On May 7, the taps turned off. After learning it was the victim of a ransomware attack carried out by Russia-based hackers, Colonial Pipeline chose to suspend both its IT systems and its pipeline operations while security teams worked to quantify the damage and restore affected systems.
The six-day shutdown raises significant concerns about the defensive capabilities of the industries that make up America's critical infrastructure. Even now, experts are still working to understand what happened. Here's what they know about the attack so far, and what companies can do to bolster their InfoSec efforts before it's too late.
Unpacking the Colonial Pipeline Attack
A ransom note on control-room computers was Colonial's first sign of the compromise. Delivered by the hacking group known as DarkSide, the note demanded payment of 75 bitcoins (worth approximately $4.4 million at the time) for the decryption key that would get systems back up and running. After shutting down all systems, CEO Joseph Blount authorized the ransomware payout, noting that while he didn't like it, "it was the right thing to do for the country."
As noted by Dustin Brewer, senior director of emerging technology and innovation at ISACA, however, little else is known about the mechanics of the attack. “While we know Colonial Pipeline was hit by a ransomware attack, the exact vector is unknown until triage happens later,” he says.
According to Brewer, “the attack likely targeted the IT side of the house, but Colonial shut down all systems and operations to isolate the attack, and the CEO made a snap decision to pay the ransom.” He notes that bitcoin tracking by blockchain analytics firm Elliptic found that the digital wallet used by DarkSide was emptied after the attack — in all, the wallet contained nearly $90 million worth of bitcoin.
While this suggests the wallet itself may have been retired, Brewer says that "it's probably not the last we've heard of them. Malicious actors are starting to use blockchain for payment."
Understanding the Disconnect Between Security and Threats
Despite DarkSide's disruption of critical U.S. infrastructure, the group claims it had no intention of causing a catastrophe. "They made a statement that their goal was to make money, not cause problems," says Brewer, "and now plan to properly 'vet' their clients." In other words, the attackers wanted cash, not carnage.
So, what went wrong? According to Brewer, “they underestimated the reactionary posture of corporate cybersecurity: When something goes wrong, just unplug everything.” This speaks to a significant disconnect between current security postures and actual threat vectors. In the aftermath of the attack, Colonial announced the development of a security and information governance team to address cyber and physical risks at scale — which suggests that these capabilities were underdeveloped when the attack occurred.
Colonial certainly isn't alone in this regard. Many companies only close their digital doors after attackers have walked in and made themselves comfortable; the critical nature of Colonial's operations, however, thrust its response into the public eye.
Uniting InfoSec Efforts Within an Organization
For Brewer, it’s not all bad news. “Thanks to the attack, Colonial Pipeline is like a household term now. Not everyone will understand the ins and outs, but people have general awareness.” Brewer hopes that this awareness will spur action to unite InfoSec efforts across corporate silos, and suggests three strategies to help improve incident response efforts.
- Train like you fight, fight like you train. Cyberattacks are stressful, but regular and rigorous training helps teams respond quickly and effectively to threats. “Instead of having a reactionary posture,” says Brewer, “have a preventative posture. Use techniques such as penetration tests and tabletop exercises. Run through these scenarios to prevent overreaction.”
- Get the right people in the room. Brewer puts it simply: “You have to talk about everything that could happen. You need to consider all different scenarios.” This means getting the right people in the room — from security experts to operations managers and frontline IT staff — to evaluate what’s happening and create a triage strategy. For Brewer, taking even 30 or 45 minutes for this discussion can help improve defensive posture and limit overall damage.
- Create a cybersecurity culture. For Brewer, cybersecurity is inherently human. “We’re trying to change human behavior,” he says. “People are going to open emails and click links. That’s what they were designed to do. It’s all about psychology. Everyone is a vector. How do we make sure we’re training people to understand that and protect the company?” Consistent cybersecurity culture is critical to achieving this goal.
The Colonial Pipeline attack makes it clear: Current cybersecurity practices aren’t keeping pace with attacker efforts. To help reduce the risk of operational disruption and costly bitcoin payouts, security leaders need IT strategies that deliver defense in depth and help cultivate a culture of proactive protection.