Critical Infrastructure Companies And Ransomware Wielding Cyber Criminals

May 10, 2021

By a Biometrica staffer

Just last month, cybersecurity firm Kaspersky said in a blog that over the last five years, ransomware has evolved from being “a threat to individual computers to posing a serious danger to corporate networks.” In other words, ransomware-wielding cybercriminals would rather go after the big guys with deeper pockets, and hold them to ransom, than attack several small guys. Cybercriminals now appear to be of the opinion that rather than going for volume, they’d have a shot at a bigger payback if they go after targets that offer value: i.e. commercial organizations and government agencies. These attacks may need more planning, but for cybercriminals they also hold the promise of potential rewards in the millions.

On Friday, May 10, a group of cybercriminals did just that, going after the company that operates the largest gasoline pipeline in the U.S. Colonial Pipeline supplies roughly 45% of the fuel consumed on the East Coast. The company, which transports gasoline, diesel, jet fuel and home heating oil from refineries located on the Gulf Coast through pipelines running from Texas to New Jersey, had to shut its entire network after the attack. To call its pipeline an important one is an understatement. In a Reuters news report on the incident, Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab, is quoted as saying: “It’s not a major pipeline. It’s the pipeline.”

  • On Sunday, May 9, the federal transport department issued an emergency declaration to relax regulations for drivers carrying gasoline, diesel, jet fuel and other refined petroleum products in 17 states and the District of Columbia. It lets them work extra or more flexible hours to make up for any fuel shortage related to the pipeline outage, the Guardian reported on Monday, May 10.
  • The Biden administration has invoked emergency powers as part of an “all-hands-on-deck” effort to avoid fuel shortages.
  • Meanwhile, the cyberattack is also said to have resulted in commodity traders scrambling to secure tankers to deliver fuels by sea rather than by pipeline, the Guardian report added.

Those are just part of the immediate fallout of the attack on a company that falls under the critical infrastructure space. It remains to be seen whether gasoline supply and prices will be impacted. An outage of one day or two would be minimal, but if it stretches to five or six days, it could cause shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, D.C., region, the Associated Press said in its report citing oil analyst Andy Lipow.

Cyber threats against Industrial Control Systems (ICS) declined in the second half of 2019 (H2 2019) and the first half of 2020 (H1 2020), a Kaspersky report published March 25, 2021 said. ICS is a wide term that can cover everything from systems to devices and networks used to either operate, or automate, industrial processes. Threats against ICS have been on the rise once again from the second half of 2020 (H2 2020), the Kaspersky report adds. And the industries with the highest percentage of ICS computers attacked were Oil & Gas, building automation, and engineering.

But, before we go further into specifics of the energy industry and cyber attacks on critical infrastructure firms in general, let’s take a quick look at ransomware.

Ransomware: What Is It?

Here’s a take based on what cybersecurity firm Trend Micro has to say about it. Ransomware is a type of malware that can prevent or limit users from accessing their system, either by locking the system’s screen or by locking the users’ files until a ransom is paid. More modern ransomware families, collectively categorized as cryptoransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key, says Trend Micro. How do users encounter it? There are many ways. It can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload that is either dropped or downloaded by other malware. Some ransomware is delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems, Trend Micro adds.

What exactly happens if you’ve been hit by a ransomware attack? If it is a regular ransomware attack, then a full-screen image or notification could be displayed on an infected system’s screen, which prevents the victim from using their system. Typically, the notification would also give instructions on how a user can pay the ransom. If it is a cryptoransomware attack, it can encrypt predetermined files, i.e. prevent access to potentially critical or valuable files like documents and spreadsheets. As with ransoms in the physical world, in the virtual world too it is considered “scareware,” since it forces victims to pay a ransom by using intimidation and threats. For more on the evolution of ransomware, we’d recommend this piece.
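The two symptoms of a cryptoransomware infection described above, user files turned into ciphertext and a dropped ransom note with payment instructions, are also what a defender can look for after the fact. The following is an added example, not code from the original article or from Trend Micro or Kaspersky: it scores files in an in-memory snapshot by Shannon entropy (encrypted data is close to 8 bits per byte, while text documents are far lower), looks for ransom-note phrasing, and raises an alert when a large share of files looks encrypted or a note is present. The snapshot, the file names, the note text and the phrase list are all constructed for the example.

```python
"""Toy post-incident triage for the cryptoransomware symptoms described in the text.

Constructed example: the snapshot, file names and note phrasing below are invented
for illustration and are not indicators from any real ransomware family.
"""
import math
import random
import re

# Phrases typical of a ransom note; constructed for this example.
NOTE_PATTERN = re.compile(
    r"(your files (have been|are) encrypted|decrypt(ion)? key|pay(ment)? .{0,40}bitcoin)",
    re.IGNORECASE,
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Ciphertext is near 8 bits/byte; tiny files are skipped because their entropy is noisy."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def is_ransom_note(data: bytes) -> bool:
    """A ransom note is readable text telling the victim how to pay for the decryption key."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return NOTE_PATTERN.search(text) is not None


def assess_snapshot(snapshot: dict, ratio_threshold: float = 0.5) -> dict:
    """Classify every file in a {path: bytes} snapshot and decide whether to alert.

    Alerts when a ransom note is found or when at least ratio_threshold of the
    non-note files look encrypted (a single high-entropy file is normal; many at once is not).
    """
    encrypted, notes = [], []
    for path, data in snapshot.items():
        if is_ransom_note(data):
            notes.append(path)
        elif looks_encrypted(data):
            encrypted.append(path)
    user_files = len(snapshot) - len(notes)
    ratio = len(encrypted) / user_files if user_files else 0.0
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "encrypted_ratio": round(ratio, 3),
        "alert": bool(notes) or ratio >= ratio_threshold,
    }


def build_sample_snapshot() -> dict:
    """Constructed snapshot: three 'encrypted' documents, one untouched text file, one note."""
    rng = random.Random(2021)  # deterministic stand-in for ciphertext bytes

    def ciphertext(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    plain = ("Quarterly pipeline throughput report.\n" * 40).encode()
    return {
        "docs/report_q1.xlsx.locked": ciphertext(4096),
        "docs/contract.docx.locked": ciphertext(4096),
        "docs/notes.txt.locked": ciphertext(4096),
        "docs/readme.txt": plain,
        "docs/README_DECRYPT.txt": (
            b"Your files have been encrypted. Send bitcoin to receive the decryption key."
        ),
    }


if __name__ == "__main__":
    print(assess_snapshot(build_sample_snapshot()))
```

The entropy test on its own would also flag legitimately compressed formats (zip archives, JPEGs, modern Office files, which are zip containers), so in practice it is combined with the extension change, the burst of writes in a short window and the note, rather than used alone.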

What Makes Critical Infrastructure Companies Targets?

The Colonial Pipeline cyberattack is one of many ransomware attacks carried out by cybercriminals against critical infrastructure companies around the world in recent times. Here are a few examples, with links to more reading material:

  • In April 2020, DESMI, a Danish company that makes pumps and pumping solutions for marine and industrial applications, including equipment for oil spills, was hit by a ransomware attack. The attackers requested a ransom for data recovery. “A ransom we under no circumstances will pay. We do not support criminals,” Group CEO Henrik Sørensen said in a statement on the company’s website. The company’s communication systems, including email, were affected and had to be temporarily disconnected. It was able to recover these systems by April 14. Read more here.
  • During the same period, European energy giant Energias de Portugal (EDP) group, which Info Security magazine said employs over 11,000 staff globally, and made over €3.3 billion in gross operating income in 2018, was also attacked by ransomware. The attackers demanded €10 million, or around $11 million (according to conversion rates from that day), in exchange for not releasing stolen corporate documents. Read more here.
  • In May 2020, Stadler, a Swiss company that makes railway rolling stock, also fell prey to a malware attack that turned into a demand for a ransom. After the company refused to give in to demands for a $6 million ransom, stolen internal documents were published online. Read more here.
  • Also in May 2020, the Australia-based global logistics firm Toll Group became the victim of a ransomware attack that led to the suspension of its IT systems. Read more here.

In H1 2019, malicious objects were blocked on 35.8% of ICS computers in the Oil & Gas industry. That percentage has been steadily growing, though, to 36.3% in H2 2019, 37.8% in H1 2020 and to 44% in H2 2020, according to Kaspersky. But what makes critical infrastructure companies vulnerable targets for cybercriminals, particularly those in the Oil & Gas space?

Four years ago, the President’s National Infrastructure Advisory Council (NIAC) was tasked by the National Security Council (NSC) with examining how federal authorities and capabilities can best be applied to address urgent cyber threats to critical infrastructure. “Attackers can inflict damage on physical infrastructure by infiltrating the digital systems that control physical processes, damaging specialized equipment and disrupting vital services without a physical attack. As a nation-state cyber attack on U.S. infrastructure places private companies on the front line, this presents a national security challenge unlike any other,” it said in a report published in August 2017.

When it comes to Oil & Gas, the industry has a widespread and complicated production chain — mining, transportation, refining, distribution — that can be difficult to comprehensively defend, a white paper by Trend Micro published in December 2019 shows. “Risks come from all sides: extreme weather can affect transportation, politics (global and local) can impact production, and physical attacks on infrastructure can actually threaten worker safety and even impact the world’s oil supply. With all these concrete risks, seemingly intangible cyberattacks may seem less urgent.” It’s true that you can’t protect your cyber world if you leave your real world unsecured, but in an interconnected globe, it works the other way around too.

Executives are becoming increasingly concerned about the need for cybersecurity to harden their defenses against hackers as Oil & Gas companies and electric power systems (also critical infrastructure) increasingly turn to digital, cloud-based operational solutions, Jim Magill said in an article for Forbes in March. “In February, the operator of a water-treatment plant in west-central Florida uncovered a potentially dangerous intrusion that had occurred on the plant’s computer system. The hacker or hackers set the levels of sodium hydroxide, a potentially dangerous chemical, to increase by more than 100 times the normal levels. The operator returned the chemical levels to their correct proportions and avoided a potential health disaster,” Magill added in his article.

The average global cost of a data breach was $3.86 million in 2020, but that number was nearly double for energy companies ($6.4 million), a report by MIT Technology Review said, sourcing data from Ponemon Institute/IBM Security. In several cases, as we saw in the examples above, companies refuse to pay the ransom or to parley with criminals. But such attacks can still cause reputational damage to individual companies and be a strain on their resources, not to mention the likelihood of disrupting critical services.

As of Monday, May 10, for instance, Colonial Pipeline was still working on restoring its operations. “Colonial Pipeline continues to dedicate vast resources to restoring pipeline operations quickly and safely. Segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy, which is leading and coordinating the Federal Government’s response. Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely,” it said in a statement on its website.