For many people, the recent ransomware attack on the Colonial Pipeline, a major supplier of petroleum products to the Eastern U.S., demonstrated the serious damage that these kinds of attacks can do.
In many past ransomware attacks, individual companies may have lost data if they didn’t pay the ransom, but the wider public was largely immune to the effects. In some cases customer data may have been compromised, some people would have had to change their passwords, and victim companies may have taken a financial loss, but that was the extent of the impact.
The attack on Colonial Pipeline, however, has shown the potential real-world effects of attacks on critical infrastructure. Even though the pipeline was shut down for less than a week, many gas stations in the Southeast U.S. ran out of fuel. Customers were panic buying gasoline, and in a few cases, actual fistfights broke out at gas stations.
Attacks on critical infrastructure can cause a lot of damage. Some such attacks could take industrial control systems offline and potentially injure people. Last winter’s power grid failure in Texas highlighted the impact of such an outage: millions found themselves without power, and at least 70 people died. A coordinated attack by cybercriminals could have an even bigger impact. Combine this with the recent cyberattack on the water treatment plant in Florida, and the potential for human casualties if attacks against critical infrastructure go unchecked becomes crystal clear.
Digitization and profit-seeking
The Colonial Pipeline attack happened at the intersection of two trends. The first is the digitization of industrial monitoring and control systems, using software and hardware that fall under the umbrella term “operational technology” (OT).
The pipeline attack highlights the ever more interconnected nature of IT systems and OT networks. The same connectivity that gives organizations access to telemetry, safety, and productivity data also provides a vector for cyberattacks.
It appears that Colonial Pipeline was able to stop the spread of the malware before it reached its OT systems, but the company will need to monitor its OT network for suspicious activity in case malware is still hiding somewhere in its network. Industrial organizations are becoming a major target for cybercriminals: 22 percent of all attacks in 2020 were against industrial targets, according to the latest Global Threat Intelligence Report.
The second trend is the growing realization among cybercriminals that ransomware can result in a quick payoff. Instead of long-term malware campaigns where hackers may have to sell customer data to a third party after months of mucking around in a corporate network, a successful ransomware attack can pay off in a matter of days.
In addition, some ransomware threat actors are double-dipping when they extort money from victims. First, they encrypt the data and demand a ransom to restore the victim’s access to it. Then, they also keep a copy of the data and demand that the victim pay again to have it deleted.
At the same time, we’re seeing the democratization of ransomware, where developers of the malware make it available to a wide group of “customers,” otherwise known as RaaS (ransomware-as-a-service).
How to respond
Colonial Pipeline appears to have taken the correct action by shutting down the pipeline and limiting the damage, but organizations operating critical infrastructure can do more to pump up their cybersecurity efforts. With threat actors innovating, automating, and scaling, there has never been a more urgent time to do it.
Reaction speed is critical in an attack like this, and many companies are turning to Extended Detection and Response (XDR), a software-as-a-service detection and response tool that integrates several security products. XDR can be used to monitor assets for breaches and respond immediately by isolating the infected host.
Colonial Pipeline isolated the IT network from the OT network to prevent spread, but with XDR the company could also have isolated the infected host from the rest of the IT network, stopping the breach dead in its tracks. Managed Detection and Response (a combination of managed EDR and advanced threat detection) is also a good model to consider.
Now more than ever, organizations need actionable intelligence when they face ransomware and other attacks. They need to know who is attacking them and what tools the attackers are using. That kind of intelligence can come from tools like XDR, or from cybersecurity partners that have a wide view of attacks across the globe. This intelligence helps organizations classify the behavior of attacks and change their environments so as to protect against modern advanced threats. Had Colonial Pipeline had a proactive defense model in place, the actionable intelligence would have alerted them sooner, and they would have been able to reduce the breach exposure time (the time from when the breach happens to the time it is discovered).
When organizations take proactive and immediate response measures, adversaries learn that their tools and behaviors are not working and that they must change their methods. This disrupts the entire ecosystem of malware developers and affiliates and puts them on the defensive.
This attack highlights the interconnected nature of IT resources and OT networks. Organizations must take an all-encompassing view when securing IT and OT networks to protect against threats like the ones making the headlines today.
Bruce Snell, VP of Security Strategy and Transformation, NTT Security