Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure

The dust is still settling from the latest in a series of highly publicized cyberattacks affecting critical infrastructure in the U.S. Two Fridays ago, Colonial Pipeline – the single largest provider of natural gas across the Eastern U.S. – experienced a ransomware attack and announced that it was shutting down all 5,500 miles of its main pipeline, running from Houston, TX to Linden, NJ.

The news prompted a fearful response from consumers. Because Colonial Pipeline supplies 45% of gas, jet fuel and diesel across the East Coast, prices soared above $3.00 a gallon in some places, and gas stations experienced shortages as customers lined up to buy as much as they could. Since then, the pipeline has resumed operations and the cost of gas has slowly gone back down.

In retrospect, things could have been much worse.

According to Colonial Pipeline, the cyberattack affected its business networks rather than the industrial control systems connected to its delivery infrastructure. And thanks to a reserve supply, wholesalers serving retail customers did not report any shortages before the pipeline resumed operation. Even so, this incident serves as a stark reminder of the cyber war that is unfolding all around us and the risk it poses to national security.

Ransomware Attacks on the Rise

In August of 2020, CISA warned of a rise in cyberattacks against critical infrastructure and advised operators to take immediate action. Since then, its predictions have materialized in at least two major security incidents, including the SolarWinds breach in December and the breach of a Florida water treatment facility in February. According to one source, ransomware attacks rose by 62% in 2020, with ransom demands rising 225%.

Why is this happening? For one thing, bad actors are becoming more sophisticated. According to analysts, the Colonial Pipeline attack was an instance of “ransomware-as-a-service”. DarkSide – the Russia-based hacking group that claimed responsibility for the incident – provides its code to lower-level hackers and helps with execution in exchange for a cut of the profits.

But more importantly, organizations are not applying CISA’s recommendations until it is too late. They aren’t taking inventory of their assets, implementing a robust cybersecurity plan or enforcing access rules that would prevent a majority of attacks from succeeding.

Right-of-Breach Mentality

While the cause of the Colonial Pipeline attack has not yet been disclosed, recent high-profile security breaches have stemmed from notoriously bad cybersecurity practices. For instance, a SolarWinds update server was protected by a weak password (Solarwinds123); meanwhile, the Florida water facility lacked any user authentication mechanism to prevent unauthorized remote access.

But this does not prove that organizations are incapable of better cybersecurity practices. According to a study from Ponemon Institute, companies that experience a security breach are 26% less likely to experience another breach in the future. This research proves what we already know: organizations react “right of breach,” waiting for the worst to happen before they act to prevent it.

Until then, they cut corners on regulations in dozens of tiny ways that add up to a weak overall cybersecurity posture, from skipping two-factor authentication to creating loopholes in their own remote access rules. Many assume they are too big and sophisticated to fail; others assume they are too small to appear on an attacker’s radar. Both are mistaken.

Nobody is Safe

In 2020, 1,600 security breaches were reported to the North Carolina Department of Justice, and most of them were not large enough to make any headlines. During the SolarWinds attack, over 18,000 organizations were infiltrated, including 425 companies on the Fortune 500 list. Victims ranged from federal, state and local governments to critical infrastructure entities and small businesses.

Today, there is a bad actor for every organization, and all are looking for a niche. Some are motivated by geopolitics, and some are in it for the money. Others are simply agents of chaos looking for any opportunity to cause destruction. At the end of the day, every organization will eventually fall victim to a cyberattack: it is not a matter of “if,” but “when.”

These organizations should take the threat of a breach seriously for the good of their customers, shareholders and employees. Federal contractors and critical infrastructure entities have an additional burden: they must do it to protect national security and the American way of life.

Preparing for Ransomware Attacks: CISA’s Advice

Following the Colonial Pipeline breach, CISA has once again issued a warning to critical infrastructure operators in publication AA21-131A, titled: ‘Best Practices for Preventing Business Disruption from Ransomware Attacks’. In the following paragraphs, we summarize the most important recommendations:

Reducing the Risk of a Breach

Organizations can reduce the likelihood of a successful ransomware attack by applying security controls that protect against common attack vectors.

  • Prepare for phishing attacks – phishing and spearphishing are among the most common methods of hacker reconnaissance. Train your employees to recognize and avoid phishing emails through simulated attacks; enable strong spam filters to prevent phishing emails from reaching them.
  • Protect against bad connections – block traffic from known bad IP addresses, and protect against malicious entry attempts by restricting remote desktop protocol (RDP) access. Additionally, block traffic from Tor exit nodes and other anonymization services.
  • Prevent unauthorized execution – prevent unauthorized programs from running on organization computers by disabling macro scripts in Microsoft Office documents and similar file types; use allowlisting so only trusted apps and dependencies can operate.

Protecting Business Functions

Should a ransomware attack occur, the following protections and redundancies will ensure that critical business functions can continue.

  • Segment IT/OT networks – regulate communication between operational technology (OT) and information technology (IT); minimize network connectivity to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.
  • Prepare for manual control – ensure you can switch to manual operation if necessary. Identify IT dependencies that can be disabled in the event of a cyberattack; conduct exercises to test manual controls on a regular basis.
  • Conduct regular backups – regularly back up system data and store it separately from the rest of your network. Create backup images of critical systems so they can be rebuilt from scratch if necessary.

Worst Case Scenario

If the worst should come to pass, have an emergency plan to protect the rest of your organization and mitigate damage from attackers.

  • Isolate infected systems – immediately identify infected devices, power them down and remove them from your network.
  • Disable devices – power off and segregate unaffected systems that are on the same network as infected devices. Do not allow them to communicate.
  • Secure your backups – your backups are your last line of defense. Make sure they are offline and secure; scan them to ensure they have not been compromised by attackers.

In the hours after a data breach is discovered, an organization’s actions are critical. For more preparation and emergency response strategy, see our blog post: How to Survive a Data Breach: 14 Disaster Response Tips.

Harden Your Organization

While it appears that Colonial Pipeline made several mistakes leading up to the recent ransomware attack, the company did one thing right: it reacted quickly by taking critical systems offline and partnering with a third-party firm to investigate the incident and prevent future attacks.

Moving forward, critical infrastructure operators cannot afford to ignore the threat of ransomware. As cyber-actors advance, your organization is a target. With years of ICS expertise trusted by the U.S. security community – including DoD, DHS and U.S. Cyber Command – Securicon can harden you against today’s risks and prepare you for tomorrow’s threats. Contact us to learn more.