The US government has issued an emergency waiver after a ransomware attack hit Colonial Pipeline. The attack has caused the company to shut down an unspecified number of IT systems. It has also closed the fuel pipelines that supply the US East Coast. Fuel is no longer flowing from Texas to 18 US states. This has caused fuel prices to start rising just three days into the attack. Many of these states have limited emergency supplies available. That is why the US government has issued this emergency waiver.
The emergency waiver provides: “A temporary hours of service exemption that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products” across several US states. That includes: “Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.”
What happened to Colonial Pipeline?
The DarkSide cybercrime gang gained access to Colonial Pipeline’s systems last week. On Thursday, they began by exfiltrating over 100GB of data. They then launched a ransomware attack that locked machines. How much they have asked Colonial to pay has not yet been made public.
Colonial responded to the attack and shut down its systems on Friday to limit the spread of the attack. That shutdown included all of its main pipelines 1, 2, 3 and 4. Those pipelines supply the Eastern Seaboard of the US from Colonial’s facilities in Houston, Texas. The company claims that this is a purely preventative measure while it investigates the impact of the attack. However, three days on, the main pipelines are still shut down, suggesting this is more serious than at first thought.
The big question is, how did they gain access to the systems? Was it via the main IT systems? That is likely given that they were able to access and exfiltrate data. If the access was through the massive SCADA network that Colonial runs, the access point could be anywhere. That makes solving and fixing the situation much more complicated.
An incident waiting to happen
This is an incident that was waiting to happen, according to John Cusimano, Vice President, aeSolutions. He commented: “In our company’s extensive experience in assessing oil & gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cybersecurity is far behind that of other energy sectors (upstream and downstream O&G and electric utilities).
“A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve, and tank farm along the pipeline. These are very large networks covering extensive distances but they are typically “flat”, from a network segmentation standpoint. This means that once someone gains access to the SCADA network they have access to every device on the network.
“While pipeline SCADA networks are typically separated from the company’s business (IT) networks with firewalls, by design, those firewalls pass some data between the networks. For example, network monitoring software, such as Solarwinds, may be permitted through the firewall in order to monitor the SCADA network. These permitted pathways through the firewall are one way malicious software or hackers can move from the IT network into the SCADA network. This was one of my greatest concerns when I learned of the Solarwinds attack.
“The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline. Some of those facilities are in very remote places with little to no physical security, meaning that if an attacker breached the security of one of those facilities they could gain access to the network. Finally, SCADA networks rely on extensive use of wireless communications (e.g. microwave, satellite, and cellular). Breaching the wireless signals or stealing a cellular modem from a remote site could give an attacker access to the entire SCADA network.”
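To make the segmentation point concrete, the following is an added example (not from the article or from aeSolutions) that models a pipeline SCADA network as the set of connections each asset is permitted to initiate and computes the blast radius of one compromised asset: a device at a remote valve site (the stolen-modem case) and an IT monitoring server allowed through the IT/OT firewall (the permitted-pathway case). The asset names, the OT DMZ collector and both topologies are constructed assumptions for illustration.

```python
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed asset names; a real pipeline has hundreds of such sites.
FIELD_SITES = ["terminal_a", "pump_station_12", "remote_valve_7", "tank_farm_b"]
CONTROL = "scada_control_center"
MONITOR = "it_monitoring_server"          # lives on the business (IT) network


def reachable(flows: Dict[str, Iterable[str]], start: str) -> Set[str]:
    """Every asset reachable from `start` by chaining permitted flows (BFS).
    `flows[a]` lists the assets `a` is allowed to open connections to."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(flows: Dict[str, Iterable[str]], start: str) -> List[str]:
    """Assets an attacker holding `start` can reach over the network, sorted."""
    return sorted(reachable(flows, start) - {start})


def flat_network() -> Dict[str, Set[str]]:
    """The 'flat' case: one SCADA LAN where every OT device can reach every other,
    plus a firewall rule admitting the IT monitoring server into the control center."""
    ot = set(FIELD_SITES) | {CONTROL}
    flows = {dev: ot - {dev} for dev in ot}
    flows[MONITOR] = {CONTROL}
    return flows


def segmented_network() -> Dict[str, Set[str]]:
    """The segmented case: each field site is its own zone and only the control
    center may initiate connections (polling); field devices initiate nothing.
    The monitoring server is terminated at an OT DMZ collector (assumed), not the
    control center, so the IT/OT pathway no longer lands inside the SCADA zone."""
    flows: Dict[str, Set[str]] = {site: set() for site in FIELD_SITES}
    flows[CONTROL] = set(FIELD_SITES)
    flows[MONITOR] = {"ot_dmz_collector"}
    flows["ot_dmz_collector"] = set()
    return flows


if __name__ == "__main__":
    for name, net in (("flat", flat_network()), ("segmented", segmented_network())):
        for start in ("remote_valve_7", MONITOR, CONTROL):
            print(f"{name:9s} compromise of {start}: {blast_radius(net, start)}")
```

Even in the segmented model the control center still reaches every site, which is why it remains the asset whose compromise matters most; segmentation shrinks what a remote site or an IT foothold can reach, not what the control center legitimately needs.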
Enterprise Times: What does this mean?
This is not the first, nor will it be the last, attack against critical infrastructure. Other pipeline companies are likely to have spent the entire weekend scanning their systems for any signs that they are next. Similarly, customers and suppliers of Colonial Pipeline will also have been looking at their systems. The fear is that the attackers have moved laterally through the supply chain to infect other companies.
Colonial has said it won’t pay a ransom. DarkSide is likely to challenge that by pressuring its customers and suppliers. DarkSide is likely to start releasing some of the data it has stolen publicly and then ask those customers and suppliers to pressure Colonial into paying.
There are other pressures on Colonial. The US is starting to see an increase in travel as vaccination rates continue to rise and businesses restart. It is also getting closer to the US holiday season, which also sees an increase in traffic both on the ground and in the air. Prices of fuel are already reportedly up in some states over the weekend. Can Colonial get things restarted before this becomes a bigger threat?