Colonial Pipeline Cyberattack: What Security Pros Need to Know


Major US pipeline operator Colonial Pipeline is investigating and responding to a ransomware attack on its IT network that ultimately disrupted its pipeline operations late last week, putting a spotlight on how the industrial sector remains vulnerable to growing cyberattacks that could have far-reaching consequences.

The company’s pipeline system runs 5,500 miles between Houston, Texas, and northern New Jersey, transporting millions of gallons of fuel each day. On May 7, Colonial Pipeline learned it was the victim of a cyberattack later determined to be ransomware. The FBI has since confirmed
the Darkside ransomware group is responsible, though the investigation is ongoing.

Learning of the attack prompted Colonial to take certain systems offline, temporarily halting all pipeline operations and affecting some of its IT systems. By May 9, its mainlines were still offline but some smaller lateral lines between terminals and delivery points were operational. A new update published to Colonial’s website today says its operations team has launched a plan involving an “incremental process” that will enable the company to fully restore its service.

The attack, which reportedly
involved the theft of nearly 100GB of Colonial’s data, prompted the US government to issue an emergency waiver that allows for greater flexibility and faster transportation of oil and fuel to the states where fuel supply may be disrupted by the attack.

Ransomware is an increasingly common threat with potential to cause widespread damage as it hits industrial environments – and this is the prime example. While ransomware was confined to Colonial’s IT network, its industrial operations were forced to shut down as a direct result.

“Almost every industrial organization relies on IT systems for a huge range of operational requirements, from billing to pricing to supply chain management,” says John Livingston, CEO of Verve Industrial. “The line of demarcation isn’t at some physical point … when we think of protecting ‘operations’ we need to consider the systems that if compromised, would impact operations.”

This is a situation in which the disruption to the industrial environments was a byproduct of the attack – not a direct target of the attack itself, adds Sergio Caltagirone, vice president of threat intelligence at Dragos. Even so, he adds, the impact of this ransomware attack is “dramatic [and] underscores the fundamental vulnerability we all have in industrial operations.”

Industrial Sector Targets

The industrial sector is an appealing target for many reasons, chief of which is the pressure to stay operational, says Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows.

“There’s potentially an incredible return on investment from enterprises in the industrial sectors, specifically those involved with energy and petroleum, who need the availability and would likely be more apt to pay to not lose services or regain access quickly,” Nikkel says. Further, secondary effects of an attack may cause physical damage companies want to avoid.

Within the industrial space, however, are some areas that are more vulnerable. Pipeline security is “far behind” the security of other energy sectors, such as upstream and downstream oil and gas, and electric utilities. A common gap in the pipeline industry is lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks, which connect the pipeline control center to terminals, pumping stations, remote isolation valves, and tank farms along the pipeline, explains John Cusimano, vice president of aeCyberSolutions.

“These are very large networks covering extensive distances, but they are typically ‘flat’ from a network segmentation standpoint,” he explains. “This means that once someone gains access to the SCADA network, they have access to every device on the network.” While pipeline SCADA networks are usually separated from IT networks by firewalls, those pass some data between networks. These one-way pathways through the firewall could be handy to attackers, he adds.

There are, of course, several challenges to securing pipelines. Geography is a big factor: Along the thousands of miles of pipeline are networks that must connect to every pump station and valve. The many assets involved in building these networks makes them hard to secure, he says.

And then there is the regulatory gap. While refineries and companies receiving refined products are highly regulated, pipelines don’t receive the same. They are regulated; however, not to the same extent. The Department of Transportation regulates integrity of the pipelines themselves, and the Transportation Security Administration also provides regulation. However, these are more like guidelines, Cusimano says, and pipelines are not subject to mandatory regulation.

The security gaps in the industrial sector are “wide and deep,” Livingston says. For years, cyberattacks have targeted information and confidentiality; now, attackers are pivoting to focus on availability and reliability. This changes the type of targets they prefer to go after. Early last year, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned of ransomware targeting pipeline operations and offered mitigations against future attacks.

“On the critical infrastructure side, it’s really important that we put more emphasis on making the industrial side more resilient to cyberattacks,” says Caltagirone. “Right now, it really isn’t.”

The Lowdown on DarkSide

DarkSide, the ransomware-as-a-service operation believed to be behind Colonial Pipeline attack, first emerged on the ransomware scene last summer. Researchers noted the group shared some of the same methods as DoppelPaymer, Sodinokibi, Maze, NetWalker, and other well-known ransomware groups; for example, it operates as an affiliate model, so other groups can buy from, and work with, DarkSide to use and develop their malware. They also use the increasingly common “double extortion” method of stealing data and threatening to leak it.

Its attackers have a “highly targeted approach” to choosing victims, Digital Shadows researchers note in a report on the threat. While they claim to avoid critical and vulnerable entities such as schools, hospitals, non-profits, or governments, Nikkel notes that an attack on a company like Colonial Pipeline is not out of character: industrial sector targets have previously been the most attacked by DarkSide, telemetry shows.

DarkSide attackers do their research. They often choose targets and determine a ransom based on the company’s revenue, and customize the ransomware executable to each company.

The group attempts to establish trust between their victims, and other attackers involved, with professional communication methods – for example, they post press releases to communicate their latest operations or threaten victims. One such press release, published today, offers an interesting follow-on to the attack on Colonial Pipeline.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” the group wrote on its website. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.

Some experts speculate this attack was a mistake by DarkSide or one of its partners that could lead to repercussions for the cybercrime group. “This is going to be a really interesting balance-of-risk exercise for them,” says Caltagirone, noting this action could put the group on government lists and potentially affect its partnerships with other criminal groups. “If you draw too much heat, all of your support network is going to pull away from you,” he adds.

Protecting OT

The first thing organizations should do is identify and assess what their assets are, as all as the risks so they can compile a profile and plan for how to address them, Cusimano says. Putting together a roadmap can help security teams determine which assets should be addressed first.

“What are the vulnerabilities and the gaps that are creating the greatest risk for them?” he notes.

One crucial gap to address is the one between operations and IT teams, Cusimano adds. The responsibility for cybersecurity can be vague, especially in organizations like Colonial Pipeline, where operations are so critical. IT often has the capabilities but no jurisdiction in operations.

Caltagirone strongly advises companies to assess the vulnerability of their industrial operations as they pertain to other networks. They need to “immediately recognize” if they would ever have to shut down or protect industrial operations because of an attack on another network or asset they rely on, he explains. When things are done in silos, industrial operators don’t realize the implications of attacks on other networks.

The most common attacks from these groups often involve phishing or exploits of vulnerable server infrastructure, says Nikkel, noting that awareness training and strong security practices can go a long way in defense. Keeping servers and Internet-facing network infrastructure patched and updated can help mitigate the risk from DarkSide and similar attack groups.

Companies’ biggest security gaps often lie in the foundational elements, Livingston says. This includes patching, quality backups, configuration hardening, and managed segmentation – “not just on paper, but closely monitored so that you know what the rules and architecture actually [are] today,” he adds.