The big news in critical infrastructure security is the ransomware-triggered shutdown of the Colonial gasoline pipeline – the largest such pipeline in the USA. The attack has been attributed to the DarkSide ransomware group. The group subsequently posted an apology on their website saying “they didn’t mean” to impact critical infrastructure.
We’re joined today by Lior Frenkel, CEO and Co-Founder of Waterfall Security Solutions. Mr. Frenkel founded the company specifically to address the then-emerging threats to critical infrastructure that were posed by targeted attacks.
So Lior, our topic is the big pipeline shutdown. How big a deal is this in the world of critical industrial infrastructures?
This is the biggest shutdown ever of critical infrastructure in the USA from a cyber attack. It is a very big deal. That said, it is not very surprising. Targeted ransomware groups use very powerful tools and attack techniques.
Only a few years ago, these levels of tools and techniques were being used exclusively by nation states to hack into each other’s government networks. In this case, that the bad guys said “oops” after the fact only shows how powerful these tools are.
It is unusual to get an apology from a criminal group. What happened there?
That they apologize after the fact doesn’t mean a lot to me. These are criminals after all – they lie for a living. And the apology doesn’t change that the damage is done already. As to what happened at Colonial, I have only the public reports to go from, so I won’t comment on the specifics. In general though, there are maybe three ways for a targeted attack to shut down an industrial operation.
1. The attackers could target operations specifically, like they did with TRITON in 2017, which shut down a couple of different petrochemical sites in the Middle East.
2. They could hit IT targets, with the attack “leaking” into operations – these are powerful tools after all. Even without evidence that the attack has migrated into ops, the organization might shut everything down in an abundance of caution, like they did in the Norsk Hydro attack in 2019.
3. Another way that targeted attacks impact operations is when the attack takes down some IT systems that operations depends on. In hindsight, those IT systems should probably have been protected as part of the OT security system, not left on a network that allows connections to the Internet. We saw a lot of manufacturing sites in 2020 taken down by this kind of dependency failure.
That’s not encouraging. How well protected are critical infrastructures generally against these targeted ransomware operations?
Waterfall Security pioneered the market with very powerful new defenses against targeted attacks for industrial infrastructures, and so we track how thoroughly protected different industries and geographies are. Now, protection for industrial networks does vary from one business to the next, but there are some trends. For example, the biggest power generation utilities in North America tend to be much better protected than other sites or industries. And rail systems in North America and Europe are working very hard to improve their security. Rail systems were late to realize how bad the cyber threat had become, but today the industry is moving faster than most others to get in front of the problem.
Around the world, some countries and regions are far ahead of others. Most of the Middle East is moving quickly towards stronger protection for all of their critical infrastructures, many of them using our technology. This is one of the reasons we just opened an office in the United Arab Emirates last month, to help serve the demand in that region.
Singapore, South Korea and France also have regulations that demand very strong protections against sophisticated targeted attacks. Other industries and other parts of the world are not so mature. Targeted ransomware groups, whether they target industrial networks deliberately or only accidentally, are a real threat to a lot of critical infrastructures.
What does this mean looking forward?
Critical infrastructures are critical – this is the point. Today’s targeted ransomware attacks use tools and techniques that only the nation-states were using just a few years ago.
Critical infrastructure organizations need a clear understanding of what they’re up against, and they need defenses in place to keep everything that is critical working. There are not a lot of options when it comes to defeating today’s targeted ransomware reliably. This is why one country after another is telling their infrastructures to use unidirectional gateways as the main pillar of their protection plan.