Here we go again. This time, it’s an oil pipeline. This time, it’s ransomware.
Security researchers, cybersecurity providers and various parts of the U.S. government keep telling us over and over, ad nauseam, that attacks on critical infrastructure are not going away. They just keep growing, as we reported barely a week ago.
So the largest U.S. fuel pipeline was forced to shut down operations this past weekend after a ransomware attack. The feds had to declare emergency powers to make sure oil gets sent where it needs to go along 5,500 miles of pipeline running through 17 states.
The regional emergency declared Sunday by the federal Department of Transportation relaxes regulations governing the transport of gasoline, diesel and jet fuel. Its goals are to minimize disruptions to local supply throughout Colonial’s service region, the eastern U.S., and avoid price hikes.
Colonial Pipeline said on Saturday it was temporarily halting operations, while revealing that its IT systems were affected by ransomware. On Sunday, it said “some smaller lateral lines between terminals and delivery points” had come back online. On Monday, in an updated statement, the company said it will be restoring operations in a phased approach and expects to resume service by the end of this week.
Industrial ransomware attacks growing
Industrial control systems (ICS) in utilities and manufacturing plants — aka critical infrastructure — are increasingly targets for cybersecurity attacks, especially ransomware. We’ve been hearing this for not only months, but years.
In December 2020, right as the SolarWinds attack was being revealed, security researchers at cybersecurity leader Dragos and IBM reported that ransomware attacks on ICS in utilities and manufacturing plants jumped an incredible 500% in the last two years.
According to a March report from Dragos, ransomware attacks in manufacturing alone tripled last year. The entire industrial sector now accounts for nearly a third of ransomware attacks, more than any other sector, and attacks on ICS are increasing in developed countries.
Ransomware attacks on industrial targets have already caused disruptions of various kinds, including usually temporary plant shutdowns. Last month, it was an unnamed European manufacturer which had to shut down two production plants. In January, packaging leader WestRock said a ransomware attack had affected both operational technology (OT) and IT systems, impacting production for a few days.
Barely a couple of weeks ago, the NSA advised owners of OT systems to, basically, disconnect them from internet-connected IT systems whenever possible, because connecting all those critical control systems just makes them vulnerable to malicious attacks. Which is true, of course. Failing that, the NSA would really appreciate it if critical infrastructure owners would at least evaluate how the risks of connecting everything stack up against the benefits, and at least use good OT cybersecurity hygiene practices.
Solutions must include tighter controls over product development
What measures can organizations take to help prevent ransomware attacks and cut their risk? The basic drill is well known by now. “The most important are onboarding powerful security tools, and adopting significant practices so you have a more mature organization,” Carl Herberger, vice president of security services for CyberSheath, told EE Times.
But leaving everything up to the companies and organizations running critical infrastructure is clearly not enough. Herberger thinks a program like the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) program is a good model for OT and ICS devices used in infrastructure, since it details what suppliers have to do to maintain healthy security in their products.
“It’s the last in the line of many attempts by the federal government to programmatically ensure security in the products it buys,” he said. “But CMMC only applies to products that are not also being sold in the open market today. It doesn’t give oversight for commercial off-the-shelf providers. So we’ve got two broad holes: first, companies are resistant to do what’s required under CMMC, and second, we’ve got to get COTS providers to become compliant in some similar way.”
It could be more than a possible model. Because the DoD is the largest buyer of IT services in the world, and because anyone selling to them must prove CMMC certification, opening up the program to include COTS providers would be a huge step, said Herberger. “To help defray the costs of the investment to become certified, certain companies may need some kind of cost sharing or offset, such as tax-deductible or tax-deferred status,” he said.
While administration officials reportedly met over the weekend to find out if other critical infrastructure companies might also be vulnerable to the attackers, President Biden has considered cybersecurity a top priority since before he took office.
And only two weeks before the attack on Colonial Pipeline, the Department of Justice formed the new Ransomware and Digital Extortion Task Force to address the it-feels-like-drinking-from-a-firehose ongoing attacks on U.S. critical organizations.
Meanwhile, products continue to be built without security in mind — or at least, without enough of it — and sold to private enterprises managing public infrastructure. This just can’t keep going on.
“We’ve now hit the Rubicon: after SolarWinds, the Florida water treatment plant, and now Colonial Pipeline, we’re seeing really serious threats to our national security,” said Herberger. “If everyone was on a program like CMMC and COTS environments were covered by it, we could dramatically reduce risk to OT and ICS systems in our critical infrastructure.”
I think he’s right.
The post Ransomware Shuts Down Pipeline, Affecting 17 States appeared first on EETimes.