
Early Lessons from the Colonial Pipeline Cyber Attack


Written By: Jonathan Arena, CISSP, ITIL, CSM
President & Founder of White Clay Technology

The 1970s Gas Crunch...a ransom of another kind.

In the 1970s there were two major gas shortages in the United States. Both of these destabilizing events were triggered by geopolitical uncertainty. The first was caused by the embargo that OPEC, a cartel that controls a significant share of global oil reserves, placed on the United States in 1973 for its support of Israel in the Yom Kippur War.

The second occurred in 1979 and was initiated by instability from the Iranian revolution. 

In both of these situations, lessons were learned and steps taken to prevent the problem from recurring, including:

  • We created the Strategic Petroleum Reserve
  • We directed the oil industry to build inventories, especially of heating oil
  • We implemented gasoline price-control regulations
  • There has been a drive to higher fuel efficiency and now to vehicles that do not require gasoline
  • We have found additional ways to decrease our reliance on foreign oil, and
  • We have identified and explored additional stateside sources of oil.

As a result of these changes, aside from the occasional strong hurricane temporarily disrupting oil production in the Gulf of Mexico, we have enjoyed two generations of plentiful fuel availability at an average consumption rate of around 19,000 barrels a day over that 40-year period.

No other organization, cartel, or country would ever again be able to wreak havoc on the United States by holding our oil-hungry society hostage. The primary goal of these initiatives was to reduce the impact of future oil disruptions, and for the most part it worked…until today.


Ransomware Attacks: The oil spill of cyber space

On May 7, 2021, Colonial Pipeline, the company that delivers a majority of oil to the eastern United States via a pipeline network originating in Texas, experienced a ransomware attack against its computer systems.

By all accounts, the attack impacted the company's Information Technology (IT) systems, but not the Operational Technology (OT) systems, or Industrial Control Systems (ICS), that control the pipeline operations.

A ransomware attack works like this:

  1. A “threat actor” (aka bad guy) gains access to a protected network through one of many means.

    The most common methods of exploitation include phishing attacks, weak passwords, a cavalier approach to access restrictions, poor firewall management, or outdated (unpatched or end of life) computer systems and applications.  

  2. Once the threat actor has established a foothold inside your network, they begin to learn what you do, where you keep your data, where you keep your backups, and how you operate your business. They want everything of value they can get in order to maximize their ransom.

  3. Depending on the motives of the attacker, they will sometimes quietly begin sending that data offsite, usually to another hacked computer that they use to store it. They do this as an additional incentive to pay: not only is there a ransom in play, but there is also a data breach to contend with.

  4. Finally, once they have obtained the information they deem valuable, whether for resale or because of its value to you as a business, they encrypt the data on those computer systems so that only they can access the files. All you can see is a message on your screen instructing you to send payment in exchange for a decryption key, which in over half of cases never arrives, even if you do pay.

As a precaution, Colonial Pipeline deactivated all computer systems (IT and OT) that could have been impacted, including the critical pipeline monitoring systems. As a result, the pipeline itself had to be shut down.

This incident has triggered a national emergency and President Biden has been briefed on the matter. The pipeline had never been completely shut down since it began operation in the 1960s.


There are a few early lessons that we can all learn from this incident:

  1. Be Prepared!  It doesn’t matter who you are, cyber attacks target ALL.  A few days ago, the majority of Americans had never heard of the Colonial Pipeline, much less had any concept of how fuel is distributed to their part of the country.  That didn’t stop a gang of cyber crooks from discovering them.

    Your business, whether you are a critical link in the nation's strategic supply chain or you sell handmade gifts, needs to take reasonable and prudent precautions to adequately prepare for a cyber attack.

    For regulated industries such as financial institutions, there are usually compliance requirements that provide a starting point, but for small businesses there isn’t, which is why they are often the most vulnerable targets. 

    Those small businesses should consider reading Cyber Security Essentials for Small Businesses, a quick read book we published that contains cyber hygiene steps that they can take to reduce their risk of becoming a casualty of a cyber attack.

  2. Have a Plan!  In these situations it helps to have a disaster recovery plan.  Disaster recovery is about asking the question “what if”.  Once you’ve asked that question and come up with 100 scenarios, you assess each scenario for its likelihood and its impact; that combination of likelihood and impact is what we call risk.  The result is a ranked assessment of the possible scenarios that could impact your business.

    Once you have your ranked list of risks, you work to avoid, mitigate, transfer, or accept the risk.  Sometimes this means changing a process, updating a computer, implementing a tool, or even just getting more insurance.

  3. Make Offsite Backups!  While this may seem obvious and basic, you may be shocked how many times we find clients without backups.  Offsite backups can mean the difference between paying a ransom and getting your business back up and running.  In addition to being offsite, your backups should be journaled, meaning that there are always multiple dated versions of the same file, because ransomware sometimes goes off like a time bomb and can sit unnoticed for weeks or months.  Protect the data…always remember that your data is what matters when it comes to anything in technology.  Computers are replaceable.

  4. Don’t Ever Pay the Ransom!  Your goal should be to get to the point where you never have to pay a ransom.  Remember, in over half of ransomware incidents the ransomers never provide the decryption key.  Additionally, as mentioned in a prior blog post, paying the ransom may have legal implications if the payments are being sent to countries under embargo like North Korea and Iran, both of which are active in cyber attacks for “fundraising” purposes.

  5. Get Outside Help!  There are companies, like White Clay Technology, who can provide you with a Technology Strategy Adviser who can identify your main risk areas, work with you to build an adequate defensive posture, introduce you to technical resources that can assist further, establish a disaster recovery plan, test it with you, and more.
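To make the "journaled" part of lesson 3 concrete, here is an added example (not code from the original post or from White Clay Technology) of date-versioned backups in Python. Each backup run writes a full copy into its own timestamped snapshot directory, so a later run that unknowingly copies already-encrypted files never overwrites the earlier good copies; a recovery then pulls the newest version from before the date the ransomware went off. The snapshot layout (backup_root/YYYYMMDDTHHMMSS/relative path), every function name, and the sample ledger files are assumptions constructed for this illustration.

```python
"""Journaled (date-versioned) backups: an added illustration, not the post's code.
Snapshot layout backup_root/<YYYYMMDDTHHMMSS>/<relative path>, all names and
the sample files below are assumptions constructed for this example."""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

STAMP_FMT = "%Y%m%dT%H%M%S"  # one directory per snapshot, named by its timestamp


def make_snapshot(src_dir, backup_root, when):
    """Copy every file under src_dir into a new dated snapshot directory.
    Snapshots are never overwritten, so a copy taken after the source was
    encrypted does not destroy the earlier good copy."""
    src_dir, backup_root = Path(src_dir), Path(backup_root)
    snap = backup_root / when.strftime(STAMP_FMT)
    for path in src_dir.rglob("*"):
        if path.is_file():
            dest = snap / path.relative_to(src_dir)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
    return snap


def list_snapshots(backup_root):
    """Snapshot directories as (timestamp, path), oldest first."""
    found = []
    for d in Path(backup_root).iterdir():
        try:
            found.append((datetime.strptime(d.name, STAMP_FMT), d))
        except ValueError:
            continue  # not a snapshot directory; ignore it
    return sorted(found)


def versions_of(backup_root, rel_path):
    """Every retained version of one file as (timestamp, sha256), oldest first.
    A hash change between dates shows when the file last changed, which helps
    pin down when a ransomware 'time bomb' went off."""
    out = []
    for stamp, snap in list_snapshots(backup_root):
        f = snap / rel_path
        if f.is_file():
            out.append((stamp, hashlib.sha256(f.read_bytes()).hexdigest()))
    return out


def restore_before(backup_root, rel_path, cutoff):
    """Bytes of the newest copy of rel_path taken strictly before cutoff, or None."""
    chosen = None
    for stamp, snap in list_snapshots(backup_root):
        f = snap / rel_path
        if stamp < cutoff and f.is_file():
            chosen = f
    return chosen.read_bytes() if chosen else None


def prune(backup_root, keep):
    """Delete all but the newest `keep` snapshots; return the names removed."""
    snaps = list_snapshots(backup_root)
    doomed = snaps[:-keep] if keep > 0 else snaps
    for _, snap in doomed:
        shutil.rmtree(snap)
    return [snap.name for _, snap in doomed]


def demo_time_bomb(workdir=None):
    """Constructed scenario: two weekly snapshots, then the source is encrypted
    and a third snapshot copies the bad version. Returns what recovery finds."""
    root = Path(workdir or tempfile.mkdtemp())
    src, backups = root / "live", root / "backups"
    backups.mkdir(parents=True, exist_ok=True)
    ledger = src / "finance" / "ledger.txt"
    ledger.parent.mkdir(parents=True, exist_ok=True)

    ledger.write_bytes(b"ledger v1")
    make_snapshot(src, backups, datetime(2021, 4, 1, 2, 0, 0))
    ledger.write_bytes(b"ledger v2")
    make_snapshot(src, backups, datetime(2021, 4, 8, 2, 0, 0))
    # Constructed stand-in for the file after encryption (not real ciphertext).
    ledger.write_bytes(b"<<unreadable encrypted blob>>")
    detonated = datetime(2021, 4, 15, 2, 0, 0)
    make_snapshot(src, backups, detonated)  # backup ran unaware of the damage

    rel = Path("finance") / "ledger.txt"
    history = versions_of(backups, rel)
    return {
        "versions": len(history),
        "distinct_hashes": len({h for _, h in history}),
        "recovered": restore_before(backups, rel, detonated),  # -> b"ledger v2"
        "pruned": prune(backups, keep=2),
        "remaining": len(list_snapshots(backups)),
    }


if __name__ == "__main__":
    print(demo_time_bomb())
```

Running the script plays through the scenario: three dated versions of the ledger are retained with three different hashes, the restore picks the "v2" copy from the snapshot just before the detonation date, and pruning to two snapshots drops only the oldest one. The same retention logic is what lets a real backup tool ride out a time bomb that sat dormant for weeks; a single overwritten copy would already hold the encrypted file.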

Cyber security is not a one-and-done activity.  The threat landscape is constantly changing, and the bad guys are getting smarter and more resourceful.

For more information on White Clay Technology, please visit us at https://www.whiteclaytechnology.com

_________________________________________________________

Jonathan Arena is a recognized technology & cyber security expert. He has spent 25 years in the managed service provider segment of the IT industry serving Fortune 500 clients and small business clients alike. He is the President & Founder of White Clay Technology and RealTechPros. Jonathan is also a Technology, Cyber Security & Data Privacy professor at Wilmington University in Delaware.

Jonathan has served on multiple academic boards including the Cyber Security boards for the University of Delaware, Rutgers University and Ithaca College, as well as the Wilmington University Technology Course Advisory Board.

Jonathan is CISSP, ITIL & CSM certified and he holds a bachelor’s degree from Wilmington University. Jonathan was named a “2016 Delaware Achiever & Innovator Under 40” by the Delaware Business Times.