Colonial Pipeline Attack Offers Best Practices for Oil & Gas Industry

Despite the increase in massive cyber breaches since SolarWinds, insufficient security practices prevail. The recent Colonial Pipeline breach confirms that cybersecurity is no longer as easy as anti-virus protection software.

The series of cyber attacks seen in the last six months illustrate the constant, and ever-evolving security risks organizations currently face. Regardless of their size, brand awareness, or data storage/cloud strategy, businesses must operate knowing that a breach is no longer a matter of If but When. In fact, given the rapid advancements in the technology of attackers, the safest companies will be those that operate as if a breach could occur at any moment. 

The rampant risk organizations face is no surprise, especially given the hastened move to remote work last year. In fact, most hackers penetrate businesses through Microsoft 365 email accounts, one of the most popular email servers, and one whose use skyrocketed during the pandemic. 

The Colonial Pipeline Breach

Keeping up with the constant news of attacks is near impossible, but the breach announced recently regarding Colonial Pipeline is being tagged as one of the largest in history. The oil pipeline company, based in Houston but distributing energy across the U.S., was targeted by the group Darkside. The attack effectively disrupted energy distribution to various states, leading to oil shortages in the east coast, and eventually resulted in a paid $4.3 million ransom. 

What is perhaps most deserving of attention in the incident is not what happened, but what could have happened. DarkSide was able to penetrate the information technology (IT) and Operational Technology (OT) of Colonial’s network. This access enabled them control of the oil pipelines, referred to as SCADA (Supervisory Control and Data Acquisition). The SCADA environment manages the flow of the pipelines and determines the pressure pushing fluid through the pipes.  In accidental situations, changes to SCADA have led to explosions and caused injuries and death. Through control of the SCADA, a malicious actor could certainly have impacted U.S. citizens far beyond their pockets. 

Who's Really at Risk? 

COMMON MISCONCEPTION

“We don’t manage 45% of the United States' oil distribution, why should we care?”  

Smaller organizations often cite the massive scale of companies like Colonial Pipeline as a reason they themselves don’t need to worry. In light of the breach, SMB energy organizations may be thinking “We don’t manage 45% of the nation’s oil distribution, why should we care?” 

The answer is, because larger companies are not the only ones with valuable data and customers to protect. Additionally, since SMBs often lack proper cybersecurity measures, bad actors may find them an easy target. In fact, according to a report by Verizon, almost 30% of breaches in 2020 involved small businesses. Lastly, ransomware, the malware facilitated by RaaS and used to penetrate Colonial pipeline, is the one of the most cited malware threats by SMBs. 

What Businesses can Learn

The lessons to be learned from the breach may vary from business to business, but a key takeaway is the need to focus on Ransomware-as-a-Service (RaaS). DarkSide is a private Russian-based, which sells its ransomware tools and services, in a subscription-based model, to other attackers. While DarkSide itself claims to have certain operating morals, such as never attacking hospitals or educational organizations, RaaS makes it easier than ever for malicious actors to utilize sophisticated and proven ransomware technology. 

Large or small, every business can work to improve where Colonial failed. In this case, the cyberattack victim failed in at least three of four best practice areas: 

1. Clean Copy of Data 
   It’s been reported that the intruder had stolen at least 100GB of data a week prior to the incident, indicating Colonial’s data was being stored in an insecure environment. Businesses can minimize their vulnerability to cyber threats and incidents with comprehensive data protection and verified backups. 
   
   
2. Proactive Threat Hunting 
   While Colonial may have been utilizing an MDR (Managed Detection and response) program, the technology may not have been advanced enough to catch the threat. Businesses can strengthen their security posture by investing in modern SOCaaS threat detection services that actively and quickly contain the threat rather than simply alert.
   
   
3. Visibility into Security Gaps 
   While threat hunting is important, the most secure businesses will also utilize recurring security scanning to better understand their security environment and how a threat could penetrate their system in the first place. Additionally, using network segmentation and vulnerability testing can limit the horizontal infiltration of ransomware. This is particularly important in situations where there are zero-day exploits, for which threat detection signatures may not yet be available.
   
   
4. Incident Response Planning 
   While Colonial Pipeline has stated that they are actively developing a Systems Restart Plan, businesses can stay ahead of the curve by already having a comprehensive disaster recovery and business continuity plan in place to respond quickly and efficiently to cyberattacks and other incidents. 

Ready to secure your organization from threats like DarkSide? Speak with your IT advisor about implementing strategies and technology which align with the best practices outlined above. If you don’t have one, or need an extension of expertise, call us to help design and execute IT security solutions which will ensure you are prepared to prevent and respond to a breach.