Call
Ask an Expert
Tel: +1-281-673-2800
Find an Office
Email
Email Us
Company News

Cyber Risk Management Advisory: Analysis and Recommendations Following the Colonial Pipeline Shutdown

June 3, 2021

The Colonial Pipeline shutdown has significantly impacted enterprise functions, critical infrastructure and industrial operations, forcing substantial parts of the pipeline to shut down for several days.

This cyber attack has far-reaching implications not only in the oil and gas market but across several industries, including power, energy, maritime, offshore and manufacturing. This strategic attack is an example of how cyber criminals can swiftly disable operations and effectively impact businesses, the public and the Nation’s economy.

Cyber threat actors are shifting from the Information Technology (IT) networks that run business systems to the Operational Technology (OT) networks that control industrial operations.

From The Knowledge Center
Cybersecurity 101: Lessons Learned from the Colonial Pipeline Cyber Attack

Colonial Pipeline Shutdown: Rapid Updates

6/1/21

  • The Transportation Security Administration (TSA) announced a new policy which requires pipeline operators to report cyber attacks to the federal government within 12 hours
  • The White House released a memo to corporate executives and business leaders urging them to take immediate steps to protect against ransomware risks
  • The U.S. Department of Justice announced they will give ransomware attack investigations the same priority as terrorism

5/20/21

  • Joseph Blount, the CEO of Colonial Pipeline, acknowledged publicly that the company paid the ransom to DarkSide.
  • The ransom payment of $4.4 million was authorized because executives were unsure how badly the cyber attack had breached its systems.
  • The pipeline was shut down for a total six days.
  • The stoppage spurred a shortage of gasoline along parts of the East Coast, pushing prices to the highest levels in more than 6 years

5/14/21

  • Colonial Pipeline paid DarkSide nearly $5 million in ransom.
  • Once DarkSide received the payment, the hackers provided a decrypting tool to restore Colonial Pipeline's disabled computer network.
  • Although the Colonial Pipeline system is getting back online, analysts say the current gas shortage could last 'weeks'.

5/12/21

  • President Biden signed an executive order to improve cybersecurity.
  • As stated in President Biden’s Executive Order, “The private sector must adapt to the continuously changing threat environment.”

5/10/21

  • The Federal Bureau of Investigation (FBI) and third-party cybersecurity firms are being consulted to assist in the ongoing investigation, response and recovery.
  • Additional federal organizations including the Department of Energy (DOE) and the Cybersecurity and Infrastructure Security Agency (CISA) are currently involved.
  • CISA has named pipeline infrastructure as one of 55 National Critical Functions (NCF). According to their online post "National Critical Functions" cyber attacks can cause a "debilitating impact on security, national economic security [and] national public safety."
  • The government released Indicators of Compromise (IOC), some of which are related to this attack. These malicious lines of code should be scanned in networks.

5/7/21

  • In response to a ransomware cyber attack, Colonial Pipeline, a major oil provider for the Eastern and Southern U.S., temporarily took select IT systems offline and halted all pipeline operations.
  • The regulation on the transportation of oil via motor carriers is temporarily abated to assist with the delivery of oil.
  • The suspected attacker is an organization called DarkSide
  • Impacts from this event may affect oil prices, manufacturing, transportation and more.

About the Attacker, DarkSide

All information is nonexclusive, as specific details about DarkSide, the attacker, are still under investigation.

  • The FBI has been investigating DarkSide since October 2020.
  • DarkSide has previously targeted a variety of industries, including manufacturing, energy and insurance.
  • In a previous statement, DarkSide said, "Our goal is to make money, and not create problems for society."
  • DarkSide develops ransomware as a service (RaaS) and sells its ability to create ransomware or conduct ransomware attacks to whoever is willing to pay.
  • DarkSide employs "Double Extortion" and will both exfiltrate data and threaten to release it or deploy software that will encrypt data, making it unusable.
  • DarkSide typically uses cryptocurrency to collect ransoms, with a preference toward Monero.

Mitigation for Your Organization

The cyber attack on Colonial Pipeline emphasizes the need for visibility and control. Knowing how to manage your organization’s unique cyber risk requires expertise in industrial cybersecurity and in-depth knowledge of how your operational networks and systems work. CISA and the FBI recommend several mitigation strategies, including:

  • Boundary Protections - Manage what goes in and out of IT and OT networks. 
  • Access Control - Limit/control the movement within IT and OT networks.
  • Segmentation - Manage the people and devices that can access networks. 
  • Monitoring - Detect and confirm potential intrusions. 
  • Policy Management - Customize policies based on network needs.  
  • Asset Management - Inventory and management of critical cyber assets. 
  • Backup Management - Confirm up-to-date copies of network data. 
  • Configuration Management - Detect changes made to industrial control devices, including Programmable Logic Controllers (PLC) and log information through Management of Change (MOC) documentation.

Knowing how to manage your organization's unique cyber risk requires expertise in industrial cybersecurity and in-depth knowledge of how your operational networks and systems work.

It is crucial to have a strong cyber program that defends industrial operations against cyber attacks and monitors assets at all times. ABS Group provides one of the markets' only 24/7/365 Remote Monitoring and Managed Services specifically designed to protect OT Networks. We are OEM agnostic, OT-specialized and price competitive, with one solution that covers the entire digital ecosystem.

