Why is a Billion Dollar Pipeline Incapable of Defending Itself Against Ransomware?
The person in charge has some serious explaining to do. This sort of risk didn't come from nowhere.
“This is why frontier life is so difficult.
Not because of the Indians or the elements but because of the idiots”
─Samantha, from the movie Bone Tomahawk
As details emerge concerning the recent breach of Colonial Pipeline’s network the press has focused primarily on the fallout of the shutdown. In a manner similar to the coverage of events surrounding the financial collapse of 2008, the media’s collective spotlight is emphasizing the spectacle of the ensuing calamity and its scale rather than the underlying failures that enabled it. This indicates that an agenda is likely at work. Or maybe it’s just a twist of fate that all those bankers skipped off into the sunset with their annual bonuses?
Ransomware is a pervasive threat. Any chief information officer worth his salt will have the foresight to deploy the controls necessary to sufficiently raise the cost of attacks as well as limit the damage that they incur—particularly when it comes to protecting the American infrastructure. Entire frameworks have been designed for managing cybersecurity. They’ve been around for years. There is even guidance aimed squarely at the energy sector describing how to implement them. The security programs produced by these frameworks almost always involve essential activities like threat modeling and risk assessment, as well as performing table top exercises, penetration testing, and disaster recovery dry runs. It’s all about managing risk and forging a solid incident response playbook.
When leaders don’t cut corners frameworks yield results. For example, in 1991 the Federal Reserve of Minnesota successfully executed its disaster recovery plan after a water main burst above its data center. With the alacrity that comes from careful, deliberate, preparation the Federal Reserve’s emergency response team sprang into motion. In a matter of hours a backup data center in another city was brought online and began handling daily transactions thanks to the dedication of 50 employees. Based on statements from officials who understand its procedures, the Fed’s digital platform includes multiple layers of redundancy to the extent that it would probably take a nuclear first strike to knock America’s central banking system out of commission. And if the precautions taken during the Cold War are any indication, even that might not be sufficient.
Which underscores that the very last thing that any organization wants to do is to halt core business operations and bring revenue streams to a standstill. Failures of this magnitude often involve state actors (a polite euphemism for spies) who are funded and work in tight coordination. When reading a story like this a telltale sign of spy handiwork is the noticeable use of the word “sophisticated.” That is, the victims were on the receiving end of “the most sophisticated cyber weapon ever deployed.” Gasp!
The unspoken benefit of this hyperbole is that it offers a degree of cover for decision makers. They can sanctimoniously hold their heads up high and claim “What could we possibly have done? The attackers were nation-state actors who were so skillful and crafty that no one could possibly expect to defend against them.” Pointing at themselves: “Especially me.”
In other words: not my fault.
This time around there are no foreign spies to blame. According to the FBI the perpetrators are a reluctant crew of internet extortion artists who, when they finally realized what they had done, started to backpedal like mad. (Against the recommendation of the FBI, the Colonial Pipeline Co. chose to pay the hackers nearly $5 million in ransom.)
“We are apolitical, we do not participate in geopolitics,” the intruders announced on their blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Note the convenient presumption that ordinary ransomware doesn’t create problems for society. There are no doubt thousands of angry grandmothers who lost their photo archives that would disagree.
Over the past few decades there has been a corporate mass exodus to the internet. While many large organizations boosted productivity through greater convenience and efficiency the immediate gains overshadowed genuine security concerns. Short-term smart, long-term dumb. Lately the White House has moved to bolster the security of federal systems but the actual impact of these measures on the private sector is unclear. Sound familiar? Which means that the incentives for companies to sacrifice convenience and efficiency on behalf of security won’t exist… until it’s too late.
Which leads us back to the Colonial Pipeline incident. History shows that eventually random hackers come sniffing around for an easy payday. And if the necessary precautions haven’t been taken, they’ll find it. The very fact that a gang of digital crooks somehow succeeded in inadvertently turning off fuel spigots in several states implies that few, if any, of the appropriate countermeasures were properly applied. That, dear reader, is the real story that’s being drowned out. Honestly, what person in their right mind makes infrastructure equipment and sensitive data about it accessible from the internet? Granted air-gap defense won’t necessarily thwart professional spies, but it does go a long way towards fending off the opportunists in the crowd. Especially when your server passwords are something like solarwinds123.
Bill Blunden is an independent investigator focusing on information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.