The cyber attack on Colonial Pipeline is the latest in an increasing number of ransomware attacks which have been targeting both private enterprise and the public sector.
In this case, it appears that the ransomware variant involved is DarkSide, which ExtraHop has seen in customer environments. This campaign starts by mapping the environment and exfiltrating data, meaning that the attackers likely now have access to detailed information about the company and its pipeline operations. Then the attackers start encrypting systems, making entire portions of the infrastructure unavailable.
This two-pronged approach has become increasingly common, used in major attacks such as the recent REvil attacks on Acer. Exfiltrating potentially sensitive data gives added leverage to attackers and makes detecting and stopping ransomware even more important.
Attacks like this which target public infrastructure should serve as a warning, making clear the potential impact of attacks from both criminal organizations and sophisticated nation-state actors.
But this isn't a "warning" in the sense that DarkSide wanted to send a message about their ability to affect critical infrastructure. In fact, the DarkSide attackers have essentially admitted that attacking Colonial Pipeline was a mistake. They are quoted in multiple media outlets as saying they don't want to cause "problems for society." DarkSide has had massive success in extracting ransoms from their victims without drawing much public attention. By attacking critical infrastructure, they have garnered a level of public attention that will make it harder for them to continue business as usual.
So if a ransomware crew can shut down a fuel pipeline more or less by accident, what does that say about the security posture of the rest of our critical infrastructure?
Critical Infrastructures Are Vulnerable to Compromise
The shift to TCP/IP over commodity Ethernet has left much of our critical infrastructure vulnerable. In particular, electrical power distribution, natural resource extraction, petroleum/oil/gas, chemical manufacturing, general manufacturing, and distribution/logistics all use some type of distributed network to control very discrete technical or industrial processes. Those processes open and close electrical breakers, open and close valves, measure temperature, flow rate, or voltage, or run automated machinery.
The endpoints that manage these distributed processes are known collectively as industrial control systems (ICS). These controllers run the processes and collect process data. In some industries this is called the supervisory layer: the layer that controls the industrial processes themselves.
Above that layer, as a best practice, is the command layer. The command layer provides direction and control to the discrete ICS devices at various locations in automated processes and physical facilities. The command layer consists of the networked computer systems, typically with proprietary applications, that are used to manage and direct the industrial control devices.
These systems should not run on the same TCP/IP network as the rest of the company's corporate infrastructure. In fact, best practice calls for ICS/OT systems to be air-gapped: completely separated, with no network connection to the IT environment at all. In practice, this is not usually the case.
What this means is that the dynamic, messy, often highly vulnerable, and critically under-monitored corporate TCP/IP network almost always has some sort of connection, like a wormhole, into the ICS environment. Ransomware that is designed to spread indiscriminately will find this wormhole in a heartbeat. This is a security hygiene problem with potentially devastating results.
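One way to look for that wormhole before ransomware does is to audit the rules on the boundary between the corporate and ICS ranges for anything that lets corporate addresses reach ICS on the services ransomware uses to move laterally (SMB, RPC, RDP, WinRM) or on every port at once. The script below is an added example, not code from the original post or from ExtraHop; the rule format, the address ranges and the port list are assumptions, and the sample rule set is constructed. It honours first-match ordering, so an allow that a deny above it already blocks is not reported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services ransomware operators lean on to move laterally. Illustrative list, not from the post.
LATERAL_MOVEMENT_PORTS = {135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _shadowed(rule, earlier):
    """True if a deny rule evaluated before `rule` already covers everything it permits
    (first-match semantics), so the allow can never fire."""
    for d in earlier:
        if d.action != "deny":
            continue
        if not (_net(d.src).supernet_of(_net(rule.src)) and _net(d.dst).supernet_of(_net(rule.dst))):
            continue
        if d.proto != "any" and d.proto != rule.proto:
            continue
        if d.port is not None and d.port != rule.port:
            continue
        return True
    return False


def find_wormholes(rules, corp_cidr, ics_cidr):
    """Return (rule name, exposed service) for every effective allow rule that lets
    corporate addresses reach the ICS range on a lateral-movement port or on any port."""
    corp, ics = _net(corp_cidr), _net(ics_cidr)
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or _shadowed(rule, rules[:i]):
            continue
        if not (_net(rule.src).overlaps(corp) and _net(rule.dst).overlaps(ics)):
            continue
        if rule.port is None:
            findings.append((rule.name, "any port"))
        elif rule.proto in ("tcp", "any") and rule.port in LATERAL_MOVEMENT_PORTS:
            findings.append((rule.name, LATERAL_MOVEMENT_PORTS[rule.port]))
    return findings


# Constructed rule set, in evaluation order. Address ranges are made up for the example.
SAMPLE_RULES = [
    Rule("lab-block", "10.10.99.0/24", "10.200.0.0/16", "any", None, "deny"),
    Rule("lab-smb", "10.10.99.0/24", "10.200.5.0/24", "tcp", 445, "allow"),       # shadowed by lab-block
    Rule("corp-dns", "10.10.0.0/16", "10.10.0.53/32", "udp", 53, "allow"),         # stays inside corporate
    Rule("historian-smb", "10.10.0.0/16", "10.200.5.0/24", "tcp", 445, "allow"),  # whole corporate net -> ICS over SMB
    Rule("jump-rdp", "10.10.50.12/32", "10.200.0.0/16", "tcp", 3389, "allow"),    # one host, but RDP into ICS
    Rule("vendor-any", "any", "any", "any", None, "allow"),                       # catch-all at the bottom
]

if __name__ == "__main__":
    for name, service in find_wormholes(SAMPLE_RULES, "10.10.0.0/16", "10.200.0.0/16"):
        print(f"{name}: corporate network can reach ICS via {service}")
```

Each finding is a path a worm or a hands-on-keyboard operator could take from a compromised corporate workstation into the control network. The "any port" catch-all is the one to fix first; the single-host RDP rule is the kind that looks harmless on paper and is exactly what a stolen admin credential turns into a wormhole.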
While the exact details of the Colonial Pipeline attack have not yet been released, it is safe to say that the attack should serve as a wakeup call to ICS operators: securing the corporate network that surrounds and runs parallel to your ICS environment is mandatory.
What To Do About It
Securing ICS is challenging. Many ICS and Operational Technology (OT) devices can't support a monitoring agent or activity logging. These devices use separate, often proprietary protocols to communicate, and, in theory, they are isolated from the rest of the network, ideally with a full air gap.
While point solutions for securing ICS deployments certainly exist, the Colonial Pipeline scenario provides an excellent example of how blind spots and security gaps can lead to devastating outcomes. No single tool or approach, not even the (usually hypothetical) air gap, is enough; a layered security approach is the only way forward.
The SOC Visibility Triad model has become more and more relevant in cybersecurity. Shoring up the security of the corporate IT environment that surrounds critical infrastructure requires three complementary data sources: the network, the endpoint, and activity logs. With these monitoring solutions in place and tightly integrated, security teams have a better chance of detecting early signs of ransomware or other fast-moving malware or attack behaviors, so they can isolate and purge the threat before it impacts critical ICS systems.
In the case of ransomware like DarkSide, ExtraHop Reveal(x) can detect early indications of compromise such as suspicious file reads and SMB data staging. It can also detect the type of exfiltration activity common in DarkSide attacks, and correlate the encryption and exfiltration detections for a more complete understanding of the attack.
To learn more, watch the webinar