Why the Colonial Pipeline Attack Matters to Rhode Island and New England Businesses


Every week, it seems, there’s a new headline about a ransomware attack, data breach, or other serious cyber incident. It’s understandable that the general public, especially those who don’t hold positions in information technology, may have grown somewhat desensitized to the news. However, given the critical role that workers play in their employers’ cybersecurity, these headlines warrant more alarm, not less: the attacks are growing in frequency and scope and pose a growing threat to workers, especially those working remotely.

The dizzying pace of attacks makes it difficult for the layperson to understand which ones are important, usually until long after the fact. You’ve probably heard about high-profile data breaches at Marriott International, Wattpad, Adobe, and Equifax, among other recent corporate cyber incidents. And you may even have heard of cybercriminals successfully targeting U.S. agencies like the Centers for Medicare & Medicaid Services and the United States Postal Service in recent years.

However, the recent ransomware attack on the Colonial Pipeline stands apart. The single largest cyberattack on a piece of critical U.S. infrastructure, the attack and the resulting shutdown had, and continue to have, far-reaching ramifications for the gas industry, U.S. businesses, and cybersecurity.

Why the Colonial Pipeline Attack Matters

When the cybercriminal collective known as DarkSide gained access to Colonial Pipeline’s IT infrastructure through a spearphishing effort, they both stole sensitive data and encrypted key assets before making a ransom demand. In exchange for 75 Bitcoin (valued at the time at $4.4 million), DarkSide promised a decryption key. Fearing other operational assets might be compromised, the company shut down the pipeline, which cut off the fuel supply to roughly 45 percent of the population of the Southeastern U.S.

As the supply shut down, customers in multiple states and the District of Columbia began panic buying, exacerbating shortages at the pump. The White House and governors issued emergency declarations, fuel prices surged, and airlines saw delays and rescheduling. The shutdown lasted six days, though it took longer for the company to completely restore operations.

Despite the resumption of operations, the Colonial Pipeline attack is a prominent example of how cybercrime has grown more sophisticated and expansive in scope. It also highlights the numerous gaps in cybersecurity that pose risks for businesses, government agencies, and other stakeholders.

Lessons Learned

Given DarkSide’s infiltration of the pipeline’s network through spearphishing, the attack highlighted the need for businesses to hold regular employee cyberawareness training. Employees must learn to detect and report suspicious online activity to protect their employer’s network — an imperative that takes on added importance for remote workers working at home. In fact, employers should take it a step further and strive to foster a security culture from the top down to every corner of the organization.

Until the Colonial Pipeline attack, DarkSide proclaimed it only targeted large corporations and not hospitals, government agencies, schools, or nonprofits. It operated, and continues to operate, for profit, though it has sought to paint itself as a force for good by giving away some of its ill-gotten gains to charities. However, upon realizing the disruption its pipeline attack had caused, DarkSide released a statement distancing itself from political motives and from future attacks on critical infrastructure.

Whether DarkSide adheres to that commitment remains to be seen, but it is far from the only cybercriminal organization out there, and others have no such boundaries. DarkSide’s targeting of Colonial Pipeline should be a wake-up call that no business is safe, regardless of size or industry. Nor are governments or non-governmental organizations.

The company’s CEO, Joseph Blount, acknowledged paying DarkSide’s ransom demand, indicating it was “the right thing to do for the country,” in an interview with The Wall Street Journal. Law enforcement strongly discourages paying ransoms in these situations because payment provides no guarantee that a business’s systems will be decrypted or won’t be further compromised. Indeed, the decryption key Colonial Pipeline received was so slow that the company was forced to restore its operations from backed-up data anyway.

The attack also illustrates the critical role of business continuity planning and of data backup and recovery protocols. Many companies still don’t have adequate backup systems, or don’t regularly test the ones they have to make sure they perform as needed. Being able to restore key systems and data quickly not only limits the financial losses from an attack but also removes the leverage a hacker holds, allowing a company to avoid paying the ransom at all.

Lasting Impact

Further, the Colonial Pipeline attack highlighted the murky role regulators and law enforcement agencies play, and the coordination gaps that can prevent companies in distress from receiving assistance. Though there were legal cybersecurity mandates for other industries, such as electric power and nuclear power plants, there were none in effect for pipeline companies before the attack. In fact, for days after the event, government officials scrambled to get technical details about the attack, which Colonial Pipeline initially refused to provide. The U.S. Transportation Security Administration (TSA), housed within the Department of Homeland Security, plans to require pipeline companies to report all incidents to federal authorities in the future, along with more detailed response protocols.

While it’s often in a business’s best interest to adhere to best practices in cybersecurity, many businesses don’t prioritize it until after a cyber incident occurs. However, as hackers continue to exploit business IT vulnerabilities successfully, regulators and lawmakers looking to protect consumer interests may be compelled to enact further mandates in other industries. Businesses should invest the proper time, resources, and planning to protect themselves now and so mitigate the risk of mandates that are expensive to implement.

And even with additional mandates, many federal and state agencies are simply ill-equipped to provide support. For example, TSA had only five staffers in its pipeline security division as of 2019. Further, clear lines of cybersecurity authority often don’t exist. In the wake of the attack, questions have arisen about whether TSA or the Energy Department should respond to pipeline attacks. More broadly (and like Colonial Pipeline, which lacked a dedicated cybersecurity manager), the federal government lacks a central cybersecurity authority empowered to lead the relevant agencies and marshal their resources to respond. This deficit makes threat detection and incident response more difficult.

The takeaway? Businesses of all sizes and industries must muster all available resources to detect and address cybersecurity threats proactively. Cyberattacks continue to grow in scope and sophistication, and it’s up to businesses to protect themselves.

If you recognize the urgency but are unsure where to get started, contact us at TAG today. For more than 25 years, we’ve provided Rhode Island and New England businesses with the best available IT services. We’ll work with you to develop a comprehensive cybersecurity assessment, develop a roadmap for you to safeguard your business, and identify and deploy the solutions you need. Let’s connect today and schedule a time to discuss your business’s cybersecurity needs.
