Colonial Pipeline hack is latest example of cybersecurity threats to physical infrastructure

Colonial Pipeline Co., which operates 5,500 miles of pipeline that delivers 45% of gas and jet fuel to the East Coast of the U.S., was shut down on May 7 by an organization now identified as the ransomware group DarkSide.

DarkSide has issued statements since the attack noting that it is an apolitical group with a goal “to make money, and not creating problems for society.” It follows the ransomware-as-a-service (RaaS) business model.

“Ransomware is hugely profitable,” said Nadya Bliss, executive director of the Global Security Initiative at Arizona State University. “Considering the amount of money involved, It’s not surprising that some groups would establish a business model selling ransomware as a service.

“The trend has escalated as technology development and adoption have outpaced policies and regulations, which contributes to cyber vulnerability,” she said.

According to Homeland Security adviser Elizabeth Sherwood-Randall, the hackers broke into networks devoted to the company’s business operations but did not reach the computers that control the physical infrastructure that transports gasoline and other fuel.

Colonial shut down the network as a precautionary measure and has called in external cybersecurity experts to ensure the hack is not dangerous to the overall network.

According to Sherwood-Randall, “Our nation’s critical infrastructure is largely owned and operated by private sector companies.”

On Wednesday, May 12, the White House issued a new executive order that aims to improve U.S. cybersecurity.

“We’re finding ourselves more frequently in an interesting space — the intersection of federal and private jurisdictions where security regulations may be different,” said Bliss. “At a national level, we’re still trying to figure out what policies make sense in the context of cybersecurity.”

Prior to the Colonial hack, the Biden administration had already launched an initiative to improve the cybersecurity of critical infrastructure, focused on high-priority collaboration with private sector partners to harden defenses, according to Sherwood-Randall.

But the broader perspective, according to Bliss, is that domains that don’t typically see themselves in the computer science space — schools, hospitals, utility companies and, in this case, pipelines — are becoming increasingly at risk from outside attacks.

“Some of these entities don’t have in-house security staff trained to assess and thwart risks,” Bliss said. “The need to have dedicated cybersecurity protocols has become increasingly important as more sophisticated versions of software-based attacks are developed.”

Bliss shared some insights about who is vulnerable to ransomware and ways to protect data from attack.

Question: What is ransomware?

Answer: Ransomware is a type of malicious software that encrypts the data on your hard drive and prevents access until the responsible hackers are paid to release your data. It’s like putting it behind a lock – and you can’t unlock it until you pay the fee. In some cases, the hackers not only lock your data, they threaten to make sensitive information publicly available.

Common targets have been schools and health care providers. For example, hospitals can’t access medical records unless they pay the ransom. Because this data is critical to their operation, they are motivated to pay the fee.

Q: Who is most vulnerable to these attacks?

A: First, everyone is vulnerable to some extent, because of the human factor. Cybersecurity is not only about having the most up-to-date technology, it’s about making sure people understand the risks and practice good cyber hygiene, like avoiding clicking on phishing emails and setting strong passwords.

With that said, older systems that don’t update regularly are particularly vulnerable to ransomware attacks.

Q: How can businesses and municipalities protect themselves?

A: Engage in good cyber hygiene:

  • Back up your data regularly on a separate system that is not connected to the internet. This will give you access to your critical data if your systems are unavailable due to encryption or other attack.
  • Adopt a proactive security profile — don’t assume you won’t be hacked. If you leave the door open, at some point someone will come in. And, the more enticing your house is, the more attractive you are as a target.
  • Update your software on a regular basis — software companies are monitoring for vulnerabilities and providing patches and updates that secure against threats as they become known. When the software no longer offers updates, it’s likely time to reconsider the platforms you are using.
  • Recognize cybersecurity as a cost of doing business. Skimping on it may end up costing you much more in the long run.
  • Don’t click on downloads you aren’t expecting or that aren’t from a reliable source. Doing so can end up subjecting your entire system to malware.
  • Seek out support and resources from experts. During the COVID-19 pandemic, for example, the American Hospital Association and the Department of Homeland Security partnered to protect hospitals from malicious activity.
  • Take advantage of resources from trusted sources like the Cybersecurity and Infrastructure Security Agency, which, among other things, provides extensive ransomware guidance and resources and generally tracks vulnerabilities.

Q: With much of America’s critical infrastructure managed by private companies, what can the U.S. federal government do to improve security?

A: Improved policies and regulations can help set basic standards for cybersecurity of critical infrastructure. For example:

  • Create a national information gathering and sharing mechanism that will enable all components of the country’s infrastructure ecosystem — whether in the public or private sector — to get real-time updates of the latest threats and suggested security measures.
  • Incentivize adoption of cutting-edge research into practice.
  • Standardize educational resources and training for local governments and companies.
  • Provide educational resources and training to local governments and companies.
  • Work closely with international partners to better understand the evolving threat landscape. Cyber doesn’t care about physical borders between countries. It’s important that these attacks are tracked broadly and that we share information on a global level.
Terry Grant
tvgrant1@asu.edu