Pipeline Security Attack Heightens Awareness of Florida’s Cybersecurity Landscape
If there is a bright side to the May 2021 ransomware pipeline security attack on Colonial Pipeline, then it is the hope that businesses and the federal government will take the cybersecurity issue more seriously than it has up to this date.
The following paragraphs briefly describe ransomware, the Colonial Pipeline attack, and the ensuing national security directives issued by the US government in response.
Colonial Pipeline Attack Was Massive
Ransomware is malicious software designed to throw into turmoil a business’s computer network. In general, the ransomware cyber attack succeeds by blocking the network owner’s access to their network and its files. It also includes threats to damage or destroy the computer’s files if a sizable ransom is not paid to obtain the network’s release.
The cybercriminals that hacked into the Colonial Pipeline’s system took control of their computer’s fuel distribution pipeline system. The massive attack interrupted the distribution of one-half of the US East Coast’s fuel supply for 11 days. The pipeline shutdown caused customers in the affected areas to engage in panic buying at their local pumps. The cyber attack and the resulting panic buying resulted in gasoline shortages in at least a dozen states and Washington, DC. Four states declared states of emergency to cope with the problem.
The Colonial Pipeline ransomware attack was not a simple feat. The ransomware attack is part blackmail, part ransom, and partly an abuse of the doctrine of “squatters rights” as it relates to possession of the computer network and its files. The more recent attacks show that the criminals not only lock down the information on the network, so the owner cannot access its files. They also make a copy of the network’s information, so they then possess it and may extort the return of the files in a type of blackmail. They may use the duplicated files to extort more cash, or they may threaten to post sensitive personal information from the files online for other hackers to see. Furthermore, they often sell their ransomware software on the dark web to other cybercriminals, who buy the malicious software to enable attacks against other companies.
The Colonial Pipeline cybercriminals demanded a sizable ransom to release the computer network. The company admitted that it paid $4.4 million to end the attack. The US government does not encourage the payment of ransom to cyber hackers on the grounds that payment will incentivize further illegal behavior.
Not a Nation-State Attack
Cyber attacks of this nature are generally considered actions by nation-states designed to disrupt the national security of an adversary. Hackers based in Russia are on the list of usual suspects. The US White House says there is no evidence that Russia is behind these recent cyber attacks, even though the hackers call Russia their home base.
Recent attacks show an evolution in complexity. In the first few months of 2021, cybercriminals launched ransomware attacks not on individuals but on large companies: on solar power firms, a water treatment plant in Florida, a school district in Broward County, South Florida, and including a police department in the US Capital. And the ransoms demanded are soaring higher, too.
Did Anyone Take Responsibility for the Colonial Pipeline Attack?
A cyber hacker group called the Darkside claims responsibility for Colonial Pipeline’s ransomware attack. The FBI says Darkside is based in Russia. Darkside typically demands ransoms of $100,000 or less, and they carry out around 10 attacks a month. If you do the math, they are earning around $12 million a year in their trade. With Colonial Pipeline, Darkside went for the big fish, leaving the small fry jobs against small companies and individuals on the wayside. Darkside’s yearly haul easily puts it in the top 1% of US companies and individuals
The US Government Issues New Rules in Response
To address the seriousness these new attacks portend with respect to the vulnerabilities of critical infrastructure, on May 27, 2021, the Department of Homeland Security (DHS) issued a new security directive through the Transportation Security Administration (TSA). The new security directive requires pipeline companies to tell appropriate US officials about cyber attacks. In addition, the TSA’s newly released security directive was effective the next day on May 28, 2021. The directive remains in effect until May 28, 2022, unless amended or revoked.
TSA will require that owners/operators of critical businesses in the pipeline industry designate by June 4, 2021, a cybersecurity coordinator and one alternate as a corporate officer for their business. The cybersecurity officer/coordinator must:
- Remain available to report cyber events and coordinate with officials 24/7/365;
- Be a US citizen;
- Be eligible for security clearance.
This security officer/coordinator is responsible for coordinating with TSA and the Cybersecurity and Infrastructure Security Agency (CISA) whenever the critical pipeline business experiences a cybersecurity episode. The security officer must be available to coordinate with TSA and CISA and law enforcement and emergency agencies who respond to the cybersecurity event.
The TSA security directive also requires the security officer to:
- Within 12 hours of identifying a cyber event to report both the incident and the company’s response to CISA via phone or the online system. This reporting duty includes any attempted intrusions and/or discovery of ransomware or uncovering of a physical attack on the network; and
- Within 30 days of the incident to conduct a vulnerability assessment using TSA guidelines and report the results of the assessment to TSA and CISA.
Who Does the Directive Apply to?
The TSA security directive applies to owners/operators of critical pipeline facilities that TSA notifies of their critical status. The TSA directive only applies critical status to “hazardous liquid and natural gas pipelines and natural gas pipelines or a liquid natural gas facility.”
If you want to learn more about cybersecurity and critical infrastructure, you may enjoy the June 2021 article from financeyahoo.com entitled “Ransomware is a profitable enterprise: Who’s next? How do we stop this?”
To talk more about cybersecurity, or anything else, please contact us. We cordially invite you to call 4IT for support on any cybersecurity services your business may need. We want to help you secure your business.