Comments by: Grant Geyer, Chief Product Officer, Claroty
“Unfortunately, the cyber attack against Colonial Pipeline is only a teaser of the future of cyber attacks. As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target. Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay. This leads to a situation where cyber security risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk.
One additional risk factor of pipelines is that they are highly distributed environments, and the tools that are used to enable asset operators remote connectivity are optimized for easy access and not for security. This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year.
Among critical infrastructure sectors, energy is especially at risk. Our researchers have found that the energy sector is one of the most highly impacted by industrial control system (ICS) vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half (2H) of 2020 compared to 2H 2018.
Improving the nation’s critical infrastructure is going to require a public-private sector partnership given the current gaps and potential risk to the US supply chain and national security.”
Comments by: Sheena Chin, Managing Director of ASEAN at Cohesity
The Colonial Pipeline ransomware attack is the latest example of the serious danger posed to businesses by the increasing number of cyberattacks. While we do not know the ins and outs of this latest cyberattack, what we do know is that no organisation is truly safe from ransomware. However, there are a number of measures organisations can take to ensure their security level and data management hygiene is above average. The first tactic all businesses should adopt is the 3-2-1 rule. This states that organisations must have at least three copies of their data, store the copies on two different types of media, and keep one backup copy offline or offsite. This approach means there will always be an available and usable backup of the company’s data and systems, even when backups are targeted by attacks – which they often are. That last point regarding offsite or offline backups is critical, as it mitigates the effects of ransomware, and when combined with the right multi-layered security and employee cybersecurity training, will help limit the potential for damage and boost your chances of recovery.
Ransomware is not going away. If organisations automatically defer to paying the ransom knowing they can fall back on insurance, this could prompt more and more bad actors to engage in ransomware attacks, as it becomes a guaranteed payout – not the desired outcome. The right way is to be on the front foot and build your lines of defence and recovery before you’re targeted. Limiting the damage caused and working on getting users and services back online is your end goal.
Comments by: Tim Mackey, Principal Security Strategist, at Synopsys Software Integrity Group
The Colonial Pipeline cyberattack serves as a wakeup call to anyone using software to power their business. Cybercriminals don’t really care how important your business is, only how much money they might extract from you. This trend can be seen with increasing attacks on municipalities, healthcare systems, and elements of critical infrastructure. Each of these organisations will bring in law enforcement, yet attackers continue to be aggressive in their activities. While Colonial Pipeline is a US operation, attacks are global in scope. And despite warnings from officials like the US Treasury Department highlighting how ransomware payments are used to fund future criminal activities, victims are often faced with the difficult decision of whether to pay the ransom.
Avoiding becoming a victim of ransomware requires organisations to have a comprehensive cybersecurity plan in place that fully captures the risks of each software component, its role and lifecycle, and its deployment configuration and usage assumptions. Armed with this basic information, and an exhaustive inventory, it becomes possible to determine how each component might play a role in an attempted ransomware attack. An effort like the one impacting Colonial Pipeline is likely the result of multiple weaknesses in process and cyber-defences that were ultimately successfully exploited. With the age of some industrial software systems far exceeding that of commercial software, it’s likely that older software wasn’t designed to limit exposure to modern threats like ransomware attacks. While the age of the software has limited impact on its serviceability, threat models and defensive protections need to keep pace with new threats – something that can only be done if all weaknesses present in each component are known and accounted for. After all, if a criminal can identify your weaknesses faster than you can, luck is rarely on your side.
Comments by: Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software Technologies
Here’s what we know about Darkside Ransomware: it works in a Ransomware-as-a-Service (RaaS) model, where it leverages a partner program to execute its cyber attacks. This means we know very little on the real threat actor behind the attack on Colonial, who can be anyone of the partners of Darkside.
What we do know is that to take down extensive operations like the Colonial pipeline reveals a sophisticated and well-designed cyber attack. This attack also requires a proper timeframe to allow lateral movement and data exhilaration. The Darkside is known to be part of trend of ransomware attacks that involve systems the cyber community rarely sees involved in the compromised network, like ESXi servers. This leads to suspicious that ICS network (critical infrastructure systems) were involved. The ransomware is known to be deployed in numerous targeted Ransomware attacks including other oil and gas companies (Forbes energy services, Gyrodata).