Corvus Insights Blog | Smart Cyber Insurance

Colonial Pipeline Shutdown: What Could Have Been Done Differently

Written by Mike Karbassi | 05.13.21

The Colonial Pipeline attack had a shocking result, but what led up to it was hardly out of the blue.

What happened during the Colonial Pipeline shutdown?

The shutdown of one of the nation’s largest pipelines (5,500 miles, carrying 45 percent of the East Coast’s fuel supply) has been a leading news story in 2021, drawing the attention of cybersecurity experts, officials at the Energy Department, and the White House. On May 7th, 2021, Colonial Pipeline halted the movement of refined gasoline and jet fuel to contain a ransomware attack on its corporate computer networks, causing major fuel shortages across parts of the United States. The incident continues a troubling trend of attacks by sophisticated threat actors, and in this case it lays bare the vulnerabilities and flaws in our infrastructure.

Colonial Pipeline, a privately held company, reports that the attack affected only its business network and that the pipeline itself was shut down out of an abundance of caution. The FBI has confirmed that the threat actor behind the attack is the ransomware group DarkSide. DarkSide runs a ransomware-as-a-service platform: affiliates use its tooling to target and infect large, profitable companies and then apply double extortion, either to increase leverage on a single ransom demand or to attempt to collect two separate payments. First, the actor demands a ransom for the digital key that unlocks the encrypted files and servers (the conventional ransomware maneuver); then it applies additional pressure by threatening to publish or destroy the stolen (“exfiltrated”) data, as Brian Krebs of Krebs on Security describes. After US government officials became involved, the DarkSide group made a point of publicly clarifying its motives on its leak site:

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money. and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

What Could Have Been Done Differently?

As we dug deeper into the Colonial Pipeline situation this week, we saw a few glaring cybersecurity red flags in the company’s security posture. For example, Colonial has no publicly listed CISO and no visible security team presence, apart from an unfilled job posting. There are also evident patch management issues: we were quickly able to find a directory server on their network that should not have been exposed to the internet in the first place, and which hosted several pieces of software with known vulnerabilities. That is one of hundreds of exposures that were easy to identify.
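The kind of external check that surfaces an exposed directory server can be automated against an ordinary port scan. The script below is an added example written for this post, not Corvus tooling or anything from Colonial’s environment: it parses nmap’s XML output (the `-oX` format of `nmap -sV`) and flags any open port that belongs to a service with no business on a public address (LDAP, LDAPS, Global Catalog, SMB, RDP, Kerberos, WinRM), separately from ports that merely self-report a version and need checking against vendor advisories. The scan data, the address 203.0.113.10 (a documentation range) and the product names and versions in it are constructed for the example.

```python
"""Triage an external port scan for services that should never be internet-facing.

Added example for this post, not Corvus tooling. The nmap XML below is
constructed (203.0.113.10 is a documentation address; products and versions
are made up) to look like `nmap -sV -oX` output for one hypothetical host.
"""
import xml.etree.ElementTree as ET

# Services that have no business on a public address: directory services,
# Windows remote-access and file-sharing protocols, and Kerberos. Any of these
# reachable from the internet is a finding regardless of patch level.
NEVER_EXPOSE = {
    88: "Kerberos",
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service",
    389: "LDAP (directory server)",
    445: "SMB",
    636: "LDAPS (directory server)",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
    3389: "RDP",
    5985: "WinRM over HTTP",
    5986: "WinRM over HTTPS",
}

# Constructed sample scan. Note that the RDP port is 'filtered', not 'open'.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.10">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/>
      </port>
      <port protocol="tcp" portid="389">
        <state state="open"/>
        <service name="ldap" product="Microsoft Windows Active Directory LDAP"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="Apache httpd" version="2.4.29"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return a list of (address, port, service, product, version) for each open port."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposures
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            rows.append((addr.get("addr"), int(port.get("portid")),
                         get("name", ""), get("product", ""), get("version", "")))
    return rows


def find_exposures(xml_text):
    """Rank open ports: 'high' for never-expose services, 'review' for anything
    that self-reports a version (to be checked against vendor advisories, not
    assumed vulnerable)."""
    findings = []
    for addr, port, name, product, version in parse_open_ports(xml_text):
        if port in NEVER_EXPOSE:
            findings.append({"addr": addr, "port": port, "severity": "high",
                             "reason": f"{NEVER_EXPOSE[port]} reachable from the internet"})
        elif version:
            findings.append({"addr": addr, "port": port, "severity": "review",
                             "reason": f"{product} {version} ({name}) reports a version; "
                                       "compare against vendor advisories"})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_SCAN):
        print(f"[{f['severity']:6}] {f['addr']}:{f['port']}  {f['reason']}")
```

Two design choices matter here. The exposure rule is evaluated before, and independently of, any version information: an internet-reachable directory server is a finding even if it is fully patched, because the attack surface itself is the problem. And only ports in the `open` state count; the filtered RDP port in the sample is deliberately not reported, so a firewall that drops packets is not mistaken for an exposure.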

We’re not here to cast blame on Colonial, or anyone else, for their incident response policy and practices; we only want to point out that if these issues stand out to us, they also stand out to threat actors. We recently reported on the consequences of poor cyber hygiene for public utilities when we looked at the intrusion at a water utility in Oldsmar, Florida. The scale there was far smaller, but the threat was serious, and the incident captures an ongoing concern: public utilities need proper security measures in place.

If you consider the potential consequences of a hacker gaining access to a small city’s water supply, you can only imagine how severe the impact of the Colonial Pipeline breach could have been had the threat actors had different motivations. And a $5 million ransom payout is no minor amount; it should be a significant motivator for all public utilities, energy companies, and infrastructure providers to prioritize closing the vulnerabilities in their systems.

The first step is figuring out where to start, and we’re offering help in the form of a free Corvus scan and IT security report. It lets you see your IT systems the way a hacker does and provides recommendations for addressing common cyber risk factors. We want to make the world safer, and that means sharing what we know.