In one of the most disruptive cyber security incidents to take place in the United States, Georgia-based Colonial Pipeline announced late Friday that it was the victim of a cyber attack, later confirmed to be a ransomware attack. The company said it proactively took specific systems offline and halted all pipeline operations.
Colonial called in federal authorities and hired FireEye Mandiant to conduct an incident response investigation. On Sunday, the third day of its shutdown, Colonial said it was developing a system restart plan while keeping its three main oil lines offline.
The company said it would bring its "full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations."
News of Colonial's shutdown reverberated all weekend throughout the cyber security world, given how critical Colonial's pipeline business is to the nation's economic health. Colonial transports about 2.5 million barrels of fuel per day to the eastern US and connects to 30 refineries and almost 300 distribution terminals. It carries gasoline, diesel, jet fuel and other refined products from Texas to the Northeast, delivering around 45 per cent of the fuel consumed on the East Coast.
The criticality of Colonial Pipeline to the national infrastructure became clear late Sunday when the Biden administration issued a regional emergency declaration in response to the cyber attack, lifting hours-of-service limits on drivers hauling fuel by road, as fears of shortages began to put upward pressure on petrol and diesel prices.
Commerce Secretary Gina Raimondo said that the President had been briefed, and it's an "all-hands-on-deck" situation to ensure the attack doesn't disrupt the US oil supply.
Multiple sources have identified the attackers as the DarkSide group, an eastern European criminal ransomware gang, although DarkSide's leak site does not name Colonial as a victim. DarkSide's silence suggests to many experts that it could be negotiating a ransom payment with Colonial, which has reportedly refused to answer questions about whether it plans to pay.
Although DarkSide is widely believed to operate with the tacit tolerance of the Russian government, and its malware is built to spare Russian-, Kazakh- and Ukrainian-speaking organisations, most cyber security experts do not classify it as a state-sponsored threat actor.
A big question remains how quickly Colonial can develop its restart plan.
"There is no simple light switch or push button to magically restart and restore operations," Marco Ayala, ICS cyber security and sector lead at 1898 & Co. (part of construction engineering firm Burns & McDonnell) and sector chief of the FBI's Maritime Domain InfraGard group, tells CSO. When it comes to Colonial's operational technology or industrial control systems, "When was the last time that was ever done? They might be dusting off old three-ring binders on safe full system start-up."
Even with this and other questions yet to be answered, the Colonial attack offers a few lessons for how ICS firms should prepare for and respond to a cyber attack.
Greater visibility into OT systems could speed restart
A lack of visibility into the security status of its operational technology (OT) systems is the likely reason Colonial shut down operations in the first place: an operator that cannot tell which systems are affected cannot tell which are safe to keep running.
"The big problem here is not knowing how deep and how far and how wide the impacts are," Ayala says. "From a critical infrastructure perspective, such as pipeline, natural gas or any other operations, if you don't know how deep and how far and how wide it went, you have to start talking to your operational director, and from a board-level standpoint, talking to your security officers and your operational directors saying, 'Hey, maybe we should be shutting down because we don't know how far it went.'
"Shutting down operations is a clear sign that they have little faith in their current operating technology security system, security environment, and posture."
In a note to clients, Ayala predicts that Colonial's recovery will "be anywhere from 48 to 84 hours or more to prep for return to operations. Given the breadth of the unknowns, the discovery, containment, decontamination and remediation effort will be lengthy and will likely result in a gradual return to operations."
Marty Edwards, vice president of operational technology security at cyber security firm Tenable and the longest-serving director of ICS-CERT, agrees.
"They need to be able to have enough visibility into their environments to know how broad the impact actually is," he tells CSO. "It is often the case that critical infrastructure owners and operators simply don't have enough visibility, especially into these operating technology and industrial control system environments."
"They have the systems in place on the IT network to be able to reach into all of those laptops that are sitting on people's desks at home because of the pandemic, but they don't often have the same technology to reach into the industrial control system environments and determine their state," Edwards adds.
Better segmentation could avoid shutdowns
To help avoid a similar shutdown of their operational systems, industrial organisations should focus on better segmentation of networks and functions, with a clear demarcation between IT and OT so that an incident on one side can be scoped and contained without halting the other.
"There should be clear and proper segmentation," Ayala says. "We have to do proper architecture. We have to know how to react. The lack of demarcation or lines in the proverbial sand and segmentation are big key pieces here. The lack of segmentation and demarcation of OT from IT is our biggest threat. To make matters worse, OT and IT are so intertwined now that if [an attacker takes down IT], OT could possibly crumble."
Segmentation comes into play when hunting for infected components and isolating them as quickly as possible to speed the return to normal operations.
"You have to have that kind of real-time visibility that if something starts impacting your network operations in one geographic area, you can quickly reach into the system and find out where else you could potentially be vulnerable and segment and isolate those systems in as quick a fashion as possible," Edwards says.
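The two points Ayala and Edwards make above, a hard demarcation between IT and OT and enough visibility to answer "how far did it go", can be turned into a concrete check. The following Python script is an added example, not code from the article, from CSO, or from any of the firms quoted, and it knows nothing about Colonial's actual network: the zone subnets, the allow-list of permitted cross-zone flows, the netflow-style records and the compromised host address are all constructed for illustration. It audits the flow records against a simple enterprise/DMZ/OT zone policy to flag connections that bypass the demarcation, and then walks the same records in time order from a known-compromised IT host to scope which OT hosts it could have reached.

```python
"""Audit constructed flow records against an IT/OT zone policy and scope a compromise.

Added example, not code from the article or from Colonial Pipeline.  Zones follow
the Purdue model loosely: enterprise IT (level 4/5), an OT DMZ (level 3.5), the
supervisory/SCADA segment (level 2/3) and the field segment (level 0/1).  All
subnets, hosts, ports and flow records below are constructed for illustration.
"""
import ipaddress

# Constructed zone map (hypothetical subnets).
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("10.30.0.0/24"),
    "ot_field": ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed (source zone, destination zone, destination port) triples.  Anything
# crossing a zone boundary that is not listed here is a demarcation violation.
ALLOWED = {
    ("enterprise_it", "ot_dmz", 443),       # enterprise pulls historian data via DMZ
    ("ot_dmz", "ot_supervisory", 502),      # DMZ historian reads Modbus/TCP from SCADA
    ("ot_supervisory", "ot_field", 502),    # SCADA to PLCs (Modbus/TCP)
    ("ot_supervisory", "ot_field", 44818),  # SCADA to PLCs (EtherNet/IP)
}

# Constructed netflow-style records: timestamp src dst dport proto bytes.
FLOWS = """\
2021-05-07T03:12:01Z 10.10.5.23 10.20.0.10 443 tcp 4821
2021-05-07T03:12:09Z 10.10.5.23 10.30.0.15 445 tcp 92310
2021-05-07T03:13:44Z 10.30.0.15 10.40.0.7 502 tcp 1201
2021-05-07T03:14:02Z 10.10.5.23 10.30.0.15 3389 tcp 18820
2021-05-07T03:15:10Z 10.20.0.10 10.30.0.15 502 tcp 300
2021-05-07T03:16:00Z 10.10.7.1 10.40.0.7 22 tcp 650
"""


def zone_of(ip):
    """Return the zone name containing ip, or None for an address outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    """Parse the whitespace-separated records into dicts, sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_violations(flows):
    """Return every cross-zone flow not covered by the ALLOWED policy."""
    violations = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz == dz:
            continue  # intra-zone traffic is out of scope for a demarcation check
        if (sz, dz, f["dport"]) not in ALLOWED:
            violations.append({**f, "src_zone": sz, "dst_zone": dz})
    return violations


def blast_radius(flows, compromised):
    """Hosts reachable from the compromised set by following flows in time order.

    A single pass over time-sorted flows is enough: a host becomes tainted when a
    tainted source talks to it, and only flows after that moment propagate further,
    so a connection a host made before it was compromised is not counted.
    Returns {host: zone} for every newly reached host.
    """
    tainted = set(compromised)
    reached = {}
    for f in flows:
        if f["src"] in tainted and f["dst"] not in tainted:
            tainted.add(f["dst"])
            reached[f["dst"]] = zone_of(f["dst"])
    return reached


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("Demarcation violations:")
    for v in find_violations(flows):
        print(f"  {v['ts']} {v['src']} ({v['src_zone']}) -> {v['dst']} ({v['dst_zone']}) port {v['dport']}")
    compromised_host = "10.10.5.23"  # constructed: the enterprise host the IR team flagged
    print(f"Hosts reachable from {compromised_host}:")
    for host, zone in blast_radius(flows, {compromised_host}).items():
        print(f"  {host} ({zone})")
```

Running the file reports three violations (SMB and RDP from an enterprise host straight into the supervisory segment, and SSH from another enterprise host into the field segment) and a three-host blast radius spanning all three OT zones. In practice the records would come from the firewall or a passive sensor at the IT/OT boundary rather than a string literal, but the two artifacts are the same: an explicit allow-list that defines the demarcation Ayala describes, and a reachability walk that gives an operator the "how far did it go" answer Edwards says is needed before deciding what to isolate and what can keep running.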
Transparency about the attack is critical
Another critical piece for organisations to consider is the governance policy surrounding ransomware events, in particular preparing for the aftermath of an attack by lining up communications strategies and incident response retainers before they are needed.
"I always encourage as much transparency as you can give as an organisation," Edwards says. "They should have almost pre-vetted statements, holding statements, press releases, etc., for these kinds of events so that the chief information security officer, when he or she gets the call that says, 'Boss, we have a problem,' they know already who in the organisation they have to get approval from to release the statements, what the statements are going to be, they already have on retainer their incident response companies, etc."
Industrial organisations should also have or develop prudent plans for how to manage these attacks.
"If companies have a well-tested and maintained disaster recovery plan with good back-ups of all of these types of systems, then they can have confidence that they can isolate the incident," Edwards says. "They can shut down those environments, restore them from their backups according to their disaster recovery plans and come back up in as short of a time as possible."
Working with government is essential
Ayala gives Colonial high marks for its communication strategy and for working with the federal government. "They are working with their federal partners. They should be doing that. They should be working with the FBI, CISA and DHS."
Longer-term, the federal government should probably play a more critical role in preparing for these sorts of incidents. "We've said for a long time that it has to be a true partnership. I'm not throwing around the term partnership to mean more information-sharing programs or something. We need to have a combination of the private sector and the federal government at the table to really, really hammer out some solutions here," Edwards says.