Colonial Pipeline Hack
Colonial Pipeline, the largest pipeline for refined gasoline and jet fuel in the U.S., carries up to 3 million barrels a day between Texas and New York. Hackers broke into Colonial’s computer systems in a malware attack that shut the company down for almost a week. 12,000 gas stations were directly affected, resulting in a spike in gas prices and leaving many customers without fuel.
How the attack was handled, and what caused it in the first place, are enough to give anyone a headache.
First, company executives decided to pay the demanded ransom of $4.4 million in the cryptocurrency Bitcoin. They did this with the knowledge of the FBI, which has been able to retrieve about half of it to date.
At a Senate Homeland Security Committee hearing about the attack, Colonial Pipeline CEO Joseph Blount defended his decision to pay the ransom as the “right thing to do for the country”. But paying a cyber ransom generally goes against the government’s advice. Most would agree that it is best not to pay ransoms, and thus avoid teaching hackers and criminals that such ploys succeed.
The second piece of information that came out of the hearing was about security practices. Blount confirmed to the committee that investigators think the Russia-based DarkSide hackers broke into Colonial’s computer system by logging into an unused VPN (Virtual Private Network) account. That VPN did not require a user to provide secondary identity verification, such as a code texted to a registered mobile number. Two-factor verification is surely de rigueur these days? All of my private online accounts have this feature, and I’m no cyber expert, just an average, cautious consumer.
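The two weaknesses named above, an account nobody was using any more and a login path with no second factor, are exactly what a periodic access review is meant to catch. The script below is an added example written for this page, not code from Colonial Pipeline or from any investigator; the account records, field names and reference date are all constructed for illustration. It flags VPN accounts that lack MFA, that have not logged in within a chosen window, or that have never logged in at all, and ranks them so the riskiest combination (no MFA on a dormant account) surfaces first.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory of VPN accounts (not real data).
# Field names are an assumption; real exports from a VPN appliance
# or identity provider will differ.
SAMPLE_ACCOUNTS = [
    {"user": "alice",         "last_login": "2021-05-01T08:12:00Z", "mfa_enabled": True},
    {"user": "legacy-vendor", "last_login": "2020-11-20T17:45:00Z", "mfa_enabled": False},
    {"user": "bob",           "last_login": "2021-04-28T09:00:00Z", "mfa_enabled": False},
    {"user": "svc-monitor",   "last_login": None,                   "mfa_enabled": True},
]

# Constructed reference date for the review; in practice use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp like 2021-05-01T08:12:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_vpn_accounts(accounts, now, stale_days=90):
    """Return findings for accounts that lack MFA, are stale, or were never used.

    Severity: 'critical' = no MFA on a dormant account (the Colonial pattern),
    'high' = no MFA on an active account, 'medium' = dormant but MFA-protected.
    """
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for acct in accounts:
        issues = []
        if not acct["mfa_enabled"]:
            issues.append("no_mfa")
        last = acct["last_login"]
        if last is None:
            issues.append("never_used")
        elif parse_ts(last) < cutoff:
            issues.append("stale")
        if not issues:
            continue
        dormant = "stale" in issues or "never_used" in issues
        if "no_mfa" in issues and dormant:
            severity = "critical"
        elif "no_mfa" in issues:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": acct["user"], "issues": issues, "severity": severity})
    # Riskiest first, then alphabetically for a stable report.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"]))
    return findings


def run_sample_audit():
    """Run the audit over the constructed sample with the constructed reference date."""
    return audit_vpn_accounts(SAMPLE_ACCOUNTS, REFERENCE_NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['severity']:<8} {f['user']:<15} {', '.join(f['issues'])}")
```

The usual remediation for a "critical" row is to disable the account first and ask questions second; a dormant account that nobody claims is exactly the kind of entry point described in the hearing. The 90-day window is a policy choice, not a rule; tighten it for remote-access systems that face the internet.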
And yet, Senator Portman asked Mr. Blount whether certain cybersecurity requirements could be helpful for critical infrastructure operators.
“Anything that can help industry have better security practices standards to follow would be extremely helpful,” Mr. Blount replied.
Too often government requirements either trump common sense or serve as an excuse for shirking personal responsibility. Of course guidelines, regulations and requirements can be useful and necessary. But since when do companies have to wait for a government requirement before conducting basic cyber security? It is scary to think that Colonial may be representative of other large infrastructure companies that do not have basic security procedures in place, do not use a proactive and adversarial mindset, do not insist on robust testing, and all the rest.
Cyber crime is only going to get worse; we are going to have to get better.
When I conduct site security assessments at public and private-sector facilities, I always ask the IT Director to describe his/her cyber-security plan to me. I get the brushoff and am told, “We have a good plan in place.” They never tell me how or what they are doing and where they may feel vulnerable. They tell the CEOs this hope/lie/half-truth as well. Also, I don’t understand how one attack can shut down an entire server system if there are daily offsite backups in place. In theory, an attack should only compromise one day’s worth of business.