An Analysis: The Colonial Pipeline Breach

On May 6, 2021, US fuel pipeline giant Colonial Pipeline suffered a ransomware attack.

The company was forced to shut down some 5,500 miles of pipeline, causing long lines at gas stations due to distribution problems and panic-buying, draining supplies at thousands of gas stations across the Southeast.

According to the FBI, the Russia-based ransomware group DarkSide was responsible for the attack. The attackers exfiltrated a large volume of data (reported at roughly 100 gigabytes) and threatened to leak it in a double extortion scheme: pay once for the decryption key, and again to keep the stolen data private. The ransomware hit Colonial's corporate IT network rather than the control systems that run the pipeline, but the company halted pipeline operations as a precaution to keep the infection from spreading into those operational systems.

The Colonial Pipeline infection has highlighted a serious weakness in the country's critical infrastructure, which has been the target of an increasing number of cyberattacks.

There has been a sharp upward trend in ransomware since the start of COVID-19. Globally, the rate of cyberattacks to date in 2021 has roughly doubled compared to the same period in 2020. Cybercriminals have changed strategies as workers have shifted to accessing corporate networks remotely, providing fertile ground for cybersecurity gaps and lapses. Access management problems, together with remote workers making simple mistakes such as enabling macros in Office documents that arrive from "known" external vendors or clients, have created easy points of entry for attackers. (A plain CSV file cannot carry a macro; the risk lives in macro-enabled Word and Excel attachments, and in spreadsheet cells that hide formula or DDE commands.) Just a month ago, CNA Insurance had to shut down its systems to curtail the impact of an attack in which hackers used emailed files containing malware to reach cyber insurance policyholder data. CNA did not say whether it had determined that policyholder data was compromised.
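The macro-enabled attachment problem described above can be caught before the document reaches a user. The following is an added example written for this page, not code from Colonial Pipeline, CNA or Lumos; it triages an email attachment by inspecting its bytes rather than trusting the file extension, flags any OOXML document that contains a VBA project (the `vbaProject.bin` part that carries macro code, even when the file was renamed to `.docx`), sends legacy binary Office files for review, and checks CSV cells for the `=`, `@`, `+` and `-` prefixes that spreadsheets interpret as formulas. The sample attachments are constructed inline, and the block/review/allow policy is an illustrative assumption.

```python
import csv
import io
import os
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML documents are zip archives; a local file header starts with PK\x03\x04.
ZIP_MAGIC = b"PK\x03\x04"
# Extensions whose name already declares that macros are present.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def build_ooxml(parts):
    """Build a minimal in-memory OOXML-style zip containing the named parts.

    Used here only to construct sample attachments; the part contents are empty.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"")
    return buf.getvalue()


def has_vba_project(data):
    """Return True if the bytes are a zip archive holding a VBA project part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Word stores it as word/vbaProject.bin, Excel as xl/vbaProject.bin.
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def csv_has_formula_cells(data):
    """Return True if any CSV cell starts with a character spreadsheets treat as a formula."""
    text = data.decode("utf-8", errors="replace")
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            cell = cell.strip()
            if not cell:
                continue
            if cell[0] in "=@+":
                return True
            # A leading '-' is only suspicious when it is not simply a negative number.
            if cell[0] == "-" and not (cell[1:2].isdigit() or cell[1:2] == "."):
                return True
    return False


def triage_attachment(filename, data):
    """Classify an attachment as 'block', 'review' or 'allow' (illustrative policy)."""
    ext = os.path.splitext(filename.lower())[1]
    if has_vba_project(data):
        return "block"          # macro code is present whatever the file is called
    if ext in MACRO_EXTENSIONS:
        return "block"          # extension declares macros even if the zip is unreadable
    if data.startswith(OLE_MAGIC):
        return "review"         # legacy binary Office file; VBA streams need a deeper parser
    if ext == ".csv" and csv_has_formula_cells(data):
        return "review"         # possible formula/DDE injection, not a macro
    return "allow"


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "invoice_renamed.docx": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "report.docx": build_ooxml(["word/document.xml"]),
        "old_contract.doc": OLE_MAGIC + b"\x00" * 24,
        "ledger.csv": b"id,amount\n1,-5\n2,12.50\n",
        "export.csv": b"id,note\n1,=cmd|' /C calc'!A0\n",
    }
    for name, blob in samples.items():
        print(f"{name:22s} -> {triage_attachment(name, blob)}")
```

The decisive check is the content inspection: the renamed `.docx` sample carries the same `vbaProject.bin` as the `.docm` and is blocked on that basis, which an extension-only filter would miss. The CSV check is deliberately a "review" rather than a "block", because a leading minus sign is usually just a negative number.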

Risk Model Estimates

Although the FBI has historically cautioned ransomware victims against paying, Colonial Pipeline paid a ransom of approximately $4.4 million USD (75 bitcoin) to regain access to the "corporate jewels."

Why did a powerful corporation with $3.1 billion in assets pay these unknown hackers? Let's weigh in:

  1. Major immediate impact. The hackers held Colonial Pipeline's files hostage and demanded payment in difficult-to-trace cryptocurrency. Within hours of the attack, Colonial Pipeline was under immense pressure to get gasoline and jet fuel flowing again.
  2. Critical corporate data was on the line. Given the quantity and type of data involved, it is estimated that a leak would have been a multi-million-dollar matter in direct incident losses, from public exposure, reputational damage, and loss of competitive advantage.
  3. Downstream impact and disruption to logistics. Just hours after the hack, many states saw long lines at gas stations as consumers began to panic-buy, leading to a spike in gas prices and stations running dry. The pipeline saw a five-day pause in operations. Had the shutdown continued much longer, supply chain problems costing billions of dollars would have followed, with drivers and critical transportation unable to get fuel.

What other options did Colonial have? Call the attackers' bluff, or build a more resilient system.

Perhaps Colonial Pipeline could have followed the example of the City of Atlanta, Georgia, in the 2018 SamSam ransomware attack. Hackers crippled municipal computers and demanded around $51,000 in Bitcoin to release them. The city lost years of critical data, including legal documents and police dashcam video, and was forced to conduct business on paper for days after the attack. Atlanta refused to pay and instead chose to upgrade and secure its outdated networks, at an estimated cost of $9.5 million. One could argue, however, that Atlanta did not carry the weight of a company that supplies gasoline to much of the East Coast.

Government Regulation

This ransomware attack exposes vulnerabilities in our critical infrastructure and shows that companies are less likely to take cybersecurity seriously without regulation, even in a high-risk environment. Regulation of the private energy sector has been a contentious topic for some time. At the time of writing, the private companies that carry the load of critical infrastructure are not required to report when they have been targeted by cybercriminals. Security gaps in these privately run sub-industries leave all of us exposed, and weak security practices within an organization create loopholes that attackers exploit. These companies have a serious responsibility to the public to take network security seriously.

What can companies do to build resilience? In the absence of regulation, what guidelines or controls could Colonial Pipeline have implemented to protect itself?

Building Cyber Resilience

A resilient cybersecurity program is essential for any business, large or small. Sound protection begins with identifying enterprise assets and the risks, threats, and vulnerabilities that apply to them. A securely designed system that safeguards and continuously monitors those assets is key, along with regular education of end users so that specific protocols are followed to minimize risk. For an operator like Colonial, that design includes segmenting the corporate IT network from the operational technology that runs the pipeline, so that an infection on the business side does not force a shutdown of the physical system, and keeping tested, offline backups so that recovery does not depend on paying for a decryption key.

Lumos Technology Services: The Cybersecurity Experts

For over 16 years, Lumos Technology Services has been helping corporate clients create and enhance their cybersecurity programs. Over the years, we have performed risk assessments, security gap analyses, and have implemented security solutions to meet the needs of various industries. Our services include Security Design and Architecture, Managed Services, Incident Management, Cloud Services, and Backup & Disaster Recovery.