The Colonial Pipeline Hack was way too Easy

One thing that was good about the pandemic was that gas was really cheap (if you actually had reason to go anywhere). A few weeks ago, 87 octane was $3.64/gallon at Shell. It had been a while since I’d spent nearly $50 on a tank of gas, but it turns out I was lucky to be able to fill my tank at all. Three of the six gas stations in my neighborhood were completely out of gas, and they didn’t know when they were getting more.

I vaguely remember a similar situation many years ago, when OPEC, the Organization of Petroleum Exporting Countries, placed an oil embargo on the United States as a retaliation for certain foreign policies. At that time, the US relied on OPEC for about 50% of its oil supplies. Meg Jacobs, the author of Panic at the Pump: The Energy Crisis and the Transformation of American Politics in the 1970’s said, “One of Nixon’s top advisors dubbed it ‘an energy Pearl Harbor’. There were no bombs, no bloodshed, no loss of life. But the embargo stunned Americans as if they had come under a surprise attack, if not an outright act of war, because of the serious implications for the economy and the country’s security.”

Last month, we saw how terrifyingly easy it was for a foreign attacker to launch yet another bloodless attack on our nation’s oil supply. This time it wasn’t an oil embargo, but instead a ransomware attack on the Colonial Pipeline, the critical conduit for transporting fuel from gulf coast refineries to core east coast markets. The attack occurred when the group DarkSide gained access to a single password to a legacy virtual private network (VPN) system, which used single-factor authentication. Think about that: just one password and one insecure network component was all that was necessary to enable a crippling attack on a vital economic artery.

How is that possible? As a direct result of the attack, Colonial Pipeline could no longer assure positive control over the pipeline and lacked clear visibility into what was happening with its own systems. At that point, the only responsible option for the company was to shut down pipeline operations, as their teams were unable to determine the extent of the hack and the level of risk it posed to the pipeline. Six days later, Colonial Pipeline, their team of cybersecurity experts and the US federal government still had not regained full control of the system. That meant the pipeline remained down, and without that critical artery for fuel supplies, fuel shortages ravaged communities across the southeastern US. We learned, several days later, that Colonial Pipeline paid the attackers ~75 bitcoins (about $4.3M USD at the time of the transaction) to regain access to their systems.

The Colonial Pipeline hack was a result of insufficient IoT security. As this Wired article explains, the vast majority of pipeline operations are automated through operational technology devices, with “edge” components connecting to the main network. Traditional IT departments are hesitant to tamper with these integrated technologies, whether in manufacturing, energy, medicine, or retail. In their view, those technologies are just part of the making and operating of something, so they wouldn’t be the first choice for a cyberattack.

Since most IT departments do not consider operational technology a high-priority or mission-critical target, it is often de-prioritized or ignored for security updates (if it is even cataloged), creating a major vulnerability. In addition to enabling the hackers to steal and ransom data from the main network at Colonial Pipeline, compromising operational technology could allow the attackers to alter the physical state of the pipeline, creating dangerous physical conditions for the many thousands of people who live near it. Put simply: every IoT-connected device is a potential backdoor into an otherwise secure network – and most companies don’t even know how many backdoors exist.

How do hackers find these vulnerabilities? They do it in the same way that Matthew Broderick’s character got into the Defense Department systems in the 1983 movie WarGames. In the movie, his computer dialed all of the numbers in a particular phone exchange looking for modems. When he found the right modem, he’d use social engineering to figure out the password and he was in. Today’s ransomware attackers use the same strategy — but instead of phone numbers, they are looking for vulnerable IP addresses, backdoors, weak authentication mechanisms, easily hacked encryption keys and debugging services.

The reality for most mid-market to large companies is grim: it is not a question of “if”, but of “when” and “where” they will be the target of a cyberattack. Most IT departments have no idea how many vulnerabilities their systems have, how many devices are connected to their network, and how many insecure or legacy systems are still operational. And as connected devices and automation become increasingly ubiquitous and essential to the day-to-day operations of the firm, the number of vulnerabilities compounds, hidden from view but waiting to be discovered. And when – not if – those vulnerabilities are discovered, the outcome can be catastrophic – as the Colonial Pipeline debacle aptly illustrated.

Fortunately, companies have the ability to change their reality. By proactively identifying, prioritizing and securing their connected devices and legacy systems, companies can dramatically reduce their risk profile and maximize their chances of detecting and mitigating an attack before it compromises operational integrity.
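The identification and prioritization step above, and the earlier point that most companies do not know how many uncataloged “backdoors” they have, can be made concrete. The following is an added example (not code from the original post or from Mavenspire) that reconciles a constructed asset catalog against a constructed network survey and ranks the cataloged services by how closely they resemble the entry point the post describes: reachable from outside, password-only, and no longer in use. All hosts, names and scores are assumptions invented for the illustration.

```python
"""Audit what IT thinks exists against what is actually reachable on the network.

Constructed example data only; nothing here comes from Colonial Pipeline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    kind: str       # "IT" or "OT"
    exposed: bool   # reachable from outside the corporate perimeter
    mfa: bool       # multi-factor authentication enforced on logon
    in_use: bool    # still part of an approved business process

# Constructed catalog: the services the IT department knows about.
CATALOG = {
    Service("10.0.1.5", "vpn-legacy", "IT", exposed=True, mfa=False, in_use=False),
    Service("10.0.1.6", "vpn-current", "IT", exposed=True, mfa=True, in_use=True),
    Service("10.0.9.20", "scada-hmi", "OT", exposed=False, mfa=False, in_use=True),
}

# Constructed survey: (host, service) pairs actually observed on the network.
DISCOVERED = {
    ("10.0.1.5", "vpn-legacy"),
    ("10.0.1.6", "vpn-current"),
    ("10.0.9.20", "scada-hmi"),
    ("10.0.9.44", "plc-modbus"),  # never cataloged: an unknown backdoor
}


def find_uncataloged(catalog, discovered):
    """Return observed services that have no catalog entry, sorted for stable output."""
    known = {(s.host, s.name) for s in catalog}
    return sorted(discovered - known)


def prioritise(catalog, threshold=4):
    """Score each cataloged service; weights are assumptions, not an industry standard."""
    findings = []
    for s in catalog:
        reasons = []
        if s.exposed:
            reasons.append(("internet-exposed", 3))
        if not s.mfa:
            reasons.append(("single-factor", 2))
        if not s.in_use:
            reasons.append(("legacy/unused", 2))
        if s.kind == "OT":
            reasons.append(("physical impact", 1))
        score = sum(w for _, w in reasons)
        if score >= threshold:
            findings.append((score, s.name, [r for r, _ in reasons]))
    return sorted(findings, reverse=True)  # highest score first
```

Running `find_uncataloged(CATALOG, DISCOVERED)` surfaces the PLC nobody recorded, while `prioritise(CATALOG)` puts the exposed, single-factor, unused VPN at the top of the remediation list.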

Mavenspire brings unmatched experience and expertise in the IoT space, which uniquely positions us to offer OT security advisory services to our clients. We’ve been working with these technologies since the early 1990s, when we were a spinoff of System Excelerator, a start-up focused on IoT technologies for military and commercial use cases. We understand this technology. Couple our IoT expertise with our deep experience in network design and cyber security, and the result is the precise blend of expertise IoT-centric organizations need to protect themselves against these growing threats.