Lessons Learned from the Colonial Pipeline Attack
January 27, 2022 | Robert Bergman
In July of 2021, the ISA published a set of takeaways from the Colonial Pipeline ransomware event. They are still valid today and sync well with the Biden administration Executive Orders that grew out of the attack.
Lesson 1: The importance of system monitoring
Although the publicized attack was on May 7, 2021, the hackers reportedly breached the system on April 29, a week earlier. ISA says that Security Information and Event Management (SIEM) tools, coupled with advanced threat intelligence, detection, and monitoring, can help to recognize anomalous activities.
Lesson 2: The importance of IT governance
In his testimony to the United States Senate, Colonial Pipeline President and CEO Joseph Blount said: “We believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.” The ISA also said that access was reportedly granted by a single userid/password combination, meaning that no multifactor authentication (MFA) was in place.
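As an added illustration of Lessons 1 and 2 (example code written for this page, not taken from the original article, the ISA, or Bedrock), the following Python check runs over constructed VPN login records and flags the two conditions the article describes: a successful login through a profile that has been dormant for a long time, and a successful login that completed without MFA. The log line format, the profile inventory, and the 90-day dormancy threshold are assumptions; a real SIEM rule would follow the VPN vendor's own log schema.

```python
"""Flag VPN logins matching two Colonial Pipeline failure modes:
(1) use of a dormant/legacy VPN profile, (2) authentication without MFA.

Added example; the log format and profile inventory are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: ISO timestamp, key=value pairs).
SAMPLE_LOGS = """\
2021-04-28T09:12:03Z vpn-login user=jdoe profile=corp-vpn mfa=true src=203.0.113.10 result=success
2021-04-29T02:41:17Z vpn-login user=svc-legacy profile=legacy-vpn mfa=false src=198.51.100.7 result=success
2021-04-29T08:00:45Z vpn-login user=asmith profile=corp-vpn mfa=true src=203.0.113.22 result=success
2021-04-29T11:15:00Z vpn-login user=bjones profile=corp-vpn mfa=false src=203.0.113.30 result=success
2021-04-29T11:16:02Z vpn-login user=unknown profile=corp-vpn mfa=true src=203.0.113.31 result=failure
"""

# Constructed inventory: last known legitimate use of each VPN profile.
# A profile unused for more than DORMANT_DAYS is treated as legacy/dormant.
PROFILE_LAST_USED = {
    "corp-vpn": datetime(2021, 4, 27),
    "legacy-vpn": datetime(2020, 6, 15),
}
DORMANT_DAYS = 90  # assumed threshold

LINE_RE = re.compile(r"^(\S+)\s+vpn-login\s+(.*)$")


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict of fields; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log_text: str) -> list[dict]:
    """Return an alert per successful login that used a dormant/unknown profile or skipped MFA."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("result") != "success":
            continue  # only completed logins matter for these two rules
        reasons = []
        last = PROFILE_LAST_USED.get(ev["profile"])
        if last is None:
            reasons.append("unknown-profile")
        elif ev["timestamp"] - last > timedelta(days=DORMANT_DAYS):
            reasons.append("dormant-profile")
        if ev.get("mfa") != "true":
            reasons.append("no-mfa")
        if reasons:
            alerts.append({
                "timestamp": ev["timestamp"],
                "user": ev["user"],
                "profile": ev["profile"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a["timestamp"].isoformat(), a["user"], a["profile"], ",".join(a["reasons"]))
```

Run as-is it reports two alerts: the `legacy-vpn` login (dormant profile and no MFA) and the `corp-vpn` login by `bjones` (no MFA). The failed login is ignored on purpose; the value of this kind of rule is in catching the successful use of a credential that should not work at all, which is the gap the article describes.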
Lesson 3: OT and IT network convergence creates additional risk
Colonial Pipeline shut down its system because it did not know who was attacking, why or how it might affect its OT network, demonstrating the need for complete visibility into OT network operations and integrations.
“As integrations are contemplated, it is essential to build in security … into infrastructure from day one. This planning will create better visibility and understanding of the implications of an attack. A zero-trust architecture is critical – while IT disruptions cause business problems, OT attacks can put lives at risk, either from energy production, storage, or delivery perspective,” the ISA writes.
Lesson 4: Successful breaches carry a variety of costs
Although the FBI recovered about 85 percent of the $4.4 million (USD) ransom that Colonial paid, the threat actors still reaped hundreds of thousands of dollars in extorted funds. Colonial’s Blount said that it will take months and cost the company “tens of millions of dollars” to repair the damage and fully restore all of its business systems.
Lesson 5: A successful breach breeds other hacking efforts
Phishing attacks on other energy sector organizations spiked shortly after the incident. One campaign targeted Microsoft 365 customers. Other attacks claimed to come from DarkSide, the actor in the Colonial Pipeline attack.
What the Federal Government learned
Most of the ISA takeaways are reflected in the two cyber security Executive Directives that the Biden administration issued following the hack. The first, Security Directive 1 (SD1), published on May 12, 2021, requires owners and operators of critical pipelines to:
- Report confirmed and potential cybersecurity incidents to CISA within 12 hours;
- Designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week;
- Review current practices; and,
- Identify any gaps and related remediation measures to address cyber-related risks and report the results to the TSA and CISA within 30 days. (The TSA is involved because they are responsible for anything that involves transporting hazardous materials.)
The second directive, SD2, issued on July 19, 2021, requires pipeline operators to:
- Implement immediate mitigation measures to protect against cyberattacks
- Develop a cybersecurity contingency and recovery plan, and
- Conduct a cybersecurity architecture design review.
While the industry generally accepted SD1, there was resistance to SD2, partially because it included the potential for fines of up to $11,904 per day per violation. Many industry stakeholders feared that they would be required to replace thousands of units of legacy equipment at a time when supply chain shortages were limiting the availability of technology. There was also concern that the administration issued the directives without the traditional process of public hearings. It appears that discussions are still underway as of December 2021.
“Although the industry has encountered implementation challenges, many industry participants are working collaboratively with the TSA to explore potential solutions through, for example, requests for clarification, compliance deadline extensions, and proposals for implementing alternative measures that achieve the same security objectives as the SD2 requirements,” wrote jdsupra.com, a website covering legal affairs.
One thing that could help to address supply chain-related issues, of course, is to buy American.
The OT security challenge
While the Colonial Pipeline incident was more of an IT than an OT threat, both the ISA and the administration recognized the risk that a future attack could reach OT. ISA said it is “essential to build in security and audit into infrastructure from day one,” and that “A zero-trust architecture is critical – while IT disruptions cause business problems, OT attacks can put lives at risk….”
Likewise, the US SD1 order states: “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” SD2 covers OT in its call for “immediate mitigation measures to protect against cyberattacks.”
For more lessons learned from the Colonial Pipeline incident, see Surviving Ransomware.