One year on from the Colonial hack, cybersecurity is never far from mind
When the east coast of the U.S. stopped receiving its oil in May 2021, events moved very quickly. Consumers began hoarding fuel, causing a rush to the pumps. The federal government quickly got involved, and in the midst of all that, the engineers had to figure out what was wrong.
While all well-informed oil and gas companies are aware of the threat of a cyberattack, few would have expected an intrusion as bold, and even obvious, as the shutdown of one of the country’s main fuel arteries. A year after the hacking of the Colonial Pipeline company and the oil transportation system of the same name, expectations have changed.
Colonial Pipeline hacking and unintended consequences
The Colonial pipeline transports oil from Texas refineries to cities on the east coast of the United States, ending in Washington, DC. Approximately 380 million gallons of oil would pass through it on an average day, but on May 7, 2021 this stopped.
The DarkSide hacking group demanded payment to bring the pipeline back online, in what is known as a ransomware attack. Its intrusion reached the billing and accounting software used by Colonial Pipeline, which led the company to shut down its systems to prevent the infection from spreading.
Although some quickly attributed the attack to foreign aggression, citing well-known online disruption techniques used by Russia, the group itself denied this. Although the group operates in Eastern Europe and Russia, a brief statement from DarkSide said the group considers itself “apolitical.”
“We don’t participate in geopolitics,” one post said. “Our goal is to make money and not create [sic] problems for society. Starting today, we introduce moderation [sic] and check every company our partners want to encrypt to avoid social consequences in the future.”
Federal agencies were quickly involved. The FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Energy, and the Department of Homeland Security received a notification of the hacking.
The Department of Transportation issued an emergency declaration to create a virtual pipeline, using other transportation routes to move a fraction of what the pipeline would deliver. This allowed more drivers to make more deliveries with less mandatory rest time, increasing risk by an amount that is difficult to measure. However, no incident has been attributed directly or extensively to these rule changes.
Within a week, U.S. President Joe Biden signed an executive order to bolster national cybersecurity. This would create a “standard playbook” of responses to large-scale intrusions such as Colonial, and would require government agencies to increase security around their cloud services. It also created a Cyber Safety Review Board, which would conduct reviews after cyberattacks and make recommendations to prevent future incidents.
On the same day, Colonial paid DarkSide approximately $5 million in cryptocurrency for the key to decrypt its systems. Operations resumed on May 12, and Biden told the public that, with a few hiccups, he expected “a return to normalcy from region to region that would continue [over the coming] week.” And that was the end.
Preparing the groundwork for cybersecurity in the 2020s
The Colonial Pipeline intrusion ended relatively quickly, in an apparent victory for the hackers. However, it has had direct consequences for current cybersecurity approaches, to the hackers’ detriment.
The Colonial incident put DarkSide in the spotlight of U.S. security services. The group shut down completely on May 17, having collected approximately $90 million in bitcoin payments over its lifetime. Cybersecurity companies Intel 471 and FireEye said the group blamed pressure from U.S. government agencies for its dissolution.
Then, in June, the U.S. Department of Justice announced that it had seized $2.3 million in bitcoin from DarkSide. Cryptocurrency’s much-touted decentralization rests on a publicly accessible record of where payments go, known as the blockchain. While this allows for a degree of anonymity, agencies with enough power and leverage can overcome it.
Deputy Attorney General Lisa Monaco said: “Following the money remains one of the most basic, yet powerful, tools we have. Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.
“Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide.”
New legislation to prevent another Colonial incident
In March 2022, the United States Congress passed the Strengthening American Cybersecurity Act (SACA). This response to the Colonial hack requires critical infrastructure operators to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency within 72 hours, or within 24 hours if a ransom is paid. The EU and the UK have also worked on similar acts since the hack, with the aim of increasing the West’s overall resilience to cyber threats.
In practice, however, the SACA is often overshadowed by regulations imposed by the U.S. Transportation Security Administration (TSA). The stricter regulations introduced directly after the hack have just expired, and the TSA is seeking to relax the rules for future incidents.
The stricter reporting requirements have been one of the most notable effects of these rules. Jori VanAntwerp, co-founder and CEO of the network monitoring company SynSaber, told CSO Online: “One of the issues that often comes up in our conversations with critical infrastructure operators and asset owners is that they distrust additional reporting requirements. In the past, little or nothing has been done with the information that they have provided to government entities.”
The previous rules, in force until now, required companies to report ransomware intrusions to the government within 12 hours. The May 29 rule change extended that period to 24 hours, in line with the period required by the stock market regulator, the Securities and Exchange Commission (SEC).
Oil industry advocates have called for the SEC window to be increased to 72 hours, allowing three days to pass before shareholders need to be told about cyber intrusions. Lobby groups say a 24-hour window does not allow for accurate intrusion reporting.
“In the past, government agencies have done little with the information they receive”
The TSA issued a second batch of rules in response to the Colonial hack in July 2021. These required companies to use multifactor authentication for access to pipeline systems and to strengthen their password reset requirements. Since many pipeline systems require physical, on-site access, the cost of implementing these measures across many smaller and widely dispersed systems made companies skeptical of the stricter regulations.
The regulations will change again on July 26. A TSA spokesman said the new regulations would prescribe fewer specific security measures for companies. Instead, the agency would move to a “performance-based model” that would require cybersecurity to advance as threats evolve.
“The TSA is consulting with industry stakeholders and federal partners as it modifies this safety directive,” the spokesman said.
Since the Colonial hack, companies have argued that the emergency regulations have slowed down their operations and could impede the delivery of oil and gas. Since the introduction of its second set of rules, the agency has received more than 380 requests from companies to deviate from the rules it set.
Suzanne Lemieux, director of operations security for the trade organization the American Petroleum Institute, told the Wall Street Journal: “We are encouraged by the changes they have made. There were a lot of things that weren’t well thought out in the rush to issue the rules.”
Regardless of regulation, companies have also increased their spending on operational security. Darren Van Booven, lead principal consultant for cybersecurity company Trustwave, told us he has seen demand for operational technology security services double since the Colonial hack.
He continued: “This has been driven primarily by boards and directors, in direct response to Colonial Pipeline. Organizational leaders are calling for audits and evaluations of security systems, ransomware protection strategies, and advanced threat detection and response capabilities, such as cyber ranges.”