On Thursday, May 6, Colonial Pipeline, which operates a pipeline carrying gasoline, diesel and jet fuel that supplies nearly 45 percent of the fuel consumed on the U.S. East Coast, fell victim to a ransomware attack. The attackers took over 100 gigabytes of data hostage, and the company responded by halting all pipeline operations and shutting down several of its systems. The attackers, identified as a criminal gang known as DarkSide, threatened to leak proprietary information unless a ransom was paid.
Not especially sophisticated, this attack looks like a run-of-the-mill ransomware incident of the kind we have seen for years, except that, instead of shutting down a school, a police department, or a small business, it shut down a large share of fuel delivery on the East Coast. What this highlights is that commonplace vulnerabilities and attack tools and techniques can have devastating consequences depending on the target. Critical infrastructure clearly needs to be hardened far beyond the level of a small business, but this incident shows that it often is not.
The attack comes just months after the SolarWinds and Microsoft breaches, which brought about a proposed executive order by President Joseph Biden to strengthen cybersecurity for federal agencies and contractors. According to The New York Times, which obtained a preliminary draft of the order, “It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government.”
But many are now wondering if the executive order is enough. Top executives from firms like Amazon, Microsoft, and Cisco are calling for an international coalition to combat ransomware. As The New York Times states, “Among the recommendations in the report by the coalition of companies is to press ransomware safe havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions. It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and ‘know thy customer’ laws.”
Would that deter cybercriminals? And what about preventing these attacks from succeeding in the first place? One big problem with prevention is that we typically do not learn how the attackers got in, and at the time of writing that includes the pipeline attack. Most ransomware intrusions begin with phishing, but they can also begin with a different weakness, such as an unpatched software vulnerability. One noteworthy detail of the Colonial Pipeline attack is that the intrusion hit the company's IT (business) systems, yet Colonial shut down its OT (pipeline control) systems as a precaution. That decision implies the company was not confident the two networks were sufficiently isolated. In the future that isolation needs to be rock solid, like the watertight compartments in a submarine: a compromise of IT should be contained by the bulkhead, with only explicitly allowed, monitored traffic crossing into OT, so that shutting down the pipeline is never the only safe option.
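As an added example (not from the original post, and not Colonial Pipeline's own configuration or data), the script below shows what "verifying the bulkhead" can look like in practice: it audits NetFlow-style connection records against an IT / DMZ / OT allow-list and reports every cross-zone flow that the policy does not permit. The address ranges, the jump host, the port numbers and the flow lines are all constructed for illustration.

```python
"""Added example: audit IT/OT flow records against a segmentation policy.

Every network, host, port and flow record here is constructed for the
example; none of it describes any real operator's environment.
  - IT business network        : 10.10.0.0/16
  - OT DMZ (jump host, relays) : 10.20.0.0/24
  - OT control network         : 10.30.0.0/16
Policy: nothing in IT may talk to OT directly; only the DMZ jump host
10.20.0.5 may open SSH/RDP into OT; only the OT historian 10.30.1.10 may
push TCP/5432 out to the DMZ; IT may reach the DMZ on TCP/443.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("10.30.0.0/16"),
}

# Allow-list of cross-zone flows:
# (src_zone, dst_zone, proto, dport, required_src_host, required_dst_host)
# A None host means "any host in that zone". There is deliberately no
# IT -> OT entry: direct IT-to-OT traffic is always a violation.
ALLOWED = [
    ("DMZ", "OT", "tcp", 22, "10.20.0.5", None),
    ("DMZ", "OT", "tcp", 3389, "10.20.0.5", None),
    ("OT", "DMZ", "tcp", 5432, "10.30.1.10", None),
    ("IT", "DMZ", "tcp", 443, None, None),
]


@dataclass(frozen=True)
class Violation:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name; anything outside the three
    defined networks is UNKNOWN and therefore never allow-listed."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "UNKNOWN"


def is_allowed(src: str, dst: str, proto: str, dport: int):
    """Return (allowed, reason). Intra-zone traffic is out of scope for
    the bulkhead check; cross-zone traffic must match an ALLOWED entry,
    including the source-host pin where one is set."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz and sz != "UNKNOWN":
        return True, "intra-zone"
    for asz, adz, aproto, adport, src_host, dst_host in ALLOWED:
        if (sz, dz, proto, dport) != (asz, adz, aproto, adport):
            continue
        if src_host is not None and src_host != src:
            continue
        if dst_host is not None and dst_host != dst:
            continue
        return True, "allow-listed"
    return False, f"{sz}->{dz} {proto}/{dport} not in allow-list"


def audit_flows(csv_text: str) -> list:
    """Parse CSV flow records (ts,src,dst,proto,dport) and return the
    flows that cross a zone boundary without an allow-list match."""
    violations = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dport = int(row["dport"])
        ok, reason = is_allowed(row["src"], row["dst"], row["proto"], dport)
        if not ok:
            violations.append(
                Violation(row["ts"], row["src"], row["dst"], row["proto"], dport, reason)
            )
    return violations


# Constructed sample flows: a workstation in IT reaches the DMZ (fine),
# then tries SMB and Modbus/TCP straight into OT (both violations), and a
# second DMZ host that is not the pinned jump host tries SSH into OT.
SAMPLE_FLOWS = """ts,src,dst,proto,dport
2021-05-06T03:12:01Z,10.10.4.21,10.20.0.5,tcp,443
2021-05-06T03:12:07Z,10.20.0.5,10.30.2.40,tcp,22
2021-05-06T03:13:15Z,10.10.4.21,10.30.2.40,tcp,445
2021-05-06T03:13:40Z,10.10.4.21,10.30.2.40,tcp,502
2021-05-06T03:14:02Z,10.30.1.10,10.20.0.9,tcp,5432
2021-05-06T03:14:30Z,10.20.0.7,10.30.2.40,tcp,22
"""

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v.ts} {v.src} -> {v.dst} {v.proto}/{v.dport}: {v.reason}")
```

Run against real NetFlow or firewall logs, the same check answers the question Colonial's operators apparently could not answer quickly: is anything in IT actually talking to OT? The allow-list pins the jump host by address as well as by zone, so a lateral move to a different DMZ machine still shows up as a violation rather than slipping through on the strength of being "in the DMZ".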
That is why I support the idea of an NTSB-like organization for cyber, which is what the government is intending with its upcoming executive order. If a criminal group can shut down 45 percent of the East Coast fuel supply, we need to know what went wrong. Can you imagine if we never found out why an airplane crashed, or why a particular model of car kept malfunctioning? Just as safety in the travel industry is dependent on information sharing and thorough investigating, it’s becoming clear that, in our increasingly digital world, the same can be said for safety in cyberspace.