Colonial Pipeline remains offline after ransomware attack

Colonial Pipeline, which operates the biggest gasoline conduit to the East Coast, said it has no estimate on when it could restart the 5,500-mile pipeline that it shut Friday after a cyberattack. The pipeline carries 2.5 million barrels a day to the East Coast, or 45% of the region's supply of diesel, gasoline and jet fuel.

The company took systems offline to contain the threat, temporarily halting all pipeline operations and affecting some IT systems. In a statement, the company said the Colonial Pipeline operations team is developing a system restart plan, and while its mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational.

“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company stated. “At this time, our primary focus continues to be the safe and efficient restoration of service to our pipeline system, while minimizing disruption to our customers and all those who rely on Colonial Pipeline.”

The White House declared a state of emergency in 17 eastern states in the U.S. in response to the shutdown of the Colonial Pipeline. The 17 states affected are: Alabama, Arkansas, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia. According to Bloomberg, the White House also created an interagency task force to address the breach, including exploring options for mitigating the impact on the energy supply.

Marty Edwards, the longest-serving director of ICS-CERT and VP of OT security at Tenable, explains that cyberattacks are a real and present danger to critical infrastructure around the world and, by extension, to every single consumer. “If reports are accurate, the Colonial Pipeline incident has all of the markings of a possible ransomware attack that began in the IT environment and, out of precaution, forced the operator to shut down operations.”

“Ransomware has been a favored attack vector of cybercriminals because of its effectiveness and return-on-investment,” Edwards adds. “That’s precisely why bad actors have recently set their sights on critical infrastructure. Shutting down operational technology (OT) environments can cost hundreds of millions of dollars which forces providers to outweigh the costs. We should not underestimate these groups. Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world. While it’s unknown how this attack played out, it’s yet another reminder of the increasing threats to critical infrastructure we all rely on.”

Current reports suggest the DarkSide group is behind the attack. The group is relatively new, and evidence suggests DarkSide may be linked to Russia or somewhere in Eastern Europe, Bloomberg reports.

Mike Hamilton, former CISO of Seattle and CISO of government cybersecurity firm CI Security, says, “Current reporting suggests that this is a group that is new, but composed of experienced members. The ransomware itself is not that novel – there is a good technical explanation here: http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/.”

Hamilton adds, “What seems to set this group apart is the research they conduct before compromising a victim – so they know the reporting structure, who in the organization makes decisions and who handles finances. If that is true, it is unlikely that this event is an artifact of the ‘spray and pray’ type of attack and was highly targeted. That diminishes the theory that this gang is just the ‘dog that caught the car’, as this was an entirely intentional act. Assuming that, it is also unlikely that this occurred without the knowledge, and perhaps support, of government entities within the country of origin. Rather than a miscalculation resulting in unwanted scrutiny by the federal government, the perception created is that we’re being tested. Will the US Government treat this as just another criminal act, clean up and move on? Or will this generate the urgency necessary to finally connect the acts of hostile governments and their criminal communities?”

An opportunity is coming to do just that, Hamilton says. “Coming soon and likely this week, the Biden administration is expected to issue an executive order intended to improve the security of federal and private systems in response to the Solarwinds and Exchange attacks by Russia and China, respectively. This new attack against US energy infrastructure may spur an expansion of the EO from a focus on additional preventive measures to include specific language on actions the US Government will take when critical infrastructure is attacked, potentially treating it as terrorism. That in itself is the slippery slope. A retaliation can cause escalation into points unknown. The administration will need to carefully weigh the benefit of a punitive action with the likelihood of escalation, but this cannot go unanswered.”

Source: https://www.securitymagazine.com/articles/95167-colonial-pipeline-remains-offline-after-ransomware-attack
