by David Jones
- Colonial Pipeline, the largest refined products pipeline in the U.S. and a major supplier of gasoline and jet fuel to the East Coast and a number of southern states, shut down after a ransomware attack Friday, the company said in a statement Saturday.
- Colonial Pipeline retained FireEye/Mandiant to manage the investigation, according to a spokesperson from the cybersecurity company. DarkSide ransomware is responsible for the compromise, the FBI confirmed in a statement to Cybersecurity Dive Monday.
- By Sunday, the company restored some smaller, lateral lines between terminals and delivery points, but the main lines remained shut off. Colonial Pipeline is in the process of restoring service to other laterals, but will only restore service when authorities deem it safe.
The attack highlights the growing concerns among federal cybersecurity officials, members of Congress and industry researchers that the nation’s critical infrastructure is at risk of a crippling cybersecurity breach or malicious attack.
“Warning lights have been flashing for some time now, but this is the most brazen attack on critical infrastructure yet,” Katell Thielemann, research VP at Gartner, said via email. “It shows a complete lack of norms of engagement and fear of reprisal in the cyber domain, when criminal actors feel empowered to target critical assets that underpin the lives of millions.”
Government agencies ranging from the Department of Energy to the Transportation Security Administration have been working with the Cybersecurity and Infrastructure Security Agency to manage the response to this attack, which may have significant impacts on gasoline supply.
The Department of Transportation issued a temporary exemption on fuel transport that would allow greater flexibility to transport gasoline, jet fuel and related products to most of the eastern U.S. states.
“We are engaged with the company and our interagency partners regarding the situation,” Eric Goldstein, executive assistant director of the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency, said in a statement. “This underscores the threat that ransomware poses to organizations regardless of size or sector.”
The American Petroleum Institute is closely monitoring the situation and said that cybersecurity is a top priority for the industry, according to Suzanne Lemieux, manager of operations security and emergency response policy at API.
DarkSide, the suspected actor behind the ransomware attack, is a relatively new group that has engaged in double extortion methods: it encrypts the target's data while also exfiltrating that data and threatening to make it public, according to Cybereason. While the method of attack has not been disclosed in this incident, DarkSide has previously targeted domain controllers.
The energy sector has been particularly wary of cyber risk since a 2018 report highlighted the rising threats of malicious cyber activity against operational technology. The use of automation and connections between operational and information technology systems inside major companies added to the concerns.
“Most industrial environments, including oil pipelines, are no longer air gapped, which means they’re exposed to the outside world,” Marty Edwards, vice president of OT security at Tenable and the former director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said via email. “This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa.”