Critical Infrastructure Ransomware Attacks Escalate

The Colonial Pipeline cyberattack highlights the dangers of critical infrastructure ransomware attacks. Here are some takeaways for security operators at SMEs.

Table of Contents

A Georgia oil and gas company is among the most recent victims in a spate of critical infrastructure ransomware attacks, leading them to shut down pipelines across the Eastern Seaboard. The attack underlines the ‘real world’ threat posed by increasingly sophisticated ransomware attacks. Moreover, it begs the question “If sophisticated cyberdefense operations are falling victim to these attacks, what hope is there for security operators at SMEs?” Well, quite a bit, actually.

In 2019 I wrote about the potentially catastrophic consequences of compromised infrastructure. I singled out education, healthcare, and banking as industries that were particularly vulnerable. At the time, there was some discussion about my outlook being too doom-and-gloom. People were tired of hearing about worst-case scenarios, I was told. The years since have made my predictions seem woefully inadequate. From a $40 million attack on one of the biggest U.S. school districts, the first-ever death attributed to a cyberattack, to the Solarwinds Breach—one of the largest in history—the scale of the ransomware epidemic has been unprecedented. Few would have predicted that a state of emergency would be declared over a ransomware attack. As if to underline the implausibility of these developments, this latest breach mirrors the plot of 2007’s Live Free or Die Hard.

The attack on Colonial Pipeline followed a typical double extortion format. The attackers—revealed to be the cybercrime group DarkSide—first downloaded nearly 100 gigabytes of sensitive data. They then unleashed their ransomware attack, encrypting the network and using the sensitive data as additional leverage to extract payment. As a result, Colonial shut down the biggest U.S. gasoline pipeline out of an abundance of caution. They said the shutdown would last between one and 6 weeks, potentially impacting thousands of organizations both upstream and downstream. In the days after the attack, the price of gas rose by 4 cents a gallon, and a state of emergency was declared in order to keep supply lines running by other means. This critical infrastructure ransomware attack comes after a spate of similar breaches that included the Washington DC police department, the Illinois Attorney General’s office, and a hospital in San Diego. 

What (not) to do?

The (worst-possible) take is that if you have ransomware insurance, you don’t have to be worried about its prevention and detection. This couldn’t be further from the truth. Ransomware groups have claimed that they like to target companies with ransomware insurance since they are more likely to pay out. In fact, one ransomware group specifically targets the insurance companies first, so they can mine their customer list for targets. One of Europe’s top 5 insurance companies has announced that they would stop writing insurance policies that reimburse ransomware fees. 

A common knee-jerk reaction to critical infrastructure ransomware attacks is that critical elements should never be connected to the internet. While it’s true that systems with an ‘air-gap’ are safer, in many cases this simply is not practical. The systems and processes that run our world are increasingly connected. Operating with an ‘air gap’ becomes more difficult as these systems rely on the internet for automation and updates. The Colonial Pipeline breach serves as an example of this (for starters, their system runs the entire length of the Eastern Seaboard). It was claimed that the control of the pipeline was never affected by the breach, but that there was a risk that the breach could spread. A further claim stated that since Colonial’s accounting and billing systems were down, they chose to halt operations in fear of not being able to recoup gas that was delivered. In this way, the critical part of their operations didn’t need to be breached in order to stop operations.

Lessons for SMEs

To begin with, we’re all connected. Colonial is the largest U.S. refinery and they are connected to thousands of smaller businesses both upstream and downstream. Millions of customers stand to be affected and the longer the shutdown continues, the more its impact will spread. Weak links in cybersecurity impact far more than just individual companies.

Cybersecurity teams at massive companies with endless budgets are consistently falling victim to sophisticated cyberattacks. That might seem discouraging to practitioners at small and medium-sized enterprises. However, applying good cyberhygiene can make a big difference. The first step, to borrow the wisdom of the ancients, is ‘know thyself’. When you want to reach a destination, the most important information is not the destination’s coordinates, but rather your current coordinates. Consistently gaining visibility into the current state of your network will give you the information needed to make the right decisions and measure your progress.

While critical components of your network may warrant additional attention, exclusively focusing on them does not reduce risk. With systems being increasingly interconnected, attackers don’t need to target operational technology in order to trigger a shutdown. Maintaining visibility into all aspects of your network (including OT, IoT, cloud environments, etc.) should be a priority.

In April 2021, the White House announced plans to improve U.S. cybersecurity and improve preparedness against critical infrastructure ransomware attacks. Deputy National Strategic Advisor Anne Neuberger said “Today, we cannot trust those systems because we don’t have the visibility into those systems, and we need the visibility of those systems because of the significant consequences if they fail, or if they’re degraded.” The same advice applies to networks of all sizes. 

Gain visibility into your network’s current level of compromise by opening a Lumu Free account today.

Subscribe to Our Blog

Get the latest cybersecurity articles and insights straight from the experts.

Share this post

RELATED POSTS

lumu and fortinet
Technical

Lumu and Fortinet Simplify Incident Response Automation

Reading Time: 2 mins As a partner in Fortinet’s Fabric-Ready Partner Program, Lumu delivers automated attack detection and response across the network. See how to integrate Lumu Defender with Fortinet’s FortiGate NGFW.