Colonial Pipeline, the fuel pipeline operator that supplies 45% of the East Coast’s supply of diesel, gasoline, and jet fuel, was taken offline after it was impacted by a ransomware attack. This form of cyberattack, where a system is locked until the owner/operator agrees to pay the hacker(s) a ransom, has been on the rise in recent years, and a number of municipalities including Baltimore and Atlanta have fallen victim.
The problem had become so serious that in July 2019, the United States Conference of Mayors agreed to “stand united” against paying any ransom should their respective systems be targeted. The rationale was that by not paying, they could lessen the likelihood of such attacks on other cities.
However, Colonial Pipeline’s executives opted to go another route and paid the alleged Russian hackers nearly $5 million. Experts have warned that this was the wrong course of action, yet even if the company had not paid, the attacks likely would have continued anyway.
“Ransomware attacks will continue for the simple reason that market conditions favor them,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.
“The risk of exposure is very low – digital thieves aren’t often caught much less prosecuted – and the cost of attempting an attack is even lower,” Purtilo told ClearanceJobs. “At the same time, the expected value is high. It is like buying million dollar lottery tickets for pennies; you don’t care that most of them don’t hit since any one that pays out is pure profit.”
Understanding Ransomware
As the name suggests, the practice involves gaining access to a system and/or network and then taking control of it. This can happen to an individual by accessing the wrong website or by opening an attachment on an email. It is as much a “people” issue as it is a “technical” issue.
In other words, ransomware may not require someone to crack firewalls or break through intense security. Rather, it just needs a person to make a simple mistake.
“Ransomware occurs when an individual is tricked or manipulated – what is called social engineering – to open an attachment or click on a link,” said Dr. Eric Cole, author of the upcoming book CYBER CRISIS, and former CIA hacker and cybersecurity commissioner to the Obama administration.
“When this happens their computer gets infected with malicious code whose main function is to crawl the network and find the critical servers,” Cole told ClearanceJobs via an email. “This software scans the network and installs itself on every server it can.
“It then makes an outbound connection, called a command and control channel, so the cybercriminal can activate the ransomware,” added Cole. “Based on how it works there are two main vulnerabilities associated with ransomware, users clicking on untrusted email and open networks that are not properly segmented.”
Just Say No to Paying
While Colonial Pipeline opted to pay, Cole suggested there are numerous dangers in paying. The first is that it signals to the hacking group that you are willing to pay, which could make you a target in the future; it is akin to becoming a “frequent flier” with that group and, potentially, with other hackers.
A more serious problem is that the problem isn’t really resolved.
“Even if an organization pays the ransom and the data is recovered, the attackers are still in your network,” warned Cole. “They can still cause harm and future damage. This means that even if you pay the ransom, you must actively clean up and secure the environment.”
Of course, it sets a bad precedent for the industry as a whole. Now that one company has paid, cyber criminals will likely expect other companies to pay, and we could see an increase in these attacks.
Cole also noted that the Colonial Pipeline attack was conducted by a Russian hacker group called DarkSide, which has essentially commercialized cybercrime. Since the U.S. does not have an extradition treaty with Russia, and hacking U.S. targets is not illegal in Russia, these attacks will continue with no end in sight.
Preparation is Key
The other fact to accept is that it isn’t really a matter of “if” but rather “when” a company could be targeted in such an attack. Being prepared to respond to an attack should be as important as stopping it from occurring.
“For critical infrastructure the best way to prepare for an attack is to disconnect the operational network that controls the pipeline or critical infrastructure from the Internet,” said Cole. “These systems have known vulnerabilities and were not designed to have Internet access. Since they traditionally were isolated and only recently, because of automation and Covid, were they connected to the Internet, this is an easy fix to isolate these critical networks.”
Moreover, the best practices are not as widely employed as they might be.
“This could be due to lack of awareness or a simple willingness to live dangerously – which is to say, save on infrastructure and configuration costs – while hoping not to be the low-hanging fruit for thieves,” Purtilo added. “This is a statistical game too. You save money … until you don’t. When the CEO complains ‘why are we spending so much on tech infrastructure?’ the response should be ‘open today’s paper and look at the headline – your name is not there.’”
Harden Systems, Train Employees
Beyond spending that money on tech infrastructure, there also needs to be training in place. Instead of the old adage “loose lips sink ships,” today, it could be “the wrong attachment could sink the company.”
In other words, what isn’t automatically caught by the security protocols needs to be more closely scrutinized by the users on the network. But limiting access should also be a consideration.
“To stop ransomware organizations need to properly filter out harmful emails and/or have users check email on a separate device so that if it is malicious, it is isolated to one system,” said Cole. “Organizations need to have proper network segmentation to control and minimize the damage. In the case of Colonial, the operational network that runs the pipeline should have been an isolated network with no connectivity to the Internet.
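The behaviour Cole describes earlier (a compromised workstation crawling the network for servers, then opening an outbound command-and-control connection) and the segmentation advice in the last two sections translate into two checks a defender can run over ordinary network flow logs: a host touching an unusual number of internal servers on administrative ports, and any traffic leaving an operational-technology (OT) segment that is supposed to have no Internet connectivity. The following Python is an added example written for this article; it is not code from ClearanceJobs, Cole, DarkSide or Colonial Pipeline. The log lines, the OT subnet, the port list and the scan threshold are all constructed assumptions.

```python
"""Added example: flag network-crawling hosts and OT-to-Internet egress
in a flow log. Everything below (subnets, ports, thresholds, the sample
log) is constructed for illustration, not taken from the article."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the pipeline control (OT) segment lives in 10.50.0.0/16.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
# Assumption: RFC 1918 space is "internal"; anything else is the Internet.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ports a worm-style ransomware would probe while looking for servers.
LATERAL_PORTS = (445, 135, 3389)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL)


def find_scanners(flows, min_targets: int = 5) -> dict:
    """Hosts that contacted at least `min_targets` distinct internal hosts on
    lateral-movement ports: the 'crawl the network and find servers' stage.
    Returns {source_ip: number_of_distinct_targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in LATERAL_PORTS and is_internal(f.dst) and f.src != f.dst:
            targets[f.src].add(f.dst)
    return {str(src): len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_ot_egress(flows) -> list:
    """Flows from the OT segment to a non-internal address. Any hit is a
    segmentation violation and the kind of path a command-and-control
    channel would need."""
    return [f for f in flows if f.src in OT_SEGMENT and not is_internal(f.dst)]


def analyze(log_text: str) -> dict:
    flows = [parse_flow(line) for line in log_text.strip().splitlines()]
    return {
        "scanners": find_scanners(flows),
        "ot_egress": [(f.ts, str(f.src), str(f.dst), f.dport) for f in find_ot_egress(flows)],
    }


# Constructed sample log. 10.20.1.15 fans out to six file servers on 445
# (suspicious); 10.20.1.16 talks to one server (normal); the OT host
# 10.50.3.7 polls a PLC on Modbus/502 (normal) and then reaches the
# Internet (203.0.113.10 is documentation address space) on 443 (violation).
SAMPLE_LOG = """
2021-05-07T02:10:01 10.20.1.15 10.10.0.1 445
2021-05-07T02:10:01 10.20.1.15 10.10.0.2 445
2021-05-07T02:10:02 10.20.1.15 10.10.0.3 445
2021-05-07T02:10:02 10.20.1.15 10.10.0.4 445
2021-05-07T02:10:03 10.20.1.15 10.10.0.5 445
2021-05-07T02:10:03 10.20.1.15 10.10.0.6 445
2021-05-07T02:11:10 10.20.1.16 10.10.0.1 445
2021-05-07T02:12:00 10.50.3.7 10.50.3.8 502
2021-05-07T02:12:05 10.50.3.7 203.0.113.10 443
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script and it prints one scanning host and one OT-to-Internet flow. The two checks are deliberately independent: the fan-out rule catches the spreading stage even when a network is flat, and the egress rule gives a concrete, testable meaning to "isolated network with no connectivity to the Internet" that can be re-run against live flow exports or firewall logs.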