By Gregory Hale
Colonial Pipeline, which operates a major pipeline system that transports fuel across the East Coast, fell victim to a ransomware attack Friday and halted all pipeline operations while it dealt with the incident, company officials said Saturday.

Colonial Pipeline did not say what was demanded or who made the demand. Ransomware attacks are typically carried out by criminal hackers who seize data and demand a large payment in order to release it.

“Cyberattacks are a real and present danger to critical infrastructure around the world and, by extension, every single consumer. If reports are accurate, the Colonial Pipeline incident has all of the markings of a possible ransomware attack that began in the IT environment and, out of precaution, forced the operator to shut down operations,” said Marty Edwards, vice president of OT Security at Tenable and the longest-serving director of the Department of Homeland Security’s ICS-CERT.

RELATED STORIES

“I’m surprised that it took this long for a major incident to happen for a pipeline operator,” said Dewan Chowdhury, chief executive and founder of security provider, malcrawler. “I have spent 20+ years securing and responding to cyberattacks on OT – ICS/SCADA environment. I have worked with dozens of large pipeline operators globally and dozens of the DNG (downstream natural gas) operators who help distribute natural gas to homes and feed gas turbines to produce electricity. Congress identified America’s oil and gas pipeline infrastructure after 9/11 as one of the most critical assets in America due to the massive negative impact an attack on the pipeline would impact the country’s national and energy security.

Resources Behind Attack
“I have responded to nation-state cyberattacks on pipeline infrastructure in the past, and I can tell you that the attackers had the resources to include human assets on the ground to help facilitate a cyberattack. Therefore, when responding to the pipeline cyberattack, we would know by the level of sophistication that these attacks were conducted by groups that have the resources to utilize to plan a sophisticated cyberattack. For example, using rouge networking devices, performing man-in-the-middle attacks to trick the SCADA master by sending fake data sets pointed toward attackers that knew the pipeline system well enough to cause damage/disruption.”

“We should not underestimate these groups,” Edwards said. “Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world. While it’s unknown how this attack played out, it’s yet another reminder of the increasing threats to critical infrastructure we all rely on.”

While there are critical infrastructure organizations that are tuned in to cybersecurity and what they have to do, however, pipeline operators often don’t fall in to that category.

“In our extensive experience in assessing oil and gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cybersecurity is far behind that of other energy sectors,” said John Cusimano vice president at aeCyberSolutions, the Industrial Cybersecurity division of aeSolutions. “A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve and tank farm along the pipeline. These are very large networks covering extensive distances but they are typically ‘flat,’ from a network segmentation standpoint. That means once someone gains access to the SCADA network they have access to every device on the network. While pipeline SCADA networks are typically separated from the company’s business (IT) networks with firewalls, by design, those firewalls pass some data between the networks. For example, network monitoring software, such as SolarWinds, may be permitted through the firewall in order to monitor the SCADA network. These permitted pathways through the firewall are one way malicious software or hackers can move from the IT network into the SCADA network. This was one of my greatest concerns when I first learned of the SolarWinds attack.

In the SolarWinds attack, hackers inserted malware into a service that provided software updates for SolarWinds Orion platform, which is a suite of products used across a wide swath of organizations from the manufacturing industry to the government and other key sectors, to monitor the health of their IT networks.

Remote Security
“The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline,” Cusimano said. “Some of those facilities are in very remote places with little to no physical security meaning that if an attacker breached the security of one of those facilities they could gain access to the network. Finally, SCADA networks rely on extensive use of wireless communications (e.g. microwave, satellite and cellular). Breaching the wireless signals or stealing a cellular modem from a remote site could give an attacker access to the entire SCADA network.”

While the details are not known about the Colonial attack right now, the company did say they suffered from a ransomware attack.

“Ransomware has been a favored attack vector of cybercriminals because of its effectiveness and return-on-investment,” Edwards said. “That’s precisely why bad actors have recently set their sights on critical infrastructure. Shutting down operational technology (OT) environments can cost hundreds of millions of dollars which forces providers to outweigh the costs.”

Ransomware attacks, or cyberattacks in general, on critical infrastructure are not new. They have been ongoing for years, but it ends up being how well prepared and how resilient the victim is to these types of attacks.

While an answer to these types of attacks may be to just disconnect from the network and operate with an air gap. However, in this day of connectivity, Industry 4.0, or digitalization that is not going to happen. Owner/operators see way too many benefits from connectivity. That means companies need to understand an attack is imminent and they need to stay on top of their games at all times. The idea of resiliency was popular for a while a few years back, and then went away, but in the end, everyone has to understand they could fall victim to this kind of attack at and they need to be resilient enough to keep moving forward while fending off the attack.

While that may be easier said than done, there are companies out there following those best practices.

Similar Ransomware Attacks
“Now to break the hard news to everybody: The past five years of my involvement with responding to cyberattacks on critical infrastructure was not the Hollywood Spy-themed script people would love to hear,” Chowdhury said. “But, the worst attacks I’ve seen on OT – ICS/SCADA environment resulted from the same ransomware that targets your grandmother. In the pipeline world, as complicated as control systems are, they are typically being controlled by engineering workstations running HMI tools like ezXOS (Telvent now a Schneider Electric company) on a Windows operating system.

“The majority of the SCADA networks for pipeline operators I’ve assessed are air gap networks (no connection to the Internet or corporate enterprise network). Imagine the technician of a pipeline operator who needs to update a server, firmware, pull/push data on an ‘air gapped’ network. The technician will a majority of the time, use a USB drive to put files he or she needs, then plug that USB into an engineering workstation that can open/close/monitor pipeline valves.

“What happens when the USB drive they use has ransomware on it, and they plug it into a Windows computer with no anti-virus, nor is the operating system locked to reduce cyber risks? The machine gets infected, and it will propagate/infect other Windows machines on the same air-gapped network. Now you have a pipeline operator who is operating blindly and requires running their operations in a manual mode.

“To make the matter worse technological resiliency is not always a priority for them, so they lack the adequate backup needed to restore operations quickly. Large companies spend money on protecting their IT assets from cyberattacks but hardly spend on protecting their ‘crown jewels’ that help operate their pipeline infrastructure. I’m surprised that it took this long for a major incident to happen for a pipeline operator.

“Do not be surprised if the Federal government start putting pressure on the pipeline operator to improve their cybersecurity posture. Two groups that have the power to do this would be the Office of Pipeline Safety (U.S. Department of Transportation) and DHS’ TSA (Yes, the same people that pat you down at the airport have a role in securing the Nation’s pipeline systems),” Chowdhury said.

Pipeline Operations Shutdown
Colonial Pipeline said the ransomware attack Friday affected some of its information technology systems and the company moved proactively to take certain systems offline, halting pipeline operations, according to a report by The Associated Press. The company said it delivers roughly 45 percent of all fuel consumed on the East Coast.

In an earlier statement, it said it was “taking steps to understand and resolve this issue” with an eye toward returning to normal operations.

The Alpharetta, Georgia-based company transports gasoline, diesel, jet fuel and home heating oil from refineries primarily located on the Gulf Coast through pipelines running from Texas to New Jersey. Its pipeline system spans more than 5,500 miles, transporting more than 100 million gallon a day.

The company said it hired a cybersecurity firm to investigate the nature and scope of the attack and has also contacted law enforcement and federal agencies.