On May 7, 2021, Colonial Pipeline, a major US energy transportation company, experienced a ransomware attack. The news has raised concern about the ability of both the federal government and private enterprises to respond to, and stay ahead of, increasingly advanced cyber threats.
Here’s what you need to know about the ransomware and DMI’s recommendations for cyber risk management and mitigation.
The May 7th ransomware appears to have infected only Colonial Pipeline’s business (IT) network. However, the company still shut down its Operational Technology (OT) networks as a precaution, to prevent the malware from spreading into its operational systems.
The shutdown halted the flow of fuel through its 5,500 miles of pipeline, which carry 2.5 million gallons of gasoline per day to the East Coast of the United States.
According to Bloomberg, the attackers performed reconnaissance and stole data ahead of the ransomware attack. The malicious actors behind the attack exfiltrated approximately 100 gigabytes of company data in just two hours.
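The exfiltration figure above (roughly 100 GB in about two hours) is the kind of volume-over-time pattern egress monitoring can catch. As an added example that is not part of the original post, the following computes each internal host’s peak outbound byte count within any rolling two-hour window and flags hosts above a baseline threshold; the flow records, hosts and 50 GB threshold are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
GB = 1024 ** 3

# Constructed flow records: (timestamp, source host, destination, bytes out).
# 10.20.5.17 moves ~100 GB in under two hours; 10.20.7.4 is a nightly backup.
FLOWS = [
    ("2021-05-06T22:00:00", "10.20.5.17", "203.0.113.9", 20 * GB),
    ("2021-05-06T22:30:00", "10.20.5.17", "203.0.113.9", 25 * GB),
    ("2021-05-06T23:00:00", "10.20.5.17", "203.0.113.9", 30 * GB),
    ("2021-05-06T23:45:00", "10.20.5.17", "203.0.113.9", 25 * GB),
    ("2021-05-06T22:05:00", "10.20.7.4", "198.51.100.20", 2 * GB),
    ("2021-05-07T01:00:00", "10.20.7.4", "198.51.100.20", 3 * GB),
    ("2021-05-07T03:30:00", "10.20.7.4", "198.51.100.20", 40 * GB),
]


def peak_egress(flows, window=WINDOW):
    """Return {host: most bytes sent within any span of length `window`}."""
    by_host = defaultdict(list)
    for ts, src, _dst, nbytes in flows:
        by_host[src].append((datetime.fromisoformat(ts), nbytes))
    peaks = {}
    for host, recs in by_host.items():
        recs.sort()                      # chronological order per host
        active, total, peak = deque(), 0, 0
        for ts, nbytes in recs:
            active.append((ts, nbytes))
            total += nbytes
            # Evict records that fell out of the window ending at ts.
            while active and ts - active[0][0] > window:
                total -= active.popleft()[1]
            peak = max(peak, total)
        peaks[host] = peak
    return peaks


def flag_exfil(flows, threshold_bytes, window=WINDOW):
    """Hosts whose peak windowed egress exceeds the threshold, largest first."""
    peaks = peak_egress(flows, window)
    hits = [(h, b) for h, b in peaks.items() if b > threshold_bytes]
    return sorted(hits, key=lambda hb: -hb[1])


if __name__ == "__main__":
    for host, nbytes in flag_exfil(FLOWS, 50 * GB):
        print(f"{host}: {nbytes / GB:.0f} GB in a 2h window")
```

The threshold should come from each host’s normal egress baseline; the 40 GB backup host stays below the constructed 50 GB line while the burst host is flagged.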
The ransomware group known as “DarkSide” acknowledged responsibility for the attack, according to the FBI. The exact amount of the ransom demand is not officially known; previous DarkSide demands have been as high as the equivalent of two million dollars.
A press statement was released by DarkSide:
"We are apolitical, we do not participate in geopolitics, there is no need to tie us to a defined government or look for other motives of ours.
Our goal is to make money, and not create problems for society.
From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
DarkSide operates as Ransomware as a Service (RaaS) with two tiers: a core group that develops the ransomware, and the “partners” referenced in the statement above, who deploy it against victims.
Most pipeline companies run a combination of IT and OT technologies, which leaves them highly susceptible to attacks like ransomware. Attacks on industrial control systems (ICS) can cause safety or environmental catastrophes (e.g., leaks or explosions) along the pipeline.
For mission-critical OT systems, availability is the priority wherever technology operates a physical process (e.g., energy production). Defending critical OT infrastructure and its related systems therefore requires a different approach from the one used to defend IT systems.
The Colonial Pipeline attack offers several lessons about how ICS operators should prepare for and respond to a cyberattack.
After an attack of this magnitude, enterprises should:
In addition to these cyber response strategies, DMI’s cybersecurity experts also recommend the following mitigation strategies.
At DMI, we understand the growing need for protection against increasingly sophisticated ransomware and cyber threats. We also believe that cybersecurity is a critical component of your business’s overall risk management process.
Our cybersecurity team designs, tests, and implements tailored incident response and disaster recovery plans based on each client’s cyber risk priorities. We apply proven processes, tools, and world-class expertise to contain, analyze, mitigate, and recover from cybersecurity incidents.
In addition to cyber response and recovery, we also offer full lifecycle cybersecurity governance, risk management, and compliance as well as tailored, end-to-end operational solutions. We help our clients quickly identify, assess, and respond to cyber risks to protect overall business productivity.
Want to learn more about our cybersecurity expertise? Let’s talk.