In the News: Ongoing Reports and Updates

Colonial Pipeline Missed Requested Security Review Before Hack

Last year, Colonial Pipeline did not undergo a requested federal security review of its facilities and was in the process of scheduling a separate audit of its computer networks when the hacker hit. It is unclear if an assessment by the TSA would have uncovered the digital weak points exploited.

Read the Full News Story from The Wall Street Journal

DHS Issues Pipeline Cybersecurity Directive but Industry Championing FERC Mandatory Standards

Owners and operators of the 100 most “critical” hazardous liquid and natural gas pipelines, and liquefied natural gas (LNG) facilities will need to act within the next 30 days to align with federal cybersecurity guidance under new mandates issued by the TSA.

Read the Full News Story from Power Magazine

The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-promoting Cybersecurity Firms

On January 11, antivirus company Bitdefender announced they found a flaw in the ransomware DarkSide was using to freeze computer networks. The publication of the tool alerted DarkSide and the next day they declared the problem had been resolved.

Read the Full News Story from MIT Technology Review

News: Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom

Joseph Blount, CEO of Colonial Pipeline, publicly acknowledged that the company paid the ransom. He stated, “I know that’s a highly controversial decision… But it was the right thing to do for the country.”

Read the Full News Story from The Wall Street Journal

News: Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

Although previous reports stated that Colonial Pipeline would not pay an extortion fee, the company has paid nearly $5 million to DarkSide in cryptocurrency. U.S. government officials are aware of the payment but have not provided further comment regarding the transaction.

Read the Full News Story from Bloomberg

Media Statement: Colonial Pipeline System Disruption

Colonial Pipeline has officially initiated the restart of its pipeline operations. In this press release, they outline what the process for the product delivery supply chain will look like as they strive to return operations to normal.

Read the Full Media Statement from Colonial Pipeline

2-Minute Listen: Biden Signs Executive Order On Cybersecurity In Wake Of Pipeline Hack

President Biden has signed an executive order to improve cybersecurity. As cyber attacks on private U.S. companies continue, the rippling effect inevitably impacts the government and the country. Biden’s plan calls for specific steps to be taken before, during and after an attack.

Listen to the Full Conversation from NPR

News: Colonial Pipeline Hack Highlights Grid Disruption Risks Even with IT-focused Cyber Attack, Analysts Say

This event highlights just how difficult it can be to protect your grid from disruption. Even when the primary cyber attack is targeting IT, the impact will likely affect your vulnerable OT.

Read the Full News Story from Utility Dive

News: A Closer Look at the DarkSide Ransomware Gang

The cyber criminals known as DarkSide successfully caused Colonial Pipeline to shut down over 5,550 miles of pipe—but what are their motives behind the attack? The ongoing investigation is diving into the group's demands and overall history.

Read the Full News Story from Krebson Security

Cybersecurity Resources

Podcast: The Casualties of Cyber War: Exploring the Colonial Pipeline Shutdown

If a cyber attack can take down an entire pipeline, what's next? As news from the recent attack on Colonial Pipeline continues to develop, private and public companies, the U.S. government and the nation continue to question the dangerous implications behind our critical infrastructure lacking the proper cybersecurity. 

Listen to the Full Risk Matters X.0 Podcast Episode.

Podcast: Cyber in the Supply Chain – When Things Go Wrong

Cyber incidents go from 0 to 100 in the blink of an eye. With nearly half of the East Coast's fuel supply disrupted, the conversation of protecting critical infrastructure is at the forefront of The White House Administration. Join our discussion as we talk about preceding real-life OT cyber incidents that have gone wrong.

Listen to the Full Risk Matters X.0 Podcast Episode.

Cybersecurity 101: Lessons Learned from the Colonial Pipeline Cyber Attack

The recent cyber attack on Colonial Pipeline underscores the importance of having a strong industrial cyber program that provides visibility and control over your critical infrastructure. In this webinar, we'll discuss the essential lessons learned from this historic incident and the strategies you can use to defend your Operational Technology (OT) and Industrial Control Systems (ICS).

View Webinar On-Demand

Webinar: OT Cybersecurity – How to Evolve Faster Than Cyber Criminals

Does your in-house cybersecurity team have the bandwidth, experience and equipment to protect your organization against fast-paced cyber criminals? In this webinar, we’ll discuss what your organization needs to know about cybersecurity, how you can gain visibility and control over your OT and Industrial Control Systems (ICS) and the benefit of working with a managed service provider (MSP).

View Webinar On-Demand

Cyber Support: Industrial Cybersecurity – Take Control of IT and OT Risks

We work with maritime, offshore, industrial and government clients to understand their unique operational technology (OT) risks and help them build cybersecurity solutions to reduce the likelihood of an attack. From the earliest concept and design phases to integrating a program into existing operations, we'll help your organization develop and implement the controls you need to manage cyber risk.

Learn How You Can Increase Visibility and Control for OT Assets.

About ABS Group

ABS Group of Companies, Inc. (www.abs-group.com), through its operating subsidiaries, provides technical advisory and certification services to support the safety and reliability of high-performance assets and operations in the oil, gas and chemical, power generation, marine, offshore and government sectors, among others. Headquartered in Houston, Texas, ABS Group operates with more than 1,000 professionals globally. ABS Group is a subsidiary of ABS (www.eagle.org), a leading marine and offshore classification society.

Back to top