Why the Colonial Pipeline Attack Should Be a Wake-Up Call to Small Businesses
Securing a business or organization against IT threats is a continuous challenge: security teams have to monitor their infrastructure for incidents, identify and contain threats quickly, and find and remediate emerging vulnerabilities. Despite the rising threat of cybercrime, many businesses still do not prioritize cybersecurity. The recent Colonial Pipeline cyberattack is the latest example of what happens when an organization fails to safeguard its IT infrastructure, and the company's experience illustrates both the steps you must take and the mistakes you must avoid to protect your business.
The Colonial Pipeline Cyberattack
The Colonial Pipeline carries refined fuels (gasoline, diesel and jet fuel) from Houston, Texas through the Southeast to the New York harbor area, supplying roughly 45 percent of the East Coast's fuel. On Friday, May 7, 2021, it was hit by a ransomware attack attributed to DarkSide, a Russia-based cybercrime group. The attackers encrypted systems on Colonial's corporate IT network, not on the operational technology (OT) network that physically controls the pipeline. Because the company could not be sure the intrusion would stay out of OT, and because its business systems, including billing, were affected, it halted all pipeline operations as a precaution.
News outlets subsequently reported that DarkSide had also stolen about 100 GB of data from the company. The demand was 75 bitcoin (about $4.4 million at the time): pay, or the encrypted systems stay encrypted and the stolen data is published on the Internet. Colonial paid within hours of discovering the attack and received a decryption tool so slow that the company also restored systems from its own backups. Pipeline operations restarted on the evening of Wednesday, May 12, with intermittent supply disruptions expected for several days afterward as the system refilled.
The incident was widely described as the largest known cyberattack on U.S. critical infrastructure. Six days of downtime did real damage: the U.S. Department of Transportation issued a regional emergency declaration on May 9 to relax trucking rules for fuel deliveries, governors of affected states declared states of emergency, American Airlines had to alter a handful of flights, and panic buying emptied filling stations across several Southeastern states, Florida included, compounding the shortage and driving up fuel prices.
IT security professionals will tell you it is not a matter of if you get hit by a cyberattack, but when. The joint CISA/FBI advisory on DarkSide ransomware (AA21-131A, issued May 11, 2021), the company's own disclosures and later public testimony, and the reporting that followed provide enough insight into how this happened to help you mitigate the risk of suffering the outcome Colonial Pipeline endured.
How The Attack Occurred
Colonial has said that the attackers got in through a legacy virtual private network (VPN) account that was no longer supposed to be in use but was still enabled and did not require multi-factor authentication. According to Mandiant, the incident response firm Colonial hired, the account's password had surfaced in a batch of leaked credentials, possibly because it had been reused on another service. A widely repeated alternative account, in which the attack began with a spearphishing link and the malware spread from IT into OT because the two networks were not segmented, does not describe Colonial at all: it comes from CISA's February 2020 alert AA20-049A about a ransomware attack on a different operator's natural gas compression facility. After the attack, the Associated Press published a story about an IT security audit of Colonial Pipeline that had taken place three years earlier. The auditor, iMERGE, found significant weaknesses, including the lack of a dedicated cybersecurity manager, of employee cybersecurity awareness training, and of a data loss prevention program.
While Colonial Pipeline, responding to the story, said it had made significant improvements since the audit, the extent of those improvements is not clear. What is clear is that a few weeks before the attack the company had posted a job listing for a cybersecurity manager that it had not yet filled. The 2020 CISA alert is still worth reading alongside the Colonial incident, because its other findings about that compression facility describe failures common to organizations of every size: an emergency response plan with no procedures for cyber incidents, which slowed response time and decision-making once the attack became evident, and self-reported gaps in knowledge about planning for and responding to cyberattacks.
Colonial Pipeline paid roughly $4.4 million to DarkSide (the U.S. Department of Justice announced in June that it had recovered about $2.3 million of it by seizing 63.7 bitcoin) and lost considerable revenue during the shutdown. Given the vital role the pipeline plays in the nation's infrastructure, the long-term revenue impact of the incident and the resulting reputational damage remains to be seen. The company will almost certainly face increased regulatory scrutiny, with potentially costly mandates ahead. Already, the head of the Federal Energy Regulatory Commission, Richard Glick, and politicians such as Florida's own Senator Marco Rubio have called for mandatory cybersecurity standards for oil pipelines, which so far have been subject only to voluntary guidelines from the Transportation Security Administration. Further, the industry already faced stagnating growth, even before the Biden administration's call for alternative energy use, and this incident may hurt any expansion efforts the company or its industry peers were planning.
Takeaways For Businesses Across Industries
No business owner or manager should believe that cybercriminals won't target their business because of its size. In a recent Fox and Friends interview, Rubio noted, "there are plenty of businesses out there who get hit with these ransomware attacks and never report it." The FBI's 2020 Internet Crime Report bears this out: complaints to its Internet Crime Complaint Center (IC3) rose 69 percent over 2019, to 791,790. Phishing and its variants were the largest single category, at roughly 30 percent of complaints. The 19,369 reported business email compromise scams cost firms of all sizes, as well as individuals, about $1.8 billion. That figure is separate from the 2,474 reported ransomware incidents, whose $29.1 million in reported losses the FBI itself notes excludes lost business, downtime, remediation costs, and incidents reported directly to field offices rather than to IC3, so the true cost is far higher.
In other words, your business, regardless of size or industry, could easily be targeted by an individual or a cybercrime gang. It is imperative that you prioritize your cybersecurity now, if you do not already, by taking the following steps:
Segment and Secure Your Networks
Whether you operate a pipeline or not, strong security measures across your networks limit what an intruder can reach. Colonial shut down a 5,500-mile pipeline not because the ransomware had reached its control systems but because it could not be confident that the IT compromise would stay out of them. The natural gas facility in CISA's 2020 alert shows the alternative: a spearphishing link opened on the communications network let the malware spread into OT because the two were not compartmentalized.
Segment and secure key operational systems from your communications network so that a breach of the latter does not become a breach of the former, and so that you can prove it quickly enough to keep operating. Make the boundary default-deny, with a short list of sanctioned paths (a hardened jump host for engineers, a one-way feed from OT to a replica historian in a DMZ) and nothing else.
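One way to check whether a boundary actually enforces that policy is to evaluate the firewall rule set against the flows a ransomware-infected office PC would attempt. The script below is an added example and is not code from the original article or from Colonial Pipeline; the address plan, the jump host, the port numbers and the two rule sets are constructed for illustration. It applies first-match evaluation with an implicit final deny (the behaviour of most firewalls) and reports any flow into the OT range that the rules allow but the segmentation policy does not sanction.

```python
"""Segmentation check: evaluate a firewall rule set against representative
IT-to-OT flows and report which ones the rules would let through.

Added example, not code from the original article or from Colonial Pipeline.
Zones, addresses, ports and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not a real network).
IT_NET = ip_network("10.1.0.0/16")     # office workstations, email, ERP
DMZ_NET = ip_network("10.2.0.0/24")    # industrial DMZ between IT and OT
OT_NET = ip_network("10.3.0.0/16")     # PLCs, HMIs, engineering workstations
JUMP_HOST = ip_address("10.2.0.10")    # the one sanctioned path into OT
HISTORIAN = ip_address("10.2.0.20")    # replica historian OT pushes data to

# Flows the segmentation policy deliberately permits INTO OT:
# (source host, destination network, protocol, destination port)
SANCTIONED = [
    (JUMP_HOST, OT_NET, "tcp", 3389),  # RDP from the hardened jump host only
    (JUMP_HOST, OT_NET, "tcp", 22),    # SSH from the jump host only
]


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR
    dst: str                # CIDR
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port

    def matches(self, src, dst, proto: str, dport: int) -> bool:
        return (src in ip_network(self.src) and dst in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src, dst, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit final deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


def is_sanctioned(src, dst, proto: str, dport: int) -> bool:
    return any(src == s and dst in net and proto == p and dport == port
               for s, net, p, port in SANCTIONED)


def crossing_violations(rules: List[Rule], flows) -> List[Tuple[str, str, str, int]]:
    """Flows that enter OT, are allowed by the rules, but are not sanctioned by policy."""
    bad = []
    for src, dst, proto, dport in flows:
        if (dst in OT_NET and evaluate(rules, src, dst, proto, dport) == "allow"
                and not is_sanctioned(src, dst, proto, dport)):
            bad.append((str(src), str(dst), proto, dport))
    return bad


# Constructed probe flows: what an infected office PC (and the jump host) would try.
WORKSTATION = ip_address("10.1.42.17")
PLC = ip_address("10.3.10.5")
ENG_WS = ip_address("10.3.20.8")
PROBES = [
    (WORKSTATION, PLC, "tcp", 502),      # Modbus/TCP straight to a PLC
    (WORKSTATION, ENG_WS, "tcp", 445),   # SMB to an engineering workstation
    (WORKSTATION, ENG_WS, "tcp", 3389),  # RDP from an office PC
    (JUMP_HOST, ENG_WS, "tcp", 3389),    # RDP via the jump host (sanctioned)
]

# A flat network: one permissive rule, the kind a "temporary" fix leaves behind.
FLAT_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "any", None)]

# A segmented boundary: explicit allows, everything else hits the implicit deny.
SEGMENTED_RULES = [
    Rule("allow", f"{JUMP_HOST}/32", str(OT_NET), "tcp", 3389),
    Rule("allow", f"{JUMP_HOST}/32", str(OT_NET), "tcp", 22),
    Rule("allow", str(OT_NET), f"{HISTORIAN}/32", "tcp", 1433),  # OT -> DMZ historian, one way
    Rule("deny", str(IT_NET), str(OT_NET), "any", None),          # explicit, for the audit trail
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, crossing_violations(rules, PROBES))
```

Run stand-alone, the flat rule set reports three unsanctioned paths into OT and the segmented one reports none while still permitting the jump-host RDP session. Extending PROBES with your own address plan turns this into a regression test you can run whenever a firewall rule changes.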
Develop Cybersecurity Disaster and Business Continuity Plans
Too often, businesses remain mired in the outdated perspective that disasters are only physical. The operator in CISA's 2020 alert had planned for a range of physical emergencies but not for cyberattacks, and lost critical time working out and then coordinating the appropriate response. Colonial, for its part, had to decide whether to shut down the entire pipeline within roughly an hour of learning of the attack, with incomplete knowledge of how far the intruders had reached.
Make sure your firm's emergency preparedness plan includes response protocols for the full range of cybersecurity incidents: who decides whether to isolate or shut down systems, what evidence to preserve, how and when to involve law enforcement and insurers, and how you restore operations from tested backups as quickly as possible.
Conduct Employee Cybersecurity Awareness Training
Colonial has said the attackers used a compromised password for a legacy VPN account, a password that had already appeared in a leaked batch of credentials, and phishing remained the most reported crime type in the FBI's 2020 figures. Colonial told the Associated Press that it had implemented cybersecurity awareness training after the iMERGE audit; training that does not also cover password reuse and remote-access habits leaves the door the attackers actually used unattended.
Conduct regular cybersecurity awareness training with your employees, and keep it current with new and emerging threats. Pair it with controls that do not depend on anyone getting it right every time: multi-factor authentication on every remote-access path, and prompt removal of accounts that are no longer needed. This is especially critical given the pandemic-induced shift to remote work. Remote work keeps businesses operating through the public health crisis, but every VPN account and home network is another way in for cybercriminals.
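The remote-access conditions described above (an account with no MFA, an account that has gone dormant, an account nobody remembers creating) are cheap to detect from VPN authentication logs if you cross-check them against your account directory. The script below is an added example, not code from the original article or from Colonial Pipeline; the log line format is invented for the example rather than taken from any vendor, and the account directory and every log entry are constructed.

```python
"""Detection over VPN authentication logs: flag successful logins that deserve
a look, using three conditions behind the Colonial intrusion vector: an
account with no MFA enrolled, an account that had gone dormant, or an account
the directory does not know about.

Added example, not code from the original article or from Colonial Pipeline.
The log format, the account directory and every entry are constructed.
"""
from datetime import datetime, timedelta
import re
from typing import Dict, List, Optional, Tuple

# Constructed account directory (assumption: exported from identity management):
# whether MFA is enrolled and the last successful login before this log window.
ACCOUNTS: Dict[str, dict] = {
    "jsmith":            {"mfa": True,  "last_seen": "2021-04-28"},
    "mlee":              {"mfa": False, "last_seen": "2021-04-27"},
    "contractor-legacy": {"mfa": False, "last_seen": "2020-11-02"},  # never decommissioned
}
DORMANT_AFTER = timedelta(days=90)

# Constructed log format: "<ISO timestamp>Z vpn auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log covering 29-30 April; the last line is deliberate noise.
SAMPLE_LOG = """\
2021-04-29T08:12:03Z vpn auth success user=jsmith src=203.0.113.5
2021-04-29T21:47:11Z vpn auth failure user=contractor-legacy src=198.51.100.77
2021-04-29T21:47:40Z vpn auth success user=contractor-legacy src=198.51.100.77
2021-04-30T06:02:19Z vpn auth success user=contractor-legacy src=198.51.100.77
2021-04-30T09:05:52Z vpn auth success user=mlee src=203.0.113.9
2021-04-30T09:06:10Z vpn auth success user=unknownacct src=198.51.100.80
this line is not an auth event and is skipped
"""

Finding = Tuple[str, str, str, List[str]]   # (timestamp, user, source ip, reasons)


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def findings(log_text: str, accounts: Dict[str, dict] = ACCOUNTS) -> List[Finding]:
    """Return one finding per suspicious successful login, in log order.

    last_login is updated while scanning so that a second login by a formerly
    dormant account inside the window is not reported as dormant again; only
    the first login after the gap carries that reason.
    """
    last_login = {u: datetime.strptime(a["last_seen"], "%Y-%m-%d")
                  for u, a in accounts.items()}
    out: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue          # failures are worth counting too, but not here
        user, reasons = ev["user"], []
        acct = accounts.get(user)
        if acct is None:
            reasons.append("account not in directory")
        else:
            if not acct["mfa"]:
                reasons.append("no MFA enrolled")
            gap = ev["ts"] - last_login[user]
            if gap > DORMANT_AFTER:
                reasons.append(f"dormant for {gap.days} days")
            last_login[user] = ev["ts"]
        if reasons:
            out.append((ev["ts"].isoformat(), user, ev["src"], reasons))
    return out


if __name__ == "__main__":
    for ts, user, src, reasons in findings(SAMPLE_LOG):
        print(ts, user, src, "; ".join(reasons))
```

On the constructed log this yields four findings: the legacy contractor account twice (the first login is both MFA-less and dormant for 178 days, the second only MFA-less), an active user without MFA, and a login by an account the directory has never heard of. The practical response to the first and last is the same one Colonial needed: disable the account, not just train the user.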
If you want to safeguard your firm but either don’t know where to begin or don’t have the in-house expertise to get started, Palindrome Consulting can help. Moving to our managed IT services can help you safeguard your IT assets and your business. We stay on top of cybersecurity threats so that you don’t have to. Not only will you save time and money, but we’ll work tirelessly to keep your data secure, identify and address any and all attempted attacks, and help you minimize your business risk. Contact us today for a free consultation.