In the infosecurity world, this was the 5 a.m. phone call that many feared, but few were prepared to handle.
In the early hours of May 7, 2021, a Colonial Pipeline worker discovered a ransom note inside the company’s IT systems. Threat actors linked to the DarkSide ransomware organization had gained access to an outdated VPN account.
The compromise, leveraged to encrypt data on the company’s systems, left Colonial’s massive operational technology (OT) network, including a 5,500 mile pipeline, at risk of remote takeover.
For days, millions of Americans on the East Coast, from small business owners to commercial truckers, faced lines at the gas pump not seen in the U.S. since the '70s. Gas prices shot up, consumers began to hoard dwindling supplies and numerous fuel stations shuttered as Colonial, the largest U.S. refined oil supplier, held secret negotiations to regain access to its computer systems.
“Colonial Pipeline is the most consequential cyberattack on U.S. energy infrastructure to date,” said Mark Plemmons, senior director of threat intelligence at Dragos.
The impact of the attack went well beyond the cybersecurity community, and garnered the attention of the general public and corporate boardroom officials, according to Plemmons. The attack helped lead to a greater focus on security involving industrial control systems (ICS) and operational technology at all levels.
Private industry and government agencies alike have placed an increased focus on ICS security, prioritizing sector resilience and sharing intelligence, in an effort to prepare government officials and infrastructure providers for when the next major cyberattack hits.
"Colonial Pipeline was a galvanizing event for the country," Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, said during a virtual forum on May 5 sponsored by the Advanced Technology Academic Research Center (ATARC). “Raising awareness about the potential threats and risks for cyberattack. It’s not just ones and zeros inside of computers. These attacks could have real implications for our way of life.”
What flowed from the Colonial Pipeline attack is the realization in Congress and the critical infrastructure community that cyberattacks must be taken more seriously. Cybersecurity risk is no longer just a problem to be addressed inside network operations centers or CISO offices, Wales said.
Critical infrastructure providers in the U.S. are facing a series of evolving threats on a never-before-seen scale. Since the launch of the Ukraine war in February, advanced persistent threat actors have developed custom malware designed to sabotage or even destroy critical infrastructure facilities. Criminal ransomware gangs too have proven on multiple occasions they can hold major manufacturing companies and essential services hostage using double extortion techniques and targeted attacks.
This, coupled with the pivot to the remote operations of the nation's critical infrastructure — a change made amid the onset of COVID-19 — has increased dependence on automation and artificial intelligence. It adds new, digital access points to critical systems.
“Many operating technologies – things like pumps and pipelines and turbines – that used to be analog or isolated, are now digitized and networked with IT systems,” said Leo Simonovich, VP and global head of industrial cyber at Siemens Energy.
Digital devices enable remote operations, as well as greater efficiencies and lower emissions, according to Simonovich. However, digitalization exposes a lot more infrastructure to cyberattacks.
Siemens conducted a study with the Ponemon Institute in October 2019, months before the international COVID-19 outbreak, showing utility companies were increasingly vulnerable to cyberattack. The global survey of 1,726 utility professionals responsible for OT cybersecurity showed 54% of them expected an attack within a 12-month period.
More than half reported a shutdown or operational data loss each year.
Energy is one 16 critical infrastructure sectors the U.S. government is working to secure, each a mission-critical facet of daily life that, if disrupted, could wreak havoc. The Department of Energy (DOE) has a partnership program with energy manufacturers called Cyber Testing for Resilient Industrial Control Systems to identify and triage software and hardware vulnerabilities.
Officials in the energy industry have been concerned about the growing threats to pipelines and other oil and gas infrastructure, particularly due to the threat environment stemming from Russia's invasion of Ukraine.
“Cybersecurity is a top priority of the natural gas and oil industry and we are committed to the safe operations of our nation’s critical infrastructure - like pipelines,” said Suzanne Lemieux, director of operations security and emergency response policy at the American Petroleum Institute.
The organization has been working closely with federal partner agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, National Security Agency, and DOE, to ensure member companies are protected from malicious cyber activity.
Pipeline security has been a lingering concern for several years, but it was not adequately addressed by existing government oversight. A 2019 threat assessment from the Office of the Director of National Intelligence identified China as having the ability to disrupt natural gas pipelines for up to several weeks. A 2021 CISA and the FBI advisory cited a Chinese spearphishing and intrusion campaign from 2011-2013, resulting in 13 confirmed compromises against natural gas operators.
The Transportation Security Administration issued a directive in May 2021 ordering pipeline operators to report any potential cyberattacks to CISA and have an onsite cybersecurity coordinator available. A second directive in July 2021 called for pipeline operators to mitigate vulnerabilities and boost resilience as well as develop contingency plans.
Some administration proposals, including TSA pipeline cyber directives, have received significant pushback from key industry officials and congressional figures as overly burdensome.
“The federal government’s issuance of security directives problematically redirected cyber resources away from security and towards compliance,” Kimberly Denbow, managing director, Security and Operations Cybersecurity Action Plan at the American Gas Association, said via email. “They offered minimal opportunity for operator engagement, have overly prescriptive requirements on pipeline systems that are expansively diverse, and have compliance based entirely on [an] arbitrary timeline.”
Earlier this month, the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) announced plans to levy up to $1 million in penalties against Colonial Pipeline related to multiple control room violations.
PHMSA officials told Cybersecurity Dive the violations listed for Colonial Pipeline were “not exclusive to one operator.” And while the agency continues to respond to noncompliance issues it also “conducts outreach to increase awareness and help the pipeline industry prepare for and safely respond to any future cyberattacks,” the agency said in an email.
Colonial Pipeline has taken steps to reform its internal procedures in the wake of the attack. The company hired Adam Tice, a veteran cybersecurity leader as its first-ever CISO. It has also been working to fill its internal cybersecurity staff with additional hires.
The company said it is working closely with government and industry partners to share lessons learned and to collaborate against future threats.
“This attack on our nation’s critical infrastructure was felt far and wide and served as a reminder to all that cyber threats are real and we must continue to rigorously protect our critical infrastructure,” a Colonial spokesperson said.
Despite potential fines, government officials have largely praised Colonial for working with law enforcement and other agencies to help recover more than half the $4.4 million ransom payment from the DarkSide ransomware organization.
FBI Director Christopher Wray, during a speech before the Detroit Economic Club, cited Colonial’s outreach during the DarkSide attack for helping it recover the bitcoin funding through a court-approved clawback operation.
Colonial immediately called the FBI’s Atlanta field office, according to Wray, and the Atlanta office knew the FBI had a six month investigation underway against DarkSide already.
“Within hours of their initial report, we were pushing Colonial relevant technical information, along with remediation tactics, techniques and procedures,” he said.
The FBI worked with CISA and the DOE to bring their resources into the equation, while the FBI’s San Francisco office identified a compromised VPN account as the intrusion vector, Wray recalled.
“Because Colonial reached out so quickly, we were also able to identify and seize the virtual currency wallet belonging to the hackers,” Wray said, according to a transcript of his prepared remarks.