On May 7, the Colonial Pipeline issued a press release stating it was the victim of a cybersecurity attack involving ransomware, and that it had taken “certain systems offline to contain the threat, which has temporarily halted all pipeline operations.” By May 10, the United States Federal Bureau of Investigation confirmed the suspicion that DarkSide ransomware was responsible for compromising Colonial Pipeline’s network. DarkSide is a ransomware-as-a-service (RaaS) variant. Their business model involves selling their ransomware service for a percentage of the profits.
Though operations were not compromised, because Colonial Pipeline’s billing system was affected and customers could not be charged, the pipeline had to be halted. While cyberattacks have been on the rise in recent years, what makes this particular incident significant is that Colonial Pipeline, which runs from Texas to New Jersey, transports “approximately 45% of all fuel consumed on the East Coast,” according to their website. These include refined petroleum products such as gasoline, diesel and jet fuel.
In response, the Federal Motor Carrier Safety Administration issued an Emergency Declaration for the many affected states granting flexibility to motor carriers and drivers during the shutdown. The shutdown resulted in some flights having to use alternate fuel suppliers, gas prices elevating and panic buying of gasoline until the pipeline had been operational for several days. The pipeline restarted on May 12. While initially stating that they would not pay the ransom, it was reported that Colonial Pipeline eventually paid $4.4 million in ransom, according to The Wall Street Journal, and was able to restart operations soon afterwards.
Governmental Action
In a statement released jointly by the Cybersecurity & Infrastructure Security Agency-Federal Bureau of Intelligence (CISA-FBI) Cybersecurity Advisory, “Groups leveraging DarkSide have recently been targeting organizations across various critical infrastructure (CI) sectors, including manufacturing, legal, insurance, health care and energy.” In 2021, the Internet Crime Complaint Center (IC3) reported a 69% increase in total complaints of criminal cyber activity. Business email compromise (BEC) schemes were the costliest, phishing scams remained at large and reports of ransomware incidents are shown to have risen as well.
The White House released a statement saying that “the FBI recently released a FLASH alert for critical infrastructure owners and operators with indicators of compromise and mitigation measures if infected.” In addition, the White House said, “The administration is working to help private sector companies like Colonial enhance their cybersecurity through the Industrial Control Systems Cybersecurity initiative, a collaborative effort between the Department of Energy (DOE), CISA, and the electricity industry to strengthen cybersecurity standards.”
An Expert Opinion
Damon Small, the technical director of security consulting at NCC Group North America, recently discussed the cyberthreat landscape in the oil and gas industry with BPN.
Significance of the Colonial Pipeline Incident
Small explained that “the reason why we are getting so much attention on this incident is because these sorts of attacks unfortunately have happened often, but they typically impact an organization and maybe its customers — a smaller number of customers.”
Unlike these incidents of cybercrime, the attack on the Colonial Pipeline “impacted the entire Eastern Seaboard of the United States.” Because this incident had economic consequences that were very public, it has helped expose the same vulnerabilities that many other companies in the oil and gas industry face.
Vulnerabilities and Challenges in Oil and Gas
Some of the greatest vulnerabilities the industry faces are similar to what the rest of the business world is dealing with and include “out-of-date software, operating systems that need to be upgraded [and] configuration issues caused by human error,” Small said. Unique to oil and gas are “the highly specialized devices themselves which can be difficult to upgrade,” he said.
“The life span of the equipment is much greater and availability of maintenance windows is much less in the OT (operational technology) setting,” Small continued, which makes it that much harder to protect such information assets.
What Companies Can Do to Mitigate Risk
Small suggests that the very first thing a company should do is to make sure it has backups. In the case of Colonial, while the company paid the ransom, when recovering their data using the decryption tool provided by DarkSide, they found that it updated very slowly. Colonial, instead, restored everything using their own backup. Small also suggests having a broader business continuity plan in place, shoring up vulnerability management programs and using multi-factor authentication.
A low-tech option that Small suggests is running a table-top exercise with a third-party consultancy. This is a thought experiment in which relevant members of an organizations (such as IT, marketing, and legal teams) meet with the consultant who proposes a scenario and helps a company plan their response were a cyberattack to occur.
This exercise can address the specific needs of an individual company and pinpoint vulnerabilities in policies, procedures and team efficacy to help improve cyberthreat preparedness. “Once it happens, we don’t have the benefit of thinking through what you can do,” Small said.
For the long term, Small suggests making cybersecurity a core competency of one’s company and also partnering with a third party, which may be costly, but proves worthwhile compared to the cost of operational downtime and the loss of revenue and reputation that may result from a cyberattack.