Energy & Utilities Companies: Custom Reports Improve Cyber Hygiene
Colonial Pipeline had a shocking result, but what led to the event was hardly out of the blue. For utilities, energy companies & other components of infrastructure, our free cybersecurity reports may help.
The Colonial Pipeline Shutdown
The shutdown of one of the nation’s largest pipelines — 5,500 miles, and the carrier of 45 percent of the East Coast’s fuel supplies — has been a leading news story this past week, particularly for cybersecurity experts, officials at the Energy Department, and even the White House. On May 7th, Colonial Pipeline halted the movement of refined gasoline and jet fuel in an attempt to contain the breach after a ransomware attack on its corporate computer networks. This is a troubling continuation of a trend of sophisticated threat actors and, in this instance, an illustration of the vulnerabilities and flaws in our infrastructure.
Colonial Pipeline, a privately held company, reports that the attack affected only its business network and that the shutdown of the pipeline was done out of an abundance of caution. The FBI has confirmed the threat actor behind the attack: the ransomware group DarkSide. DarkSide is a ransomware-as-a-service platform that allows cybercriminals to target and infect large, profitable companies and then use a tactic of double extortion to either increase leverage on their ransom demand or even attempt to get two separate payments. First the actor demands a ransom for a digital key to unlock encrypted files and servers (the conventional ransomware maneuver), then applies additional pressure by threatening to release to the public or destroy stolen (“exfiltrated”) data, says Brian Krebs of Krebs on Security. After US government officials became involved, DarkSide made a point of publicly clarifying their motives on their leaks blog:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money. and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
What Could Have Been Done Differently?
As we dove deeper into the Colonial Pipeline situation this week, we saw a few glaring cybersecurity red flags. For example, Colonial has no publicly listed CISO and no visible security team presence — except for an (unfilled) job posting. They also have evident patch management issues: we were able to quickly find a directory server on their system, which should not be exposed to the internet in the first place, and which hosted several pieces of software with known vulnerabilities. This is one of hundreds of exposures that were easy to identify.
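The two red flags above, an internet-facing directory server and software running below a patched baseline, are the kind of thing an organization can check for itself from an external asset inventory before anyone else does. The script below is an added example written for this post, not Corvus’s scan or Colonial’s environment. It assumes a constructed inventory format (host, port, exposed flag, product, version) and uses constructed placeholder product names and version floors in place of real vendor advisories; only the “never public” port list reflects real service ports.

```python
from dataclasses import dataclass
from typing import Iterable

# Services that have no business being reachable from the internet.
# Directory services (LDAP, Kerberos, AD Global Catalog) belong on internal
# networks only; the same goes for SMB, MS-RPC and RDP.
NEVER_PUBLIC_PORTS = {
    88: "Kerberos",
    135: "MS-RPC",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3268: "AD Global Catalog",
    3389: "RDP",
}

# Minimum acceptable version per product. These product names and floors are
# constructed placeholders for the example; a real program would load them
# from vendor advisories or a vulnerability feed.
MIN_PATCHED_VERSION = {
    "dirserv": (2, 4, 50),
    "webserver": (9, 1, 0),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str  # "high" or "medium"
    reason: str


def parse_version(text: str) -> tuple:
    """'2.4.44' -> (2, 4, 44); a dotted part with no digits counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(inventory: Iterable[dict]) -> list:
    """Return findings for every internet-facing service in the inventory.

    Each record: host, port, exposed (bool), product (or None), version (or None).
    Internal-only services are skipped; exposed services are flagged when the
    port should never be public and/or the software is below its version floor.
    """
    findings = []
    for svc in inventory:
        if not svc.get("exposed"):
            continue
        host, port = svc["host"], svc["port"]
        if port in NEVER_PUBLIC_PORTS:
            findings.append(Finding(host, port, "high",
                                    f"{NEVER_PUBLIC_PORTS[port]} reachable from the internet"))
        product = svc.get("product")
        floor = MIN_PATCHED_VERSION.get(product)
        if floor and parse_version(svc.get("version") or "0") < floor:
            findings.append(Finding(host, port, "medium",
                                    f"{product} {svc['version']} is below patched baseline "
                                    + ".".join(map(str, floor))))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.host, f.port))


# Constructed sample inventory (example.net hosts, not real systems).
SAMPLE_INVENTORY = [
    {"host": "dir01.example.net", "port": 389, "exposed": True,
     "product": "dirserv", "version": "2.4.44"},
    {"host": "www.example.net", "port": 443, "exposed": True,
     "product": "webserver", "version": "9.2.1"},
    {"host": "dc02.example.net", "port": 88, "exposed": False,
     "product": "kdc", "version": "1.0"},
    {"host": "legacy.example.net", "port": 3389, "exposed": True,
     "product": None, "version": None},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():6}] {f.host}:{f.port} {f.reason}")
```

Run against the sample inventory, the exposed directory server produces two findings (the LDAP port itself, and the out-of-date software behind it), the legacy RDP host one, and the patched web server none. Exposure severity ranks above version lag because an internal-only service is not reachable regardless of its patch level, which is the ordering a remediation queue should follow.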
We’re not here to cast blame on Colonial — or anyone — for their practices; we only point out that if these stand out to us, they also stand out to threat actors. We’ve reported recently on the negative consequences of poor cyber hygiene for public utilities, where we looked at the intrusion at a water utility in Oldsmar, Florida. In that instance, the scale was a lot smaller — but the threat was serious, and it encapsulates an ongoing concern that public utilities have proper security measures in place.
If you consider the potential consequences of a hacker gaining access to a small city’s water supply, you can only imagine the severe impact of the Colonial Pipeline breach if the threat actors had had different motivations. Of course, a $5 million ransom payout is not a minor amount, and it should be a significant motivator for all public utilities, energy companies, and infrastructure providers to prioritize closing the vulnerabilities in their systems.
The first step is determining where to even start, and we’re offering help in the form of a free Corvus scan and IT security report. This allows you to see your IT system the way a hacker does, and provides recommendations to solve common risk factors. We want to make the world safer, and that means sharing what we know. If you work for any company or organization supplying water, electricity, oil, gas, or other critical resources, click here to begin.