Three weeks ago, the shutdown of operations of Colonial Pipeline captured the attention of the security community, government and consumers that suddenly couldn’t fill their gas tanks. Interestingly, interpretation of the incident – and the significance of the incident – varied.
Some saw this as a typical ransomware attack, albeit on a vulnerable target. Others saw this as reflective of weaknesses in the security posture of the nation’s critical infrastructure. And others felt the incident showcased inadequacies in the existing framework for public-private partnership.
So what was the long-term impact of this specific attack? Here we offer a rundown of some notable characteristics and outcomes of Colonial Pipeline, based upon interviews and our past reporting.
No, this was not an infection of the operational technology for Colonial Pipeline… but a shutdown resulted nonetheless.
When a critical infrastructure organization shuts down operations, as Colonial Pipeline did, the instinct for any security professional is to first question whether OT was compromised. We learned early on that it was not in this case. Sergio Caltagirone, vice president of threat intel at industrial security company Dragos called the situation “an OT impact or an OT outage, caused by an IT activity.” That distinction is important for identifying risk. While the Oldsmar, Florida hack, for example, shined a light on risks associated with remote access to industrial control systems, Colonial Pipeline exposed IT system vulnerabilities that could exist in any sector.
"Now, when it comes to people getting gas at a gas station, they could not care less" about the distinction if the pumps are empty, Caltagirone said. "So we have to be a little pragmatic also when it comes to drawing boundaries... as digital transformation takes over OT, OT and IT get closer together." When it comes down to it, "OT is a production element. Production requires business operations."
And this is what makes cyberattacks against critical infrastructure distinct, whether OT systems are impacted or not: the nature of the services that these organizations provide can often make the ramifications far-reaching. That then begs the question of government's role.
"If states are relying on them as critical infrastructure, well, maybe the states now hold the liability of paying ransom when this happens," Caltagirone said. "It’s an interesting world because in [industrial control systems], those who are holding the risk are not the ones who are managing the risk. The pipeline is managing the risk, but the states are the ones holding the risk. Their citizens are the ones that can't get the gas if the pipeline doesn't work. They need to come together somehow. And that is a regulatory nightmare."
Nightmare or not, regulations have emerged. The Transportation Security Administration, tasked with overseeing the security of oil and natural gas pipelines, put in place new pipeline cybersecurity requirements this week, the first mandatory cybersecurity practices for pipelines.
That fallout leaves some questioning whether the response from Colonial Pipeline was a cure that may have been worse than the disease.
As noted by Caltagirone, Colonial Pipeline became a matter of national interest largely when it impacted people's ability to get gas – and gas stations' ability to operate. That left some questioning the preemptive decision for the pipeline to shut down operations.
"We do a lot of work with pipeline companies on incident response planning and talking through different scenarios – and the decision to shut down an entire pipeline obviously is one that doesn’t get made lightly. So there had to be significant concern. It would have had to be an executive decision to shut down the entire pipeline," said John Cusimano, vice president at aeCyberSolutions, in the days after the Colonial Pipeline shutdown. At the very least, he added, the decision would imply that “their operations are so tightly coupled that they didn’t feel that they could safely operate.”
And while it turned out the ransomware did not leak from the IT systems to the industrial control systems and create a dangerous situation, the pipeline still needed its IT systems functional in order to manage an extremely complex logistical framework. "You literally cannot continue operations of a manufacturing plant or a pipeline if you don't have the continuity of business to manage" the logistics, Caltagirone said. "So this was a failure of business operations, but it shows the fragility of certain industrial operations like manufacturing."
The scenario is not all that different from the impact of the NotPetya attack against Norsk Hydro. NotPetya did not target the systems that support the company's steel manufacturing capability, Caltagirone noted. Rather, the attack prevented the company from knowing with any certainty when they were going to have supplies, or from scheduling shipments.
For real-time operations, "you're limited literally by physics, the amount of stuff you can keep around," he said.
The specific operational challenge that spurred Colonial Pipeline to shut down operations was reportedly billing: the inability to get paid. While in theory returning to manual processes would seem a less dramatic response, experts say that's oversimplifying the complexity and legal liability considerations that come with a payroll system for a large company – particularly one that deals with an extensive supply chain.
The threat of ransomware hit home with Colonial Pipeline, potentially forcing a more holistic response.
The cybersecurity community is well aware of the growing and evolving threat of ransomware, but Colonial Pipeline extended that awareness to the general public and forced government agencies to acknowledge that the ramifications go beyond financial. Ultimately that could translate to a more concentrated focus and a greater sense of urgency.
Indeed, during a panel moderated by SC Media, two government officials, one with the FBI and one with the Department of Justice, pointed to the Colonial Pipeline when asked to choose the most significant cyber event to occur in the last year. Sean Newell, deputy chief for the Counterintelligence and Export Control Section at the Department of Justice, called it a rare instance of a long-simmering issue breaking through to become the subject of mainstream American discourse virtually overnight.
"When that happened, I was like, 'This is very high profile. Everyday Americans are going to be able to see the effects of ransomware, not just the businessperson who might be impacted,'" said Newell. Even within government, since Colonial Pipeline, "you do see the president take the podium to discuss it from an interagency perspective. It's taking the conversation out of various independent agencies and departments within government and into that whole of government conversation."
Colonial Pipeline also heightened discussion about the influence of ransomware attacks on cyber insurance. Even before the incident, some insurers dropped coverage for ransomware payments, while others began to ratchet up cybersecurity standards for coverage in an effort to prevent an attack. And some predict that the interests of insurers could push for payment in an effort to stop the bleeding.
"The insured enterprise may not want to pay ransom, it may not like publicity of paying ransom, it may not like the politics or the morality of paying the ransom, but the insurance company may have a little different priority and that can come as a surprise to the entire enterprise," said Benjamin Wright, an attorney who teaches data security and investigations law at the SANS Institute, speaking at the RSA Conference.
Even the Government Accountability Office, a federal watchdog agency, is beginning to dig into ramifications, noting in a May 20 report that mounting financial losses from years of payouts to ransomware actors in the wake of a data breach may be taking their toll on insurers' pocketbooks, leading them to reevaluate their coverage models. As they put it, "insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors."