The obvious question on the minds of cybersecurity professionals is how the Colonial Pipeline ransomware attack could happen to such a large and sophisticated company. To provide insight into this catastrophe, ABI Research turned to its Digital Security Research Director Michela Menting with some pressing questions about this stunning breach. Perhaps the most significant statement made by Ms. Menting will give every company a wakeup call: “Any company (especially one with upwards of $500 million in annual revenues) that is not prepared for such attacks has clearly been purposefully skimping on basic cybersecurity tools, training, and strategy.”
Question 1: In simple terms, what was the exact nature of the hack?
It was a ransomware attack. In general, this means a threat actor infiltrated corporate IT systems and installed some malware, which encrypts data and systems. As a result, these systems become unusable without a decryption key. The threat actor then offers to deliver the key only in exchange for a ransom payment.
In the case of the Colonial Pipeline attack, the threat actor is a group known as DarkSide. The group utilizes an additional tactic that involves stealing a copy of the data before encrypting the original. This puts additional pressure on the company, as DarkSide threatens to release the data publicly unless the ransom payment is received.
Question 2: What was the primary infrastructure weakness that enabled entry? Was there more than one critical entry point?
The primary infrastructure weakness is unknown at this point as Colonial Pipeline has not revealed any information pertaining to how the threat actors got in. Typically, however, such groups use a mix of social engineering, such as phishing emails, and vulnerabilities of remote access mechanisms, to get in and then privilege escalation (e.g., gaining elevated access to restricted resources) and lateral movements (e.g., using one system to access other systems in order to move deeper into the network) inside the infrastructure to identify weaknesses and assets.
Question 3: What should have been in place to prevent the hack, or to make it more difficult/less successful?
This is also unknown since no information has been shared yet. However, the fact that ransomware shut down most of their operations, both IT and OT, means that their security posture must have been poor at best.
Ransomware is neither new nor revolutionary. The fact that there is a sophisticated, organized cybercriminal market for ransomware shouldn’t be news for anyone in the industry. On the contrary, it is a longstanding, experienced, and mature black market. Any company (especially one with upwards of $500 million in annual revenues) that is not prepared for such attacks has clearly been purposefully skimping on basic cybersecurity tools, training, and strategy.
Question 4: This hack is a harbinger of cyberthreats to come. Do you have one or two solutions/recommendations that are critical for companies/governments/utility authorities to implement to prevent hacks like this from happening again?
Attacks like this have been happening since the dawn of the first virus and will continue to happen indefinitely. Cybercrime is as lucrative as the IT industry itself. For companies that take these threats seriously, there are a great many resources available, including guidelines, standards, regulations, best practices, technologies, architectures, strategies, and information sharing processes. These tools are available at the public, private, and international levels, and the U.S., where the attack took place, is among the leaders in the cybersecurity space. Therefore, a failure as big as that of Colonial Pipeline simply shows an obvious willful ignorance to take cybersecurity seriously, to their unfortunate detriment.
Expanding connectivity in both IT and OT will mean continuously increased threat vectors. The key is to understand that even the best cybersecurity solutions will not, and cannot, always guarantee absolute protection for all assets. Consequently, organizations large and small should always be prepared for an eventual attack, which means architecting their infrastructure so that it can continue to operate despite an ongoing attack while simultaneously recognizing and dealing with the threat. This is not an easy feat, but there are concepts such as zero-trust security and cyber-resiliency which can aid in creating such a posture.
Question 5: Do you think this hack will speed IoT security efforts in the U.S. or globally? ABI has forecasted that cybersecurity spending for critical infrastructure will grow to reach US$106 billion in 2021. Should it be more?
Many in the industry expected attacks against critical infrastructure of this nature and breadth to have been launched by nation states. However, despite global geopolitical tensions, most of the big powers have abstained from such large, public-facing, debilitating attacks against one another, as they could be considered acts of war. As such, and despite the dangers, cybersecurity efforts have been sporadic, fragmented, and half-hearted in critical infrastructure, leaving many gaping holes in security postures.
Unsurprisingly, the organized cybercriminal market has stepped in to pick the low-hanging fruit, but ransomware is such a profitable market that it has become highly competitive, with sophisticated ransomware gangs going after bigger and bigger targets. However, there is still a fine line for the types of companies organized crime is willing to go after. The closer these groups get to undermining critical infrastructure, the more dangerous they become to national security and the greater the risk of serious repercussions from concerned governments.
Additionally, these repercussions may not just come from the victim country, but also potentially from their host nation, especially when this country might be Russia or China. To that end, while there is no conclusive evidence that most of these groups are state sponsored, there is clearly an implicit understanding between the gangs and their home countries that allow them to conduct their illicit operations with impunity. If these gangs start to cause too much trouble from a national security perspective and create problems for their host nations, reprisals back home may be likely.
It is clear DarkSide is conscious of such consequences, as evidenced by their recent half-apologetic press release and their efforts to distance themselves from any political motivation some may want to infer about their attack. Nonetheless, it may be that, in this instance, they may have gone after too big a fish, however poorly secured Colonial Pipeline seems to have been. Hopefully, however, it will give large corporations a push to revise and strengthen their cybersecurity strategies, especially those in critical infrastructure, and show them – yet again – that they are not exempt from common cyberattacks.