
Julie Preiss, May 13, 2021
The Colonial Pipeline Breach
Q&A with Jason Garbis, author of Zero Trust Security: An Enterprise Guide
This past weekend yet another devastating ransomware attack was disclosed, this one by Colonial Pipeline, the nation's largest refined-products pipeline system, which transports an estimated 2.5M barrels of gasoline, diesel and jet fuel daily from Texas to the Eastern Seaboard. As of this writing, Colonial has announced that the pipeline restarted on May 12 at approximately 5 p.m. ET, and it expects the product delivery supply chain to take several days to return to normal.
No one in the cybersecurity industry should be surprised that a major pipeline has been successfully penetrated; it was only a matter of time. In fact, in the book Brittle Power: Energy Strategy for National Security, published in 1982, the authors specifically outlined the vulnerable state of the Colonial Pipeline:
“Should the Colonial Pipeline not operate, replacing its product flow would require the equivalent of more than two hundred World War II T-2 tankers … on a continuous thirteen-day round-trip shuttle between Galveston and New York. This is approximately the whole U.S. coastal tanker capacity, and enough to cause a monumental traffic jam in the ports. And this would substitute for the delivery of refined products by just one major pipeline: it would not even provide a drop of crude oil for the isolated East Coast refineries.”
To help make sense of this latest attack and what it might portend over the long term, we asked Jason Garbis, Appgate’s Sr. Vice President of Products and author of the recently published Zero Trust Security: An Enterprise Guide, to break it down.
I thought critical infrastructure providers such as Colonial had “air-gapped” systems that kept their operational technologies (OT) fully segregated from their IT systems – do we know which systems were impacted by this attack?
Colonial hasn't disclosed too many details about the attack beyond the fact that it was perpetrated by the DarkSide gang. That said, the security for these systems isn't as straightforward as it might appear. While OT systems themselves are typically designed to be air-gapped (e.g., industrial controllers, SCADA systems, etc.), the applications used for monitoring the system for diagnostics, such as flow and leak detection, are often connected to IT networks over wide area networks or across public links that, at best, rely on VPN software to securely connect. And as we have discussed extensively, VPNs are hardly bulletproof.
And because many industrial controllers don’t have a GUI, developers will often use their own PCs to program and update the control systems. While these PCs are typically running virus scanning software, they are never totally secure – especially if the malware in question has not been seen in the wild before. Thus, there are plenty of opportunities for a new or modified piece of ransomware to “jump the gap” or to force organizations to shut down their OT networks due to an IT system infection, which is apparently the case with Colonial.
And that’s what people need to appreciate. Even if a piece of malware doesn't jump the gap and just cripples something like the billing or inventory system, the result is the same: they have to shut down the entire system until they can track what is being pumped through the system.
How is it that despite all the warnings about the many potential vulnerabilities of critical infrastructure systems, this can still happen? Are these companies just not investing enough in their security or does it go deeper than that?
I think there are several different factors at work here. For one, it’s difficult to articulate just how complex these systems have become. You have layers and layers of disparate legacy technologies that have been stitched together over decades. From the pipelines to the controllers that regulate all the various systems to the software used to program it – much of which was written in ancient languages such as COBOL. It’s like one of those giant rubber band balls that becomes so intertwined it’s impossible to unwind. And, many of these industrial control systems are only compatible with older operating systems – they cannot be updated or upgraded.
Of course, the criminal organizations behind these attacks understand this, which is why they are actively targeting these organizations. Cybercriminals recognize that if they can successfully compromise an organization’s networks to cripple operations, they will have an enormous financial incentive to leverage. Therefore, despite guidance by the FBI, companies are sometimes willing to quietly fork over hefty payments to extortionists, as a successful attack will have a devastating impact on upstream and downstream companies, not to mention potentially millions of customers.
There’s also a pervasive yet unspoken sentiment that many of these companies beholden to stockholders seem to abide by: that it can appear to be easier and cheaper to clean up a mess after the fact than it is to continually invest in upfront preparedness. If nothing else, hopefully the scale and impact of these attacks will challenge this calculus. More importantly, security leaders need to explain how a modern security architecture can make the firm more resilient to attacks and increase business agility.
Are totally air-gapped systems even a realistic strategy in today’s hyperconnected world?
The Department of Homeland Security has designated 16 different sectors as being “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” However, that doesn’t mean they are alike. The requirement to air-gap OT systems in a nuclear facility is going to be far more rigid – from a regulatory and an operational perspective – than in other sectors.
So, in industries like oil and gas and energy, you’re going to see exceptions and shortcuts implemented. For instance, they might no longer have the budget to staff a control station on a 24x7 basis and will allow their operators to connect remotely during off-hours. And from there it becomes a very slippery slope. There is a balancing act to be made between regulatory requirements and oversight and the cost and effort required to comply. But as these attacks show, purely profit-driven priorities do not necessarily give us the results we need for these types of critical infrastructure firms.
How could a Zero Trust framework limit the scope and damage of this type of attack?
To be clear, Zero Trust is not a silver-bullet solution. It won’t stop someone from clicking on a malicious phishing link nor will it prevent the locking of data if an adversary reaches the target. However, Zero Trust does make it significantly more difficult to reach the target by strengthening and simplifying access controls, which hardens and segments in a fine-grained manner. And it reduces the “blast radius” of an attack, so having one user’s device bricked by ransomware is no big deal if it can’t spread across the network.
What Zero Trust can deliver is a network that’s highly segmented, based on identity-centric and device-aware access controls. A Zero Trust system will grant users only the minimum access necessary, based on their job role, identity and device context. It can even adapt to the status of the network ... for example by locking down access if it detects an attack is underway. The end result is that IT and OT networks are more secure, while users and systems remain fully productive. And the organization can more easily enforce modern security principles, such as single sign-on and MFA for users and micro-segmentation for servers.
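The answer above describes a policy that decides per request from identity, role, device posture and network status. The following is an added example (not Appgate's code and not from the original post) of a toy Zero Trust policy decision point that makes those checks default-deny and then computes the "blast radius" of a given user-plus-device. The segment names, roles, posture thresholds and the network-status signal are all invented for illustration.

```python
"""Toy Zero Trust policy decision point (PDP).

Added illustration, not Appgate's code. Segments, roles, posture rules and
the threat signal are constructed assumptions, not from any real deployment.
"""
from dataclasses import dataclass
from enum import Enum


class Threat(Enum):
    """Network status fed to the PDP by monitoring (assumed signal)."""
    NORMAL = "normal"
    ELEVATED = "elevated"
    ATTACK = "attack"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in device management
    edr_running: bool        # endpoint agent alive and reporting
    patch_age_days: int      # days since last OS patch

    def posture_ok(self) -> bool:
        # Hypothetical compliance rule: managed, EDR alive, patched within 30 days
        return self.managed and self.edr_running and self.patch_age_days <= 30


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa: bool                # completed a second factor this session


# Constructed segment table: roles entitled to each segment, and whether the
# segment is OT (operational technology) rather than IT.
SEGMENTS = {
    "billing-app":     {"roles": frozenset({"finance", "it-ops"}), "ot": False},
    "scada-hmi":       {"roles": frozenset({"pipeline-operator"}), "ot": True},
    "plc-engineering": {"roles": frozenset({"control-engineer"}), "ot": True},
    "leak-detection":  {"roles": frozenset({"pipeline-operator",
                                            "control-engineer"}), "ot": True},
}

# Roles that keep OT access while the network is locked down (assumption)
LOCKDOWN_ROLES = frozenset({"incident-responder"})


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(subject: Subject, device: Device, resource: str,
           threat: Threat = Threat.NORMAL) -> Decision:
    """Evaluate one access request. Every check is default-deny."""
    seg = SEGMENTS.get(resource)
    if seg is None:
        return Decision(False, f"unknown resource {resource!r}: default deny")
    if not subject.mfa:
        return Decision(False, "MFA required")
    if not device.posture_ok():
        return Decision(False, f"device {device.device_id} fails posture check")
    if not (subject.roles & seg["roles"]):
        return Decision(False, f"{subject.user} has no role entitled to {resource}")
    # Adaptive rules: tighten OT access as network status worsens
    if seg["ot"] and threat is Threat.ATTACK and not (subject.roles & LOCKDOWN_ROLES):
        return Decision(False, "network lockdown: OT limited to responders")
    if seg["ot"] and threat is Threat.ELEVATED and device.patch_age_days > 7:
        return Decision(False, "elevated threat: OT requires device patched within 7 days")
    return Decision(True, "least-privilege grant")


def reachable(subject: Subject, device: Device,
              threat: Threat = Threat.NORMAL) -> set:
    """Blast radius of this user+device: every segment it can currently reach."""
    return {r for r in SEGMENTS if decide(subject, device, r, threat).allow}


if __name__ == "__main__":
    operator = Subject("alice", frozenset({"pipeline-operator"}), mfa=True)
    healthy = Device("eng-ws-01", managed=True, edr_running=True, patch_age_days=3)
    # Constructed scenario: ransomware on this workstation killed the EDR agent
    infected = Device("eng-ws-02", managed=True, edr_running=False, patch_age_days=3)

    print(sorted(reachable(operator, healthy)))                 # leak-detection, scada-hmi
    print(sorted(reachable(operator, infected)))                # [] : contained
    print(sorted(reachable(operator, healthy, Threat.ATTACK)))  # [] : lockdown
    print(decide(operator, healthy, "billing-app").reason)      # no entitled role
```

The point of `reachable` is the blast-radius argument: the same operator identity on a workstation whose posture check fails reaches nothing, so an infection on that machine has no lateral path to the OT segments, and a lockdown signal shrinks everyone's reach to the responder roles without reconfiguring the network.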
How big of a problem is this for the oil and gas industry in general and what might other critical infrastructure businesses take away from this?
First, we must recognize this isn't the first time in recent years that the oil and gas industry has been attacked, and it won't be the last. In February 2020, a ransomware attack from a spearphishing campaign took down a major U.S. natural gas facility. Overall, ransomware is on the rise, increasing 62% since 2019, because unfortunately it's effective. WannaCry and NotPetya made ransomware infamous, and attacks are increasing. The repercussions for victims are significant, including revenue loss, business disruption, reputational damage, the cost of remediation and, of course, additional scrutiny from the federal government. Christopher Krebs, the former top DHS cyber official, said, "To put it simply, we are on the cusp of a global digital pandemic driven by greed," referring to the monetary opportunities many adversarial groups have when deploying ransomware. However, beyond greed from hacker groups, this illuminates a bigger threat when discussing the potential for adversarial nation states to impact critical infrastructure.
On May 12, President Biden signed an Executive Order aimed at improving the nation’s cybersecurity. The modernization strategy calls out the implicit need for a Zero Trust security architecture with some aggressive timelines for implementation. This is a critical step toward standardizing – and dramatically improving – the way governments and enterprises deal with cyberthreats.
The reality is that our world runs on software and we have to re-think what might be a too-narrow definition of “critical infrastructure.” The good news is that Zero Trust is a proven security architecture and every organization can quickly benefit from adopting its principles.
Additional resources:
- Free Copy of Jason's Book: Zero Trust Security: An Enterprise Guide
- e-Book: Zero Trust Network Access: Everything You Need to Know
- Demo: Attend a Weekly Live Demo, Take a Guided Tour or Watch Demo Videos