A ransomware attack on one of America’s biggest oil pipelines, Colonial Pipeline, has led to fuel shortages up and down the East Coast of the US and a national emergency being declared. The incident highlights the vulnerability of the energy industry to such attacks, with the combination of legacy operational technology (OT) and modern digital systems often creating security gaps that attackers can exploit.
Colonial Pipeline shut down its pipeline operations on Friday after discovering it had been infiltrated by hackers from the Darkside ransomware group. The pipeline operator carries 45% of the East Coast’s diesel, petrol and jet fuel, some 2.5 million barrels per day, and the subsequent disruption has had a massive impact on the US economy, resulting in a state of emergency being declared by President Biden on Monday. Work to restore service is continuing.
Darkside has since apologised for the disruption caused, claiming the group’s interests are purely mercenary and it has no interest in involving itself in geopolitics or aiding attacks that could cause human harm, though such a claim seems far-fetched given the nature of its target.
As reported by Tech Monitor, the threat posed by ransomware groups has grown sharply in the past 12 months. In 2020 victims paid ransoms worth $350m in cryptocurrencies, a 311% increase over 2019, according to a ransomware threat report released last month by the Institute for Security and Technology (IST), a non-profit organisation dedicated to combating cyberthreats. It reveals that 2,400 US-based schools, healthcare facilities and government institutions have been attacked in the past year.
Cyberattacks on the energy industry are increasingly common
In the past 18 months there have been two major attacks on critical infrastructure in the US: a ransomware attack on a US natural gas pipeline operator in February 2020, and an attempt to poison the water supply in Florida after a control system was accessed through the remote desktop application TeamViewer. Hackers see utility companies and their systems as low-hanging fruit, says John Vestberg, CEO of cybersecurity company Clavister. “Cyber attackers see these systems as very viable targets because, unfortunately, many of the pieces of infrastructure are quite old.” This means the infrastructure is not equipped to deal with modern cyber threats, he says, and that it can present hackers with opportunities to compromise networks.
This type of legacy infrastructure is increasingly being brought online and connected to modern cloud-based control systems as part of digital transformation programmes, or because staff working remotely due to the Covid-19 pandemic now require access, Vestberg explains. “You have vendors of those [control] systems that start to require equipment to be connected to the cloud because otherwise you won’t get any in-service performance data and you can’t do predictive maintenance,” he says.
Protecting critical infrastructure from cyberattack
Resolving security flaws in this OT is a “transition that will take decades”, Vestberg believes. And while the infrastructure is being updated it remains vulnerable, meaning that more attacks similar to the Colonial Pipeline breach are inevitable and trying to combat them on a case-by-case basis is not sustainable. “Cybersecurity is evolving so fast and it gets so complex, that any single business would have a hard time keeping up with the complexity,” Vestberg says. The magnitude of this challenge has led the IST to convene a ransomware task force made up of leaders from organisations including Microsoft, Palo Alto Networks and the Global Cyber Alliance, which will aim to create a comprehensive framework of solutions and recommendations.
Alongside greater cooperation, companies should put the telemetry their connected systems produce to use, analysing it for any sign of abnormality, says Vestberg. AI systems can be deployed to analyse this data and detect abnormal behaviour. “Then you have a baseline and elevation to that baseline will tell you that there is something fishy going on,” he says.
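The baseline-and-deviation idea Vestberg describes can be shown without any machine learning. The following is an added example, not code from the article, from Clavister or from SCADAdefence: it builds a per-service baseline from a quiet training window of network flow records, then flags an observation window on three signals, a flow count far above the baseline, a source address the baseline never saw talking to the PLC, and a service (here a VNC remote-desktop port) that the baseline never saw at all. The flow format, the hosts, the ports, the multiplier `k` and the `mad_floor` are assumptions made for illustration, and the records are constructed, not captured traffic.

```python
"""Baseline-and-deviation detection over constructed OT flow records (added example)."""
from collections import Counter, defaultdict
from statistics import median


def _constructed_flows():
    """Constructed records in the form 'minute,src,dst,dport,proto'. Not real data."""
    baseline = []
    for m in range(8):  # eight quiet minutes: an HMI polls the PLC, a workstation checks in once
        minute = f"2021-05-07T03:0{m}"
        baseline += [f"{minute},10.10.1.5,10.10.2.20,502,modbus"] * 3
        baseline += [f"{minute},10.10.1.9,10.10.2.20,502,modbus"]
    observed = [f"2021-05-07T03:08,10.10.1.5,10.10.2.20,502,modbus"] * 3
    observed += [f"2021-05-07T03:08,10.10.1.9,10.10.2.20,502,modbus"]
    # Burst of Modbus traffic from an address never seen on this segment (hypothetical attacker).
    observed += [f"2021-05-07T03:08,172.16.9.9,10.10.2.20,502,modbus"] * 20
    # A remote-desktop service (VNC) on the PLC that the baseline never saw.
    observed += [f"2021-05-07T03:08,172.16.9.9,10.10.2.20,5900,vnc"] * 2
    # A normal minute afterwards, which must not raise an alert.
    observed += [f"2021-05-07T03:09,10.10.1.5,10.10.2.20,502,modbus"] * 3
    observed += [f"2021-05-07T03:09,10.10.1.9,10.10.2.20,502,modbus"]
    return baseline, observed


def parse_flow(line):
    """Split one record into its fields; the first field is already the minute bucket."""
    minute, src, dst, dport, proto = line.strip().split(",")
    return {"minute": minute, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def build_baseline(flows):
    """Per (dst, dport): median and MAD of per-minute flow counts, plus every source seen."""
    per_minute = defaultdict(Counter)
    sources = defaultdict(set)
    for f in flows:
        key = (f["dst"], f["dport"])
        per_minute[key][f["minute"]] += 1
        sources[key].add(f["src"])
    baseline = {}
    for key, counts in per_minute.items():
        vals = list(counts.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals)  # robust spread; 0 for a perfectly regular baseline
        baseline[key] = {"median": med, "mad": mad, "sources": sources[key]}
    return baseline


def detect(flows, baseline, k=5.0, mad_floor=1.0):
    """Return alerts for volume above median + k*max(MAD, floor), unseen sources and unseen services."""
    per_minute = defaultdict(Counter)
    unseen = defaultdict(set)
    for f in flows:
        key = (f["dst"], f["dport"])
        per_minute[key][f["minute"]] += 1
        known = baseline.get(key)
        if known is None or f["src"] not in known["sources"]:
            unseen[key].add(f["src"])
    alerts = []
    for key, counts in per_minute.items():
        known = baseline.get(key)
        if known is None:
            alerts.append(("unknown_service", key, sorted(unseen[key])))
            continue
        # mad_floor stops a MAD of 0 (regular traffic) from turning any +1 flow into an alert.
        threshold = known["median"] + k * max(known["mad"], mad_floor)
        for minute, n in sorted(counts.items()):
            if n > threshold:
                alerts.append(("volume", key, minute, n, threshold))
        if unseen[key]:
            alerts.append(("new_source", key, sorted(unseen[key])))
    return alerts


def run_example():
    """Train on the quiet window, then score the observed window."""
    base_lines, obs_lines = _constructed_flows()
    baseline = build_baseline(parse_flow(line) for line in base_lines)
    return detect([parse_flow(line) for line in obs_lines], baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two design points matter in practice. A clean OT baseline is often perfectly regular, so its MAD is zero; without the floor, one extra poll would page someone, which is how anomaly alerts get ignored. And the "new source" and "unknown service" checks are deliberately not statistical: on a segment where the set of peers should never change, a previously unseen address or an unexpected remote-desktop port is worth an alert on its first packet, before any volume threshold is reached.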
Understanding these new attack vectors is the key to securing OT infrastructure, says Elad Ben Meir, CEO of OT security company SCADAdefence: “It’s very clear that OT-IT convergence is a real danger to people’s lives,” he says. “This is due to many security concerns, including connecting OT networks to the internet which were not designed to be connected or are insecure by default,” Meir explains. “Far more than just paying a ransom to some organised criminal group, knowing the attack surface and actively monitoring all the attack vectors into these very sensitive environments is key to reducing these risks.”