The May 7 attack that forced Colonial Pipeline Co. to halt the flow of fuel through 5,500 miles of pipeline marked the first time that millions of Americans felt a real-world impact from a cyberattack. It won’t be the last.
Even as the criminal group responsible for the attack disbands, the ongoing impact to motorists, airlines, and the logistics industry highlights a reality criminals and cybersecurity professionals have long known: America’s critical infrastructure is ill-prepared to deal with modern cyber threats.
Targeting vital industries like utilities, energy producers, and healthcare is effective for two reasons. First, the essential nature of these sectors makes it far more likely that a ransom will be paid. A coffee shop that can’t process credit cards might lose revenue; a hospital that can’t admit patients to the emergency department could cost lives. Second, despite the outsized importance of electrical grids, water systems, and power plants to the country’s economy, public and private utilities alike have some of the worst cybersecurity practices of any industry.
We don’t know exactly how criminals were able to penetrate Colonial Pipeline’s network, but the company’s track record suggests it may not have been difficult. A 2018 audit of the company described “a patchwork of poorly connected and secured systems”, along with “atrocious” management practices. The report’s author, Robert F. Smallwood, commented that “an eighth-grader could have hacked into that system.”
Perhaps the most frightening aspect of this attack is that it apparently wasn’t intended to impact the sensors and industrial control systems that directly manage the pipeline’s operations – those systems were taken offline proactively as Colonial discovered the attack. In subsequent public statements, DarkSide stated their goal “…is to make money, and not creating problems for society”. While that may be true, the attack has highlighted the potential appeal of going after the infrastructure that millions of Americans rely on every day. If ransomware groups can already fetch multi-million dollar payouts going after databases and accounting systems, how much more could they demand by threatening to poison a municipality’s drinking water, de-energize major portions of the electrical grid, or shut down 911 dispatch centers?
The attack on Colonial is a watershed moment for the ransomware industry, which has grown increasingly sophisticated and daring in the last few years. Early ransomware campaigns targeted individuals, asking for $100-500 apiece to restore documents, photos and home movies. Faced with the prospect of almost half the gasoline supply to the East Coast drying up, executives at Colonial Pipeline made the decision to pay the nearly $5 million ransom within hours of the attack. In truth, it was probably a bargain.
Major ransomware attacks since May 1

| Date | Event |
|---|---|
| May 1 | Scripps Health is forced to cancel surgeries, reroute ambulances, and revert to emergency operating procedures after an attack knocks most of its systems offline. The healthcare system remains heavily impacted over two weeks later. |
| May 10 | Citizens of Tulsa, OK are unable to pay utility bills, get police reports, or contact city staff after a ransomware attack cripples all 3,500 of Tulsa’s computers. |
| May 11 | The Babuk gang releases the personnel files of 22 Washington, DC Metropolitan police officers after the department refuses to pay the $4 million ransom. The leaked details include home addresses, spousal information, and psychological information. Babuk also threatens to release the names of confidential informants and shut down the city’s 911 dispatch center. |
| May 14 | Ireland’s public healthcare system shuts down its entire IT infrastructure after suffering two ransomware attacks. |
| May 17 | After allegedly disbanding, DarkSide receives a $4.4 million ransom payment from a German chemical distributor, and compromises a division of Toshiba in separate attacks. |
The average ransomware payment rose by 171% in 2020, but some of the most notorious operators have netted much larger payouts by going after “big game” targets. Last year, the thieves behind the Ryuk family of ransomware netted $34 million worth of Bitcoin in a single attack. Ireland’s national healthcare system is currently grappling with a ransomware attack demanding $20 million. Given the overall importance of the Colonial Pipeline to the U.S. economy, it seems likely that DarkSide could have demanded a much larger sum.
Operational Technology – the hardware and software that powers machinery and industrial equipment – poses unique challenges from a cybersecurity perspective. Where an average PC workstation might have a lifespan of three years, the equipment on a factory floor or in an electrical substation may be expected to last decades. This means there are thousands of devices still in service that pre-date the Internet and were never designed to be resilient against the kind of cyberthreats enterprises face on a daily basis. Because of their critical nature, it may not be practical to remove these types of devices from service to apply security updates or harden configurations.
Some ransomware gangs have sought to portray something of a digital Robin Hood image, and have promised not to target critical infrastructure because of the potentially life-threatening consequences. But similar promises were made at the beginning of the COVID-19 pandemic, only for healthcare to end up the most targeted sector of the year.
A September 2020 attack on Universal Health Services crippled over 400 hospitals for nearly three weeks and wound up costing the healthcare giant nearly $70 million in lost revenue. More recently, Scripps Health in San Diego has been forced to cancel surgeries and turn away ambulances. And in an ongoing attack, ransomware has disrupted healthcare service across all of Ireland. Other attacks have targeted organizations involved in COVID-19 vaccine development and distribution.
It’s clear that the most vile threat actors will target any institution or industry, regardless of the real-world consequences.
What You Can Do
Utilities, hospitals, and government agencies that have fallen victim to recent ransomware campaigns offer some striking examples of what NOT to do when it comes to cybersecurity.
At the time of its 2018 audit, Colonial Pipeline was reportedly not training its employees on common cyberthreats like phishing emails, a favorite tactic of DarkSide and one that’s already been used against other pipeline operators.
The Florida water utility that narrowly avoided a dangerous increase in sodium hydroxide levels was using a single shared password across systems that were “connected directly to the Internet without any type of firewall protection installed.”
A natural gas compression facility that was knocked offline for two days in early 2020 hadn’t adequately separated the workstations used for day-to-day computing from the assets used to control and monitor gas production.
And a September 2020 attack that led to a homicide investigation when a German hospital was forced to turn away an ambulance has been attributed to known flaws in a Citrix VPN application.
Basic cyber hygiene practices may have averted many of these attacks.
In issuing a set of best practices for averting the kind of business disruption faced by Colonial Pipeline, the US Cybersecurity and Infrastructure Security Agency (CISA) reiterated the same advice that cybersecurity professionals have long espoused: implement security awareness training for all employees, mandate the use of strong passwords and Multi-Factor Authentication (MFA), update all systems and software in a timely fashion, and maintain secure backups of all data.
While the criminal enterprises behind ransomware are growing increasingly sophisticated – some even employ professional translators, graphic designers, and customer support teams – basic cyber hygiene practices still go a long way towards thwarting an attack.
Modern ransomware gangs like DarkSide are becoming increasingly sophisticated, but in too many cases, we’re simply leaving the door open for them with a digital welcome mat out front. Attacks like the one that crippled Colonial Pipeline will continue – and even escalate – until companies, governments, and institutions start taking cybersecurity more seriously.