Colonial Pipeline Ransomware Attack: Lessons for Technologists

While technologists have always understood the damage that ransomware could do to an organization’s infrastructure and data, the May 2021 attack that targeted Colonial Pipeline IT infrastructure changed the game for good.

The attack, carried out by a threat group called DarkSide with alleged ties to Russia, not only served as a wake-up call to the IT and cybersecurity community charged with protecting and mitigating these incidents, but also hit the American mainstream in a significant way. This was most evident when motorists saw gas shortages at the pump throughout parts of the Southeastern U.S.

The six-day shutdown caused by the attack (not to mention the $4.4 million in Bitcoin Colonial paid as ransom to the attackers) set the stage for other major ransomware incidents that followed in the months ahead; new ransomware victims included meat producer JBS and managed service provider Kaseya. All of these seemed to strike at the heart of U.S. critical infrastructure, which now appeared vulnerable to these types of cyber threats.

“The biggest impact of the [Colonial] attack was the disruption of fuel supply to the East Coast of the U.S.,” Mike Hamilton, a former vice chair of the Department of Homeland Security’s State, Local, Tribal, and Territorial Government Coordinating Council, recently told Dice. “It’s also the realizations that pipelines are part of the transportation sector, and the security purview is provided by the Transportation Security Agency … and the TSA had taken no steps to provide cybersecurity requirements or guidance to the operators.”

The Colonial Pipeline ransomware attack also prompted U.S. lawmakers to demand more accountability from private companies and government agencies when they are targeted. Although it took nearly a year, Congress now seems poised to pass new legislation to force disclosures when attacks happen or a ransom is paid.

The Attack’s Effect on Technologists

While the ransomware attack that targeted Colonial Pipeline affected the company’s IT systems, specifically its billing systems, the incident raised major concerns about the operator’s systems that controlled thousands of miles of pipeline.

Ransomware rarely, if ever, directly affects operational technology (OT) systems, but security concerns over these overlooked parts of organizations’ infrastructure became a significant cyber issue following the Colonial attack.

Suddenly, there were concerns about vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that help operate and maintain much of the nation’s critical infrastructure. This not only includes oil and gas, but also electrical systems, water treatment facilities and even nuclear plants.

“Code is everywhere. Cloud infrastructure and operational technology that drive the configuration and operation of our industrial control systems for utilities, water, oil and gas, chemicals and transportation are all based on code,” Pan Kamal, head of products at security firm BluBracket, told Dice. “Software-based configuration opens up vulnerabilities that hackers can exploit to perpetrate attacks.”

Hamilton, who is the founder and CISO of security firm Critical Insight, added that the ransomware attack against Colonial demonstrated how little companies understood OT security and how few skilled tech pros are available to protect these systems.

“Because of our dependence on OT systems and the dearth of qualified professionals and purpose-built technology for those environments, this event has helped to spur interest and federal investment in training practitioners,” Hamilton said. “Our national laboratories are developing ‘ranges’ that can be used for this training.”

This change in how government agencies and private companies view OT security has also opened up opportunities for skilled technologists who know these systems and how to identify vulnerabilities.

“Understand the roles that will be hired in OT environments and tune your skillset appropriately,” Hamilton added. “Cyber analyst is likely one of those roles, and there should be a compliance aspect to cybersecurity in critical OT environments such as pipelines, chemical manufacturing, dams, water and waste treatment now that the requirements have been communicated.”

Phil Neray, vice president of cyber defense strategy at CardinalOps, also noted that the Colonial ransomware attack showed CISOs that they lacked visibility into certain parts of their networks, especially when it comes to OT systems.

“The Colonial Pipeline attack was a wake-up call for many CISOs because it demonstrated that they had blind spots in their [security operations centers] due to lack of monitoring for their OT networks,” Neray told Dice. “It also raised visibility for other mitigations such as network segmentation, which MITRE ATT&CK categorizes as essential to preventing access to safety-critical systems such as industrial control systems.”

Making Software Secure

The ransomware attacks on Colonial Pipeline, as well as other security incidents that happened both before and after the event, showed the vulnerability of software supply chains and how organizations of all sizes need to think about the security of their third-party suppliers.

“Over the last year, the software supply chain has come into sharp focus as more of these credential and code-based attacks have taken place. Application security, as well as Identity and Access Management, are cybersecurity segments that are seeing a lot of demand,” Kamal said. “The way software is developed has changed. With the constant need to accelerate the pace of software deployment, security for applications has become more complex as the use of open source software and code from third-party repositories becomes more prevalent. With this trend growing, developers are now taking a more defined role in the deployment of application security.”

A few days after the Colonial Pipeline attack, President Joe Biden signed an executive order mandating cybersecurity improvements across the federal government to counter ransomware and other cyber threats. Several experts noted that the number of high-profile attacks and greater awareness of these types of incidents mean companies are eager to hire security talent.

“I anticipate that historians will look at Colonial Pipeline and WannaCry as two incidents that shaped the trajectory of cybersecurity,” Jasmine Henry, field security director at JupiterOne, told Dice. “Both resulted in greater awareness, since WannaCry revealed the destructive potential of cyber threats to business leaders, while Colonial Pipeline raised public awareness.”

In turn, this new awareness of cybersecurity, and of the damage an attack could cause to an organization’s infrastructure or data, has meant more opportunities for those with the right skills.

“There is an opportunity for both job seekers and hiring managers to have productive discussions about past cybersecurity incidents during the hiring process,” Henry added. “Security events are probable in today’s world, and past incidents are also less important than resulting changes and growth. I think we need to collectively shift conversations with individuals or companies that have experienced an incident toward lessons learned.”