Take ransomware seriously, and find your weak spots now – before the hackers do
The ransomware attack that shut down the entire network of US fuel pipeline operator Colonial Pipeline has been described as one of the most disruptive digital ransom operations ever reported. Within 24 hours, the FBI had confirmed that a relatively new ransomware group, known as DarkSide, was responsible.
The network is the source of nearly half of the US East Coast’s fuel supply. In total, the shutdown affected 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. According to Pankaj Thareja, cyber security consultant at FM Global, it demonstrated how disruptive an attack on critical infrastructure can be.
“It’s a message to all businesses everywhere that cyber risk is a huge threat and they need to build a resilient business.”
“In the case of the Colonial Pipeline attack, what’s clear is that an organisation of this size has extreme levels of connectivity – be it for gaining business efficiencies or employees, contractors, vendors, OEMs, connecting remotely ensuring business operations – any one of these could create potential entry points for threat actors if not managed effectively.”
Attacks on critical infrastructure are more likely than others to impact supply chains, causing more widespread disruption due to the dependency of organisations and individuals on those services. Moreover, aging US energy and power infrastructure makes it particularly vulnerable to exploitation.
“Think of a power generation company – if they’re impacted by a cyber attack, the implications could be huge,” says Thareja. “You’re talking about blackouts, disruptions to hospitals, transportation, almost any business. It’s the same with the pipeline – it has the potential to affect an entire nation and economy.”
“The primary thing businesses need to think about – and which I hope the Colonial Pipeline incident will drive home – is that organisations need to find vulnerabilities in their environment before hackers do. That’s fundamental to building a resilient business.”
“That means assessing risk proactively through risk assessment, penetration testing, vulnerability assessments – addressing identified vulnerabilities regularly and mitigating them. Also, make sure that everyone knows that security is their responsibility. There’s no point discovering vulnerabilities and not acting on them at a business level. There’s no point creating plans at a high level if then those on the ground don’t follow the rules.”
Preparedness involves looking at what alternatives or resources are at your disposal, says Fusion Risk Management’s principal solutions manager, third-party risk management, Brooke Cooper. “Single points of failure can and will happen. We must reflect on them and imagine how to do things differently. What are the alternatives and the costs? Then document, plan and test.”
“The necessity of testing and executing plans has been highlighted by recent events, including the global chip shortage, the Suez incident and now the shutdown by The Colonial Pipeline Company. While they show the fragility of delivery systems, they also prove which companies are the most forward-thinking and prepared.”
Attacks are rife
A failure as big as that of Colonial Pipeline demonstrates a “wilful ignorance to take cyber security seriously”.
This is according to ABI Research’s digital security research director Michela Menting. “The fact that ransomware shut down most of their operations, both information and operational technology, means that their security posture must have been poor at best.”
Ransomware attacks have become more targeted in recent years, with ransom demands tailored to the size and turnover of an organisation. Average ransomware recovery costs for businesses more than doubled in the past year, rising from $761,106 in 2020 to $1.85m in 2021, according to research by Sophos.
Former Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs says the threat has been exacerbated because ransomware is fast becoming a “global pandemic”. After Colonial Pipeline, he tweeted: “Every CEO should convene the senior leader team and review security, incident response plan and business continuity plan.”
CISA noted the attack “underscored the threat that ransomware poses to organisations regardless of size or sector”, adding: “We encourage every organisation to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
However, there is little to suggest critical infrastructure will be more targeted by ransomware gangs going forward. The DarkSide group was quick to state it had not anticipated how disruptive its attack on Colonial would be, saying in a statement: “We are apolitical, we do not participate in geopolitics… our goal is to make money, not create problems for society.”
ABI Research’s Menting says: “Ransomware is such a profitable market that it has become highly competitive, with sophisticated gangs going after bigger and bigger targets. However, there is still a fine line for the types of companies organised crime is willing to go after.”
To pay or not to pay
However, the apparent willingness of organisations, and their insurers, to pay ransom demands is compounding the broader problem of ransomware as a threat to business activities. Payment is often made to avoid extensive network outages and the threat of double extortion, in which systems are encrypted and sensitive data is also released on the dark web. Colonial Pipeline CEO Joseph Blount revealed the company had paid $4.4m in Bitcoin for a key to unlock its files.
Payment of ransoms has become an increasingly contentious area for industry, government and the cyber insurance sector. Cyber insurance rates have hardened substantially (on a steeper trajectory than many other lines of business within commercial insurance) and some carriers have tightened terms and conditions in order to reduce their potential exposure – for instance, introducing co-insurance measures or sharing a defined portion of claims.
However, ransomware gangs may have already sent out a warning shot. In May, Asian branches of AXA were attacked – a week after the insurance giant said it would be dropping reimbursement for ransomware extortion payments when underwriting its cyber product in France. Cybercriminals using Avaddon ransomware said, in a post on the dark web, that they had stolen 3TB of data, including details of medical records and claims.
AXA says that there is no evidence that data was accessed beyond that of Inter Partner Assistance Asia, a partner assistance company in Thailand. The company has deployed a task force, with third-party forensic experts, to determine the full scope of the incident.
While the insurance company was widely praised for its original stance, these attacks have been interpreted by some security experts as hackers sending a message to insurance companies determined to take a harder line against them. The war is on.