On May 7, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cyberattack, and its operators were forced to shut down their systems. The pipeline carries 2.5 million barrels of refined gasoline and jet fuel each day up the US East Coast from Texas to New York, covering 45 percent of the East Coast’s fuel supplies.
“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” reads the statement published by the FBI.
The Colonial Pipeline attack caused limited disruptions because of reduced energy demand due to the ongoing pandemic, for this reason the effect on fuel prices has been small. In the aftermath of the hack, FBI and DHS’s CISA published a joint alert to warn of ransomware attacks conducted by the Darkside group.
Darkside, the ransomware gang responsible for the attack, first emerged in the threat landscape in August 2020, and was highly active in recent months, targeting organizations worldwide. According to the report, affiliates of the ransomware-as-a-service group initially gained access to the victim's network to encrypt files on internal systems and exfiltrate data, then threaten to expose the data if Colonial Pipeline refused to pay the ransom.
The response by the US authorities
The Colonial Pipeline attack had a significant impact on the cybersecurity and critical infrastructure industries. It also affected multiple ransomware gangs, who, fearing direct repercussions from the FBI, temporarily suspended their operations.
The attack triggered an immediate response of federal authorities as well as government agencies, who promoted initiatives aimed at preventing similar incidents in the future.
Immediately after the attack on Colonial Pipeline, Darkside pointed out that it was financially motivated and that there was no political motivation behind the intrusion.
“Our goal is to make money, and not create problems for society,”reads the statement from the Darkside.
The attacks against critical infrastructure also led US President Joe Biden to sign an executive order to improve the country’s defences against cyberattacks.
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors,” reads the 34-page document.
The document aims at enhancing the level of cybersecurity defences and increasing the resilience of the federal government’s infrastructure against cyberattacks. It proposes a standardized playbook for responding to cybersecurity vulnerabilities and incidents, and urges public and private stakeholders and IT (information technology) and OT (operational technology) service providers to share information related to threats, threat actors and incidents.
How to protect critical infrastructure?
The executive order requests to federal agencies to implement Zero-Trust Architecture and multi-factor authentication, as well as adopt encryption for data at rest and in transit.
The order also focuses on the risks associated with supply-chain attacks that could be mitigated by developing guidelines, using tools, and adopting best practices to audit critical software components. The White House has also released a fact sheet related to the executive order that provides a summary of its content.
At the time of writing, the US Department of Homeland Security (DHS) has announced new cybersecurity requirements for owners and operators of critical pipelines.
The US authorities stress the importance to report any confirmed and potential cyber-related incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas.
“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security,” reads the announcement published by the DHS.
Critical infrastructure owners and operators are now obliged to review their current practices, identify cyber-related risks, and implement remediation measures. DHS also required them to report the results to Transportation Security Administration (TSA) and CISA within 30 days.
The events described and the response of the US authorities demonstrate that critical infrastructure operators have to change their approach to cybersecurity. They need a holistic approach that is based on cyber threat intelligence, information sharing and the implementation of new regulations aimed at increasing the security of critical infrastructure.