Cyber Extortion – Colonial Pipeline Lessons Learned

Cyber Extortion – Colonial Pipeline Lessons Learned – Part 1 

Cyber extortion, or ransomware, is a real threat. The recent Colonial Pipeline attack has everyone asking: What happened? Can it happen to my plant? What should I do to prevent, or at least slow down, an attack? How should I respond? Here is the rundown.

Contemporary information on the Colonial Pipeline cyber-attack:

CISA yet to obtain ‘technical information’ on Colonial Pipeline hack (msn.com) 

The FBI said in a statement Monday it had been confirmed that DarkSide ransomware was responsible for the compromise of the Colonial Pipeline networks. Over the past two years, ransomware groups have gone after bigger players to get bigger ransoms. Ransoms last year rose to around $300,000 for the small ones and millions of dollars for the big ones. As more information is released about this attack, NAES will distribute further follow-up.

How did computer hackers shut down a pipeline? 

On Friday, Colonial Pipeline said it learned that hackers had infected its computer networks with ransomware, malicious code used to seize control of computers and extract payments from victims. The breach affected Colonial’s business networks, which it uses for tasks such as managing payrolls and reporting data to regulators. 

Colonial deactivated those systems, but it also shut off the much more sensitive technology that runs its pipeline operations — a precaution aimed at preventing the hackers from reaching it if they hadn’t already. These systems monitor the flow of gas for impurities and leaks, control power levels and perform other automated tasks to keep the pipeline running smoothly. 

Initial Response: 

  1. DO NOT PAY ANY RANSOMS! Data returned is usually unreadable.
  2. Invoke your Cyber Security Incident Response Plan.
  3. Contact E-ISAC, as a courtesy and as a point of support, even if the attack does not disrupt or compromise BES Reliability Operating Services.

What can be done to prevent these attacks? 

  1. Perform frequent data back-ups of both the IT and OT environments. 
  2. Ensure back-ups are tested at least monthly to make sure they are readable. 
  3. Ensure there is true network segmentation between the Business Network and the Control Systems Network.
  4. Segmentation allows an attack to be contained to the network where it started.
  5. Train employees regularly to be able to recognize phishing attempts. 
  6. Consider use of NAES' KnowBe4 phishing tests. These require NAES domain email accounts; NAES' licensing does not cover non-NAES domain accounts, so the phishing tests will not work there.
  7. Consider exercising the Cyber Security Incident Response Plan (CSIRP) ANNUALLY to be better prepared to respond to a Cyber Security Incident. 
  8. Include personnel from IT and OT in your exercises of the CSIRP. 
  9. Consider an active network monitoring service to detect and alert on any anomalies within the IT/OT system.   
  10. NAES is partnering with cyber security firms to provide this service and to assist with documentation of NERC compliance evidence (network discovery, BCA list, network topology diagrams, connectivity review/plant walk-down, vulnerability assessment/monitoring).
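Items 1 and 2 above are only useful if the back-up can actually be read back, so here is an added example (not NAES code) of the monthly readability check: a digest manifest is written when the back-up set is taken, every file is later re-opened and re-hashed against it, and a second routine flags when the last successful restore test is older than the 30-day cadence. File names, contents and the JSON manifest layout are constructed for the illustration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timedelta

MAX_TEST_AGE_DAYS = 30  # item 2 above: back-ups are to be verified at least monthly

def sha256_of(path):
    """Hash one file; an unreadable or missing file raises OSError, which is itself a finding."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(backup_dir, manifest_path):
    """Record a digest for every file in the back-up set at the time it is taken (constructed JSON layout)."""
    entries = {n: sha256_of(os.path.join(backup_dir, n)) for n in sorted(os.listdir(backup_dir))}
    with open(manifest_path, "w") as f:
        json.dump(entries, f)

def verify_backup(backup_dir, manifest_path):
    """Return (ok, problems): each manifest entry must exist, open, and match its recorded digest."""
    with open(manifest_path) as f:
        expected = json.load(f)
    problems = []
    for name, digest in expected.items():
        try:
            actual = sha256_of(os.path.join(backup_dir, name))
        except OSError as e:
            problems.append(f"{name}: unreadable ({e.strerror})")
            continue
        if actual != digest:
            problems.append(f"{name}: digest mismatch (corrupted or tampered)")
    return (not problems, problems)

def restore_test_overdue(last_test_iso, now_iso, max_age_days=MAX_TEST_AGE_DAYS):
    """True when the last successful restore test (ISO-8601 dates) is older than the monthly cadence."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_test_iso)
    return age > timedelta(days=max_age_days)

def demo():
    """Constructed sample: one OT and one IT file; the IT file is corrupted after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("hmi_config.bak", b"tag=FT-101;alarm=HI\n"), ("payroll.db", b"id,name\n1,ops\n")):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        manifest = os.path.join(tmp, "manifest.json")
        write_manifest(tmp, manifest)  # listing happens before the manifest file itself is created
        clean_ok, _ = verify_backup(tmp, manifest)
        with open(os.path.join(tmp, "payroll.db"), "ab") as f:
            f.write(b"\x00garbage")  # simulate silent corruption or tampering of the back-up medium
        corrupt_ok, problems = verify_backup(tmp, manifest)
        return clean_ok, corrupt_ok, problems
```

In practice the manifest should be stored separately from the back-up media so that whatever damages the back-up cannot also rewrite the digests.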