Take Five: Discussing the Colonial Pipeline Hack with Keysight’s VP of Security Solutions
In the wake of the recent Colonial Pipeline hack, I sat down with Scott Register, Keysight’s Vice President, Security Solutions, to discuss the attack and what it means for utilities and other infrastructure providers around the world.
Ransomware has been around a long time. What’s going on?
Scott: Ransomware is one of the most frequent and lucrative cyberattacks – which typically begins with a successful phishing scam. In addition to cash-rich corporations and financial institutions, Ransomware victims include hospitals, schools, universities, local governments, and police departments, as well as utility companies. And, borrowing a page from the blackmailer’s playbook, some criminals even threaten to publicly release the organization’s most sensitive data unless they pay up, typically in cryptocurrency. Some are even moving away from encrypting data altogether and going straight to release (or sale).
You don’t have to look very far for evidence of just how widespread cybercrime has become. In fact, many of us don’t even have to look beyond our own inboxes or headlines. And sadly, as we’ve learned, the situation is getting worse. It is now bad enough that in April, a bipartisan group of lawmakers proposed forming a “Civilian Cybersecurity Reserve” to create a surge capacity of cyber expertise, patterned after the National Guard, to respond to incidents affecting government networks.
This new attack on Colonial Pipeline is different. What happened? Who did it?
The May 7 ransomware attack on Colonial Pipeline largely shut down the largest refined products pipeline system in the U.S. There’s a lot of evidence that the hackers, confirmed by the FBI to be a group called DarkSide, are Russian. One of the clues is that their malware deactivates if it finds itself on a computer with the default language set to Russian. This is a common tactic, as hacking groups tend to operate on a spectrum from tacit approval to active support from the Russian government on the agreement that they do not conduct activities inside Russia or Russian-aligned countries. In practice, its often hard to draw a firm line between formal GRU activities and other Russian hacker groups, as the efforts of both are typically welcomed by the Kremlin.
One of the most interesting aspects of this attack is that DarkSide may have overreached. As per their public statement, their aims were economic rather than political (it’s also demonstrative of their sense of security when a cybercrime group issues a press release). True or not, the intense focus on a Russian attack which has real economic consequences in the US was probably not the Kremlin’s goal. Historically, the DarkSide group conducts two-pronged ransomware attacks against victims with deep pockets – they both steal data and encrypt it. They’ll offer to unlock encrypted data for ransom, and if the ransom isn’t met they’ll release data or information about the attack to competitors or unscrupulous stock traders who can short the victims’ stock before the breach becomes public.
These type of infrastructure attacks aren’t new. Do we know what happened?
There have been well-publicized cyberattacks against critical infrastructure before, from the attacks Russia launched against Georgia in 2008 to Stuxnet, to the recent (unsophisticated) attack against the water treatment facility in Oldsmar, FL. Ransomware attacks are nothing new, having been a staple of security headlines for at least half a decade. But many of the previous attacks were bespoke attacks against industrial control systems, where the attackers went in with a specific plan to disable those Operational Technology (OT) systems and often used specific tools for doing so.
By contrast, the Colonial Pipeline attack seems to have been a traditional ransomware attack directed against mainstream IT systems, but it had the downstream effect of forcing Colonial to turn off its pipeline systems to prevent further spread. Industrial control systems are often distributed and unmanned, so the cost appeal of enabling remote, networked administration is high. As IT and traditionally standalone OT systems become increasingly comingled, it becomes critical to take a holistic approach to protecting the entire realm of an organization’s digital assets rather than treating them as separate, independent entities – or assuming that one of them is somehow “safe” because it’s different.
So, what do we do now?
As Colonial Pipeline learned the hard way, it’s no longer appropriate to think of OT systems as isolated, secure via obscurity, or unlinked from IT systems. Careful control of all network access points, network segmentation, and comprehensive network visibility with appropriate IT- and OT-monitoring tools can’t be delayed. Over the past few years, many IT organizations have embraced “hack yourself” approaches such as red Teaming, penetration testing, and breach and attack simulation, but the scope of these exercises was often restricted to corporate email, web, and other mainstream systems. SOC teams are often staffed and equipped to monitor attacks against those systems.
*We must now expand our security efforts to include not only OT-specific visibility tools, but also friendly hacking attempts at the OT systems themselves, as well as thorough examination and testing of the connections between the two to guard against lateral movement and cross-contamination. The principle of “zero trust” certainly applies here. If a hacker obtains a user’s credentials via a phishing campaign originally targeting economic or intellectual property theft, do those same credentials also enable access to critical OT systems? *
The effects of an IT attack on the Colonial Pipeline are headline news because of the disruption of the energy sector, but if your company has a manufacturing line then it could just as easily have been you.