There’s no reason to believe the group that attacked the Colonial Pipeline Company with ransomware gained access to its sensitive industrial control systems, federal agencies said in a joint advisory.
“In response to the cyberattack, the company has reported that they proactively disconnected certain [operational technology] systems to ensure the systems’ safety. At this time, there are no indications that the threat actor moved laterally to OT systems,” the advisory FBI and the Cybersecurity and Infrastructure Security Agency issued Tuesday.
The attack on the pipeline, which the company revealed in a Friday press release, is drawing attention to the physical consequences of cybersecurity. With the company’s pipelines typically supplying almost half of the fuel to the East Coast, multiple states declared states of emergency as people waited in long lines to fill up their tanks. Energy Secretary Jennifer Granholm warned against price gouging and panic buying while administration officials have waived environmental regulations allowing the alternate transport of fuel on the interstate highway system. The Department of Homeland Security is also ready to consider waivers of the Jones Act, which requires maritime vessels transporting goods between U.S. ports to be built by U.S. citizens or permanent residents, White House Press Secretary Jen Psaki said Wednesday.
“We are deeply concerned about the security of our nation’s critical infrastructure and the industrial control systems (ICS) that underpin many national critical functions,” members of the House Homeland Security and Transportation Committees said in a letter to National Security Advisor Jake Sullivan Tuesday. “As we have repeatedly stressed, cybersecurity is no longer just an ‘IT issue’ but instead an economic and national security challenge that can have real-world impacts to our security. It is imperative that the federal response is rapid, clear, and consistent.”
Granholm has said the company should be back to full force by the end of the week. Citing unnamed sources, the Washington Post reported Wednesday that Colonial doesn’t plan on paying a ransom for the hackers to decrypt their files and is working with cybersecurity firm Mandiant to restore backups or rebuild systems as necessary.
The importance of segmentation between information technology, or IT, systems and operational technology, or OT, systems has been central to advisories from federal agencies on securing industrial control systems like those involved in the pipeline and other critical infrastructure where there are devices such as valves and pressure gauges to control physical processes.
The National Security Agency, for example, recently cautioned the defense sector against connecting IT and OT systems, despite the convenience that could provide.
CISA and the FBI said the group that has acknowledged responsibility for the attack—which goes by the name DarkSide—has been “targeting multiple large, high-revenue organizations” with ransomware since August 2020. And pipeline infrastructure was known to be the target of ransomware actors well before that. A February 2020 CISA alert on the issue contains many of the same mitigation measures listed in Tuesday’s advisory—implement multifactor authentication and enable extra strong spam filters to avoid successful phishing attempts, for example—but there were a few new ones.
The agencies said the hackers are using The Onion Router—software used to access the dark web—to establish and maintain command and control functionality in victim’s networks.
“Monitor and/or block inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports),” the advisory reads. “For more guidance, refer to Joint Cybersecurity Advisory AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor.”
Oversight of pipeline cybersecurity has been the subject of a jurisdictional turf war between the House Homeland Security and Transportation and Infrastructure committees and the Energy and Commerce committee. Responsibilities currently fall to the Transportation Security Administration, which the Government Accountability Office said was not dedicating appropriate resources to the job.
“In our company’s extensive experience in assessing oil & gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cybersecurity is far behind that of other energy sectors (upstream and downstream O&G and electric utilities),” John Cusimano, vice president of industrial cybersecurity at aeCyberSolutions, told Nextgov.
On Tuesday, Rep. John Katko, R-NY, ranking member of the Homeland Security Committee sent a letter to CISA Acting Director Brandon Wales saying TSA’s partnership with the agency on a 2018 initiative is promising but asked for numbers on the program, which relies on voluntary participation from industry.
“It is the Committee’s understanding that the core of this initiative revolves around conducting Validated Architecture and Design Review (VADR) assessments on pipeline assets,” Katko wrote. “Now, in the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth, and effectiveness of the Pipeline Cybersecurity Initiative is more important than ever before. The Committee requests a briefing on the status of the initiative, no later than June 1, 2021.”