What Happened and Why It Matters
On Saturday, May 8th, Colonial Pipeline confirmed that its information technology (IT) systems were compromised by a ransomware attack. As a precaution, Colonial temporarily halted operational technology (OT) functions across four of its mainlines that transport gasoline, diesel, and jet fuel, stretching from Texas to New Jersey. This is not the first cyber-attack on a gas pipeline, and the Colonial Pipeline has experienced previous interruptions for non-cyber reasons. That said, this shutdown affects a pipeline that supplies approximately 45% of the gasoline and diesel fuel used on the U.S. East Coast.
- Colonial’s CEO cautioned state officials on May 10 to be ready for possible fuel shortages, although the company also expected to resume full service by the coming weekend.
- The U.S. Department of Transportation’s Federal Motor Carrier Safety Administration issued a temporary hours of service exemption to create more flexibility for truckers transporting gasoline, diesel, jet fuel and other refined petroleum products to the affected areas.
In addition, reports indicate that the attackers stole more than 100 GB of data prior to encrypting Colonial’s network. This event is consistent with recent ransomware trends targeting and crippling critical infrastructure (CI) while also exfiltrating sensitive data (known as “double extortion”).
The Federal Bureau of Investigation has confirmed that DarkSide ransomware is responsible for the compromise of Colonial networks. In a public statement DarkSide claimed, “We are apolitical, we do not participate in geopolitics. Our goal is to make money and not creating problems for society.”
The Larger Picture...
- Ransomware attacks on industrial systems are increasing in frequency and severity. Over the past year, there has been an observed rise in ransomware attacks on industrial systems like energy infrastructure and manufacturing plants. These attacks have not necessarily infected operational networks, but victims, like Colonial, have been compelled to suspend operations as a precautionary measure.
While the disruption to the US gasoline fuel supply chain was apparent, some commentators have suggested that the impact of a natural gas supply chain attack could be far more severe. Natural gas, which will account for over a third of total US electricity generation this year, is often delivered on a “just-in-time” basis to power plants.
- Lifeline critical infrastructure sectors are experiencing increasingly disruptive cyber attacks. In just the past few months, authorities have uncovered attempts by bad actors to tamper with public water supplies in Oldsmar, Florida, and in Ellsworth County, Kansas. In both instances, attackers illegally leveraged remote access capabilities in an attempt to alter the balance of chemicals used to treat public drinking water – changes that could poison or kill thousands of people.
What to Do About It: Defending Against Ransomware Attacks
While the adversary tactics for the Colonial incident have not been released, defenders can apply the following guidelines and best practices to address risks from ransomware and other disruptive cyber threats:
- Technical guidance resources. Our industrial cybersecurity partner Dragos has released these Operational Technology recommendations in relation to the Colonial attack.
- Threat modeling, ATT&CK and zero-trust. More generally, The Chertoff Group recommends that security practitioners apply security controls based on anticipated adversary behavior and an assumption that a breach is inevitable or has likely already occurred. By understanding the anatomy of recent ransomware attacks and the associated tactics, techniques and procedures (TTPs), defenders can ensure risk-based countermeasures are in place. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage.
Security planning should also reflect zero trust principles that eliminate implicit trust in any network node or access point and consistently limit access to only what is required. This model is particularly relevant to critical infrastructure providers where threat actors may seek to achieve initial entry to the enterprise environment in order to compromise the operational network.
- Validating control effectiveness. Critical infrastructure owners & operators must validate that defensive countermeasures are operating as intended. As more details emerge from the Colonial attack, defenders should ensure existing security controls are effective against identified TTPs. Likewise, security teams can use testing tools based on the ATT&CK framework to measure control performance with added precision, instilling greater confidence that controls are operating effectively.
Multiple public and commercial sector sources, including CISA, the U.S. Department of Justice, the FBI and MITRE, track and analyze ransomware attacks. Their guidance provides valuable context, tactical mitigations and detection analytics that organizations can employ to thwart ransomware campaigns.
- Building Cybersecurity Provisions into Infrastructure Bill. On March 31st, the White House released the American Jobs Plan, a sweeping $2 trillion spending proposal designed to revitalize the country’s aging infrastructure and manufacturing sector. Despite the White House’s assurances that cybersecurity would be a priority for any projects receiving funding, the plan does not explicitly reference cyber initiatives or forecast cybersecurity requirements. The Colonial Pipeline compromise puts the absence of cybersecurity provisions into sharper relief as critical infrastructure owner/operators struggle to defend against disruptive cyber attacks. While many of the plan’s modernization initiatives will likely carry safety and security benefits, proposed projects like internet-connected machinery and autonomous vehicles can create additional cybersecurity risk. Policymakers and critical infrastructure industries should include additional provisions for hardening vulnerable assets, building security into new projects and enhancing response and resilience capabilities. The U.S. government and industry need to work together to address this threat.
- Regulatory action. While the Federal Energy Regulatory Commission (FERC) enforces cybersecurity rules for the electric grid, the Transportation Security Administration oversees pipeline cybersecurity through voluntary standards. Following the attack on Colonial, FERC’s Chair Richard Glick and Commissioner Allison Clements have called for mandatory and enforceable directives for the pipeline sub-sector. Given the criticality of the country’s pipelines and increasingly sophisticated cyber threats, heightened pressures for mandatory pipeline cybersecurity standards can be expected.
- Pending Cybersecurity Executive Order. While the Colonial incident appears unrelated to the recent SolarWinds compromise, it underscores broader cyber risks around vital supply chains. The Colonial incident may thus also shape a pending Executive Order to strengthen cybersecurity for federal agencies and critical infrastructure. The Executive Order is expected to lay the groundwork for more stringent breach notification requirements and software security standards for Federal contractors. As critical infrastructure operators implement more software-enabled automation, they will also likely be subject to heightened application security expectations.
- Civilian-military cooperation. As the Colonial attack demonstrates, ransomware campaigns can result in disruptive impacts to national critical infrastructure and public safety. In these circumstances, policymakers can look beyond traditional response options and consider invoking authorities and capabilities that can more meaningfully support ransomware deterrence and response. The U.S. Department of Defense (DoD) Joint Doctrine is in place to address such contingencies. In close coordination with DHS and other relevant agencies, the doctrine contemplates the use of Defensive Cyberspace Operations-Response Actions (DCO-RA) to leverage DoD cyber forces to defend non-DoD cyberspace segments, like national critical infrastructure.
While this authority provides supporting doctrine for U.S. Cyber Mission Forces (CMF) support, to our knowledge this capability has rarely, if ever, been exercised. With the appropriate relationships in place with critical infrastructure, NMTs could be in a position to execute their DCO-RA missions and provide an effective deterrent as well as response and remediation support to victims.
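The threat-modeling and control-validation items above (mapping ransomware TTPs to countermeasure coverage, then confirming the controls actually work) can be made concrete with a small gap analysis. The following is an added example, not code from The Chertoff Group, Dragos or MITRE; the TTP profile uses real ATT&CK technique IDs but is a constructed generic ransomware profile, since the Colonial TTPs were not public, and the control inventory is likewise constructed.

```python
from dataclasses import dataclass

# Constructed ransomware TTP profile (real ATT&CK technique IDs, but an
# assumed generic double-extortion chain, not the Colonial incident's).
RANSOMWARE_TTPS = {
    "T1133": "External Remote Services",       # initial access via remote access
    "T1078": "Valid Accounts",                 # stolen or weak credentials
    "T1021": "Remote Services",                # lateral movement inside the IT network
    "T1567": "Exfiltration Over Web Service",  # data theft before encryption
    "T1486": "Data Encrypted for Impact",      # the ransomware encryption itself
}


@dataclass
class Control:
    name: str
    techniques: set            # ATT&CK IDs this control mitigates or detects
    validated: bool = False    # True once an ATT&CK-based test has confirmed it works


def coverage_report(ttps, controls):
    """Classify each TTP as uncovered, unvalidated, or covered.

    uncovered:   no control claims the technique at all (a control gap)
    unvalidated: only untested controls claim it (assumed, not proven, coverage)
    covered:     at least one validated control claims it
    """
    uncovered, unvalidated, covered = [], [], []
    for tid in sorted(ttps):
        claiming = [c for c in controls if tid in c.techniques]
        if not claiming:
            uncovered.append(tid)
        elif not any(c.validated for c in claiming):
            unvalidated.append(tid)
        else:
            covered.append(tid)
    return uncovered, unvalidated, covered


# Constructed control inventory for the example.
CONTROLS = [
    Control("MFA on VPN and remote access", {"T1133", "T1078"}, validated=True),
    Control("Egress proxy with data-loss alerting", {"T1567"}),   # never tested
    Control("EDR rule for mass file encryption", {"T1486"}, validated=True),
]

if __name__ == "__main__":
    unc, unv, cov = coverage_report(RANSOMWARE_TTPS, CONTROLS)
    for label, ids in (("UNCOVERED", unc), ("UNVALIDATED", unv), ("COVERED", cov)):
        print(label, [f"{t} {RANSOMWARE_TTPS[t]}" for t in ids])
```

Techniques in the first two lists are where assume-breach planning should focus: lateral movement (T1021) has no control at all, and the exfiltration control exists on paper but has never been exercised.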
The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact email@example.com for more information.