutdowns, but also risk endangering the environment and human lives. 

 

Ransomware is a common attack method, with the malware moving very rapidly to disable systems and encrypt files at a pace that outstrips the human’s ability to respond fast enough. This is therefore not a human-scale problem. The organizations that are successfully combatting these kinds of machine-speed attacks are using autonomous technology and AI that interrupts the initial threatening activity, as it moves within the inside of the target environment — and critically — before it escalates to a full-blown attack.

May 11, 2021
Chandrashekhar Basavanna
CEO
SecPod


The DarkSide ransomware attack on Colonial Pipeline shows how sophisticated cybercriminals are getting in paralyzing businesses and crippling supply chains. Organizations that have high-stakes impacts on America’s economic interests need to show their ability to maintain critical cybersecurity measures. By making it mandatory to report on IT infrastructure where security automation is deployed, businesses will be able to better protect themselves, their partners, and the public they serve. This requires companies to take a very proactive approach to cyber hygiene that includes automated vulnerability scanning and detection across all endpoints, in addition to keeping a level head if they do come face to face with a sophisticated attack. The cyber landscape is continuously changing, so every organization, whether it’s in the public or private sector, needs to make sure they’ve implemented proactive defenses. 

May 11, 2021
Tim Erlin
VP of Product Management and Strategy
Tripwire

One thing to note here is that ransomware has to announce itself to be successful. In industrial environments, cyber events aren’t always this visible. Increasing visibility into industrial networks becomes more important as attackers continue to target critical infrastructure.

May 11, 2021
Andy Norton
European Cyber Risk Officer
Armis


These ‘Cyber Physical’ attacks are a big deal, because they demonstrate just how fragile the provision of critical services to society is. A few weeks ago a water treatment plant was compromised leading to the potential for poisoning of the water. Now, 45% of the US oil energy provision has been switched off to the East coast. Prolonged shortages in critical services lead to civil unrest, economic pressures, and a general lack of confidence in public administration.

 

What is equally troubling is the lack of progress critical infrastructure providers seem to be making in being resilient to these attacks. Both the NIST Cyber Security Framework and the International Society for Automation's ISA 99, now IEC 62443, have been available for several years as the compliance measures for cyber resilience in ICS and critical infrastructure providers. However, it would appear that many of the requirements outlined in the frameworks are not being adhered to, because the infection methods of the crime gangs, expected to be DarkSide, are well known and provisioned for in both frameworks. So, it would appear to be missing in practice.

May 11, 2021
Lewis Jones
Threat Intelligence Analyst
Talion


This attack appears to be one of the most disruptive ransomware attacks ever reported, highlighting the vulnerabilities in the energy sector and why it is often targeted by attackers. A long-term ransomware negotiation within the energy sector could cause mass disruption and increase the likelihood of payment. The fact that the US government has quickly issued emergency legislation to relax rules on road fuel transportation highlights how concerning this attack is. A longer-term implication of the attack could be a delay in delivery and disruption of the supply chain. This would cause an increase in price at a time when the economy is already fragile due to the current pandemic.

 

Early reporting suggests that the attackers managed to infiltrate the network of Colonial last week and stole almost 100GB of data. So far the attackers have been named "DarkSide," who are known for deploying ransomware. Whilst attribution of the group has never fully been established, it is reported that the group is Russian speaking and tends to avoid attacks on former Soviet states with attacks thus far targeting western based victims.
