Colonial Pipeline attack: two year anniversary
Published by Sara Simper, Editorial Assistant, World Pipelines
In the early hours of 7 May 2021, a Colonial Pipeline worker discovered a ransom note inside the company’s IT systems. Threat actors linked to the DarkSide ransomware organisation had gained access to an outdated VPN account. What followed was one of the most consequential cyberattacks on US energy infrastructure to date, on the largest refined products pipeline in the country.
The security compromise, leveraged to encrypt data on the company’s systems, left Colonial’s massive operational technology (OT) network, including a 5500 mile pipeline responsible for transporting more than 2.5 million bpd, at risk of remote takeover.
According to reports, the hackers gained access to the network and stole approximately 100 gigabytes of data. In a ransomware attack of this kind, the victim must pay a fee set by the attacker to regain access to its encrypted systems, and there is usually an accompanying threat to publish the stolen data unless payment is made.
Colonial Pipeline was forced to suspend all operations and temporarily halted all 5500 miles of pipeline operations in an abundance of caution to contain the threat, impacting businesses and millions of people on the east coast of the US; small business owners to commercial truckers faced lines at gas pumps not seen in the country since the 1970s. Gas prices increased, consumers began to panic buy and numerous fuel stations closed as Colonial, the largest US refined oil supplier, held private negotiations to regain access to its digital systems. Shortly after the attack, the FBI confirmed that DarkSide ransomware was behind the compromise.
How did this happen?
Ahead of this incident, cybersecurity regulations of oil and gas pipelines were mostly voluntary, whereby owners and operators chose whether to follow the best practice recommendations voiced by the Transportation Security Administration (TSA). Pipeline security had been a persistent concern for some years, but was not sufficiently addressed by existing government oversight.
A 2019 threat assessment from the Office of the Director of National Intelligence, for example, identified China as having the ability to disrupt natural gas pipelines for up to several weeks. In July 2021, a joint CISA and FBI advisory cited a Chinese spear-phishing and intrusion campaign from 2011 to 2013 that resulted in 13 confirmed compromises of natural gas operators.
The aftermath
In May 2021, immediately following the attack, the TSA issued a directive instructing pipeline operators to report any potential cyberattacks to CISA and to have an onsite cybersecurity coordinator in place. In July 2021, a second directive required pipeline operators to mitigate vulnerabilities, increase resilience and develop contingency plans.
One year on from the attack, in May 2022, the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) announced plans to impose up to US$1 million in penalties against Colonial Pipeline related to multiple control room violations.
In May 2022, PHMSA officials told Cybersecurity Dive in an email that the violations listed for Colonial Pipeline were “not exclusive to one operator”, and that while the agency continues to respond to noncompliance issues, it also “conducts outreach to increase awareness and help the pipeline industry prepare for and safely respond to any future cyberattacks.”
In 2023
Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) unveiled the Ransomware Vulnerability Warning Pilot (RVWP) programme to help ensure critical infrastructure organisations can protect their systems from ransomware attacks. The RVWP pilot aims to keep agencies up to date on possible attack targets so their security teams can act accordingly.
In 2023, two years on from the Colonial Pipeline attack, critical infrastructure is still at risk. In April, a Canadian gas pipeline suffered a security incident that could have caused an explosion at the company’s gas site, according to a New York Times story that cited leaked US intelligence documents. The attackers, from pro-Russia hacking group Zarya, were communicating with Russia’s Federal Security Service (FSB), the primary successor to the KGB, about the incident’s potential for physical damage, according to the leaked documents.
In response to this continued threat, Duncan Greatwood, CEO of software company Xage Security, has made the following comment:
What does it take to embrace zero trust strategies? A ransomware attack, shutting down the Colonial Pipeline and driving panic with gas shortages? A 21-year-old leaking classified documents and exposing state secrets? We shouldn’t need warning shots this severe.
Attacks on critical infrastructure have continued to dramatically increase post-Colonial Pipeline. Adversaries are targeting industrial systems. Company reputations and revenue (and more than that, sometimes lives) are at stake. In response, government-issued security mandates are more frequent and more specific.
Against this backdrop, there’s been significant technological innovation to support zero trust adoption in critical infrastructure. Notably, solutions exist to block attacks (rather than just detect them), even in the event of partial compromise. Word is spreading that organisations can prioritise security measures that meet the needs of real-world operations.
With all the challenges of real-world operations, it’s important to highlight the growing number of practical success stories. For example, Kinder Morgan – one of the largest North American energy infrastructure companies – has successfully embraced new technologies to cyber-harden and comply with regulatory mandates. Transformation is happening among major, established, and traditional critical infrastructure players, and the challenges, once seen as ‘massive hurdles’, that impede cyber-hardening are now being overcome.
My hope is that in another two years, looking back on this anniversary, zero trust will be table stakes for critical infrastructure protection, an approach baked into all security postures. It’s unfortunate that an attack like Colonial Pipeline needed to take place to drive change, but I hope that it continues to be a catalyst.
World Pipelines’ May 2023 issue
The May 2023 issue of World Pipelines includes a special section on safety and risk management. In this feature, Trevor Dearing, Director of Critical Infrastructure Solutions, Illumio, UK, advises how pipeline operators can stay ahead of mounting cyber threats.
Read the article online at: https://www.worldpipelines.com/special-reports/07052023/colonial-pipeline-attack-2-year-anniversary/