STRATEGIC ASSESSMENT. A ransomware attack believed to perpetrated by a criminal organization using Darkside ransomware as a service struck the Colonial Pipeline, which is the largest fuel pipeline operator in the United States. It supplies 45% of all of the fuel used on the East Coast, from Florida to New York, to include gasoline, diesel, and jet fuel to customers ranging from gas stations to the U.S. military. This cyberattack on Colonial Pipeline is both an immediate concern and a harbinger of what to expect in the near future — relentless and sophisticated cyber threats posed to vulnerable infrastructure across the country. Colonial Pipeline shut down operations over the weekend when its systems were attacked, and the company’s main operations remained shuttered early into the week. There are widespread concerns about how critical infrastructure like energy pipelines remain attractive targets for highly capable non-state actors, including criminal hacking groups and terrorists.
Ransomware involves encryption of information and data important to the targeted company. In addition, attackers may steal the data for further profit. The information sought by hackers can also be embarrassing in terms of public relations and reputational damage, but in other cases, it could also be crucial to operations. For example, in the United States, the city of Atlanta, Georgia had its entire emergency (“911”) system crippled by hackers who demanded payment to decrypt the information or files. Other cities, including Baltimore and Greenville, have also been victims of ransomware attacks. The most recent attack against Colonial Pipeline seemed to be an escalation of ransomware tactics. The alleged criminal perpetrator has grown increasingly brazen over the past several months. The organization is believed to operate out of Russia or Eastern Europe, but ties to the governments of specific countries remain murky and difficult to prove. Following the attack, the criminals released a statement claiming to be “apolitical” and only interested in profit, not politics.
The Colonial Pipeline attack is one of the largest ransomware attacks of its kind, but it certainly will not be the last. Indeed, attacks may spur follow-on attacks, especially once other criminal groups realize exactly how vulnerable certain critical infrastructure might be to ransomware. Due to the difficulty of attribution, to say nothing of apprehension and prosecution, criminals view these attacks as low risk and high reward. In this case, it appears Colonial Pipeline paid the perpetrators approximately $5 million in cryptocurrency, which will likely invite further ransomware attacks from other actors aimed at critical infrastructure. Counterterrorism experts at the United Nations Counter-Terrorism Executive Directorate (CTED) have highlighted the threat posed by terrorists to critical infrastructure for several years. They have worked with practitioners and experts to produce a public compendium of good practices and recommendations for the protection of critical infrastructure. A similar compendium focused on the protection of vulnerable – “soft” – targets is forthcoming this year.
Adequate cyber defense requires technical capabilities as well as raising awareness of social engineering attacks — such as clicking on suspicious emails that are becoming more sophisticated and seemingly authentic. Even the wealthiest firms and organizations struggle, mostly due to a lack of training. The SolarWinds hack, the impact of which is still being determined, was enabled by negligent cybersecurity — the password for administrator privileges was “SolarWinds123.” Even the best technical defenses are unable to overcome such glaring ineptitude. The post-SolarWinds review by the U.S. federal government will require an overhaul that calls for new standards for security and, importantly, would impose significant penalties for failing to maintain these standards. Penalties could include banning cyber products by these firms from the enormous federal market.
Attacks such as the Colonial Pipeline attack once again call into question the definition of critical infrastructure. At one point, when society was less interconnected digitally, the risk and impact of cyberattacks were less expansive. In 2021, nearly every aspect of modern life is connected to computer systems, many of which offer various entry points for criminals and hackers. Given the very nature of networks, crippling one part can lead to cascading effects further downstream. Disruption of sales from a point-of-sale register/terminal attack can reverberate throughout a company. Emergency or “911” call centers for an entire city can be disrupted when attackers gain unauthorized access as the result of phishing attacks. Nearly half of the fuel supply for the eastern seaboard of the entire United States was shut down as the result of this cyberattack. The Biden administration recently signed an emergency Executive Order that will require federal agencies to adopt a number of enhanced security measures, to include two factor authentication (2FA), end-to-end encryption, and a “zero trust” approach to dealing with vendors. Several of these points reinforce existing recommendations from the National Institute of Standards and Technology (NIST) for federal agencies’ cybersecurity; nonetheless, these measures are belated, but necessary. After September 11, 2001, the United States recognized the danger posed by transnational terrorism and responded accordingly. While cyberattacks are not kinetic, they can still be crippling, with potential physical security implications, and should be treated as a top tier threat (TSC).