Colonial Pipeline returns to normal operation after being shut down by a cyberattack

New York Times

Pipeline attacks bring urgent lessons about cybersecurity in the United States

For years, government officials and industry executives have run elaborate simulations of targeted cyberattacks on the US power grid and gas pipelines, imagining how the country would respond. But when the moment came that was not a drill, it looked nothing like a war game. The attackers were not hostile nations such as Russia, China and Iran, or terrorist groups, as the simulations envisioned. It was a criminal extortion ring. The goal was not to disrupt the economy by taking the pipeline offline, but to hold corporate data for ransom. And the most visible impact, the long lines of nervous drivers at gas stations, was not a government response but a decision by the victim, Colonial Pipeline, which controls nearly half of the gasoline, jet fuel and diesel flowing along the East Coast, to shut the pipeline down. The company was concerned that the malware that had infected its back-office functions could make it difficult to bill for fuel delivered along the pipeline, or could spread to the pipeline's operating systems.

What followed was a vivid illustration of the difference between a tabletop simulation and the cascade of consequences that can follow even a relatively unsophisticated attack. The after-effects of the episode are still unfolding, but some lessons are already clear: it showed how much work the government and the private sector still have to do to prevent and respond to cyberattacks, and to create quick backup systems for when critical infrastructure goes down.

In this case, the long-standing belief that pipeline operations were completely isolated from the data systems locked up by DarkSide, a ransomware gang that appears to operate out of Russia, turned out to be false. And the company's decision to shut off the pipeline set off a chain of dominoes, including panic buying at the pumps and quiet fears within the government that the damage could spread quickly.
A confidential assessment prepared by the Department of Energy and the Department of Homeland Security found that the country could afford only another 3-5 days of the Colonial Pipeline shutdown before buses and other mass transit systems would have to restrict operations because of a shortage of diesel fuel. The report also found that chemical plants and refineries would have to halt operations because there would be no way to distribute what they produced. President Joe Biden's aides announced an effort to find other ways to move gasoline and jet fuel to the East Coast, but that could not be done immediately: there was a shortage of truck drivers and of rail tank cars.

"All the vulnerabilities have been exposed," said Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike and chair of the think tank Silverado Policy Accelerator. "I learned a lot about what went wrong. Unfortunately, so did our enemies."

The list of lessons is long. Colonial, a private company that one might have assumed had an impermeable protective barrier, was easily breached. Even after paying the extortionists about $5 million in digital currency to recover its data, the company found that the process of decrypting the data and turning the pipeline back on was very slow, and the East Coast is only now returning to normal. "It's not like flipping a lamp," Biden said on Thursday, noting that the 5,500-mile pipeline had never been shut down before.

For the government, the episode turned into a perilous week of crisis management. Biden told his aides that nothing could cause political damage faster than television images of gas lines and rising prices, with their inevitable comparisons to Jimmy Carter's worst moments as president. Biden feared that unless the pipeline resumed operations, the panic receded and prices came back down, the economic recovery would remain fragile and inflation would rise.
Beyond the series of actions to move oil by truck, train and ship, Biden issued a long-awaited executive order that, for the first time, mandates changes in cybersecurity. He then suggested a willingness to take a step the Obama administration had considered during the 2016 election hack: direct action to hit back at the attackers. "We will also pursue measures to disrupt their ability to operate," Biden said, seeming to suggest that US Cyber Command, the military's cyberwarfare unit, had been authorized to knock DarkSide offline, as it had done to another ransomware group in the fall before the presidential election.

A few hours later, the group's internet site went dark. By early Friday, DarkSide and several other ransomware groups, including Babuk, which hacked the Washington, DC, police, announced they were getting out of the game. DarkSide hinted at disruptive action by unspecified law enforcement agencies, but it was not clear whether that was the result of US action or of pressure from Russia ahead of the summit Biden has scheduled with President Vladimir Putin. The quiet may simply reflect a decision by the ransomware gangs to frustrate retaliation efforts by shutting down their operations, perhaps temporarily. The Pentagon's Cyber Command referred questions to the National Security Council, which declined to comment.

The episode highlighted the emergence of a new "mixed threat": attacks that come from cybercriminals but are often tolerated, and sometimes encouraged, by countries that consider them useful. That is why Biden singled out Russia: not as the culprit, but as the country harboring more ransomware groups than any other. "I don't think the Kremlin was involved in the attack, but there is strong reason to believe that the criminals who carried out the attack live in Russia," Biden said.
"We are in direct contact with Moscow about the imperative that responsible countries take action against these ransomware networks." With the DarkSide system down, it is unclear how the Biden administration could retaliate further, beyond the indictments and sanctions that have not previously deterred Russian cybercriminals. Hitting back with a cyberattack also carries the risk of escalation. The administration must also reckon with the fact that much of America's critical infrastructure is owned and operated by the private sector, and that it is ripe for attack. "We haven't done the basics to protect our critical infrastructure, but we're thinking too much about the threat," said Kiersten E. Todt, managing director of the nonprofit Cyber Readiness Institute.

The good news, some officials said, is that Americans got a wake-up call. Congress faced the reality that the federal government has no authority to require the companies that manage more than 80% of the country's critical infrastructure to adopt a minimum level of cybersecurity. The bad news is that America's adversaries (not just superpowers, but terrorists and cybercriminals) learned how much of the country can be thrown into turmoil without breaking into the core of the power grid, or into the operational control systems that move gasoline, water and propane around the nation. Something as basic as a well-designed ransomware attack can easily do the job, and using outsiders for sensitive cyber operations gives countries such as Russia, China and Iran plausible deniability.

How DarkSide first broke into Colonial's business network remains a mystery. The private company has said virtually nothing, at least publicly, about how the attack unfolded, and during the cyberattack it waited four days before holding a substantive discussion with the administration.
Cybersecurity experts also said that had Colonial Pipeline been confident that its business network was separated from pipeline operations, it would not have needed to shut the pipeline down. "Data management and real-world operational technology need to be completely separate," Todt said. "For a company that carries 45% of the gas to the East Coast, it's frankly unforgivable not to do the basics." Other pipeline operators in the United States have installed advanced firewalls between their data and operations networks that let data flow out of the pipeline in only one direction, preventing a ransomware attack from spreading. Colonial Pipeline has not said whether it had that level of pipeline security in place. Industry analysts say that installing such unidirectional gateways along a 5,500-mile pipeline can be complex or prohibitively expensive for many critical-infrastructure operators; others say the cost of deploying these safeguards is still lower than the losses from potential downtime.

Stopping ransomware criminals, whose numbers and boldness have grown over the past few years, will certainly be harder than deterring a nation. But this week the urgency became clear. "When we're stealing each other's money, it's all fun and games," said Susan M. Gordon, a former deputy chief of the National Intelligence Agency and a longtime CIA analyst specializing in cyber issues, at a conference held by Cipher Brief, an online intelligence newsletter. "When we are messing with the operational capabilities of society, we can't tolerate it."

This article was originally published in The New York Times. © 2021 The New York Times Company