Colonial Pipeline Cyberattack Exposes Vulnerabilities in Critical Infrastructure

Colonial Pipeline Cyberattack Exposes Vulnerabilities in Critical Infrastructure
A sign tells customers that no gas is available at a gas station in Smyrna, Georgia, on May 11, 2021. Elijah Nouvelage/AFP via Getty Images
Omid Ghoreishi
Updated:
News Analysis
The cyberattack that shut down the Colonial Pipeline in the United States made clear the consequences of such attacks in a tangible way, as it led to gas price hikes and even fuel pump closures in the American Northeast, causing disruptions to daily life.

The incident serves as a sign of things to come if cybersecurity isn’t taken more seriously, due to increased connectivity in industrial and critical infrastructure, says Thomas Keenan, a cybersecurity expert and professor at the University of Calgary.

“It could happen in Canada. We have pipelines. We have the same equipment that they have in the United States,” Keenan said in an interview, adding that, similar to the United States, Canada can do little to deter rogue players in non-allied foreign countries.

U.S. President Joe Biden has said that there is evidence the cyberattack was launched by actors in Russia, but that so far there is no indication of Russian government involvement although Moscow has a responsibility to deal with the issue.

The pipeline was the target of a cyberattack on May 7 involving ransomware, a type of malicious software that allows hackers to take control of computerized systems and to demand payment for releasing control. In response, Colonial pre-emptively shut down the pipeline.

The FBI has confirmed that the cybercrime group DarkSide is behind the attack. The hacker group said in a statement that it’s “apolitical” and not tied to any government, and is only after money.

A spokesperson with the Communications Security Establishment (CSE), Canada’s IT security and foreign signals intelligence agency, said that the CSE is monitoring the impact of the Colonial Pipelines cyberattack.

“CSE has a strong and valuable relationship with its Five Eyes alliance partners, including our intelligence and cyber defence counterparts in the United States. We regularly share information with our partners that has a significant impact on protecting our respective countries’ safety and security,” Evan Koronewski said in an email.

Increased Connectivity

Gary Miliefsky, a cybersecurity expert and publisher of Cyber Defense Magazine, says that with advances in connectivity capabilities, there are now more inherent vulnerabilities in industrial systems and critical infrastructure.
Holding tanks are seen in an aerial photograph at Colonial Pipeline's Dorsey Junction Station in Woodbine, Md., on May 10, 2021. (Drone Base/Reuters)
Holding tanks are seen in an aerial photograph at Colonial Pipeline's Dorsey Junction Station in Woodbine, Md., on May 10, 2021. Drone Base/Reuters

“Operational technology, or OT, is now merging with information technology, or IT,” Miliefsky said in an interview. “With very simple commands you can cause two trains to collide.”

The Feb. 5 incident in Florida, where hackers tried to poison a city’s water supply using remote controls, serves as another example of the deadly consequences of cyberattacks. In that case, the attack was averted due to the intervention of an operator who was remotely monitoring the water supply.

According to Keenan, the Colonial Pipeline incident is the highest-profile attack experienced so far involving the internet of things, or IoT, referring to connectivity of devices around the world.

He says a major reason for incidents like this is that cybersecurity and protection measures haven’t kept up with tactics used by criminals.

A key contributing factor, he says, is increased use of “off-the-shelf technology” by companies. Using widely available equipment rather than custom-made equipment saves companies considerable cost, but the problem is that wide use means more vulnerabilities can be identified and exploited.

“When pipeline companies had very specialized controllers that were made just for them and nobody else could get them, it was a lot harder to find out what the vulnerabilities were,” Keenan said.

“And it’s not just companies, it’s governments, the military—they all realized they can save a lot of money by using off-the-shelf technology.”

Cybercriminals and State Actors

Authorities in both Canada and the United States say cybercrime is on the rise, threatening national security and public safety as well as economic well-being.
CSE said in a report last year that Canada is vulnerable to attacks from both cybercriminals and states, including China, Russia, Iran, and North Korea.
People's Liberation Army (PLA) soldiers march next to the entrance to the Forbidden City during the opening ceremony of the Chinese People's Political Consultative Conference (CPPCC) in Beijing on May 21, 2020. (Nicolas Asfouri/AFP via Getty Images)
People's Liberation Army (PLA) soldiers march next to the entrance to the Forbidden City during the opening ceremony of the Chinese People's Political Consultative Conference (CPPCC) in Beijing on May 21, 2020. Nicolas Asfouri/AFP via Getty Images

In the case of cybercriminals, the main targets are large companies and critical infrastructure providers, on the assumption that they would be willing to pay hefty sums of money to get back to operation, the report said.

“Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks, and the potentially destructive consequences of refusing payment,” it said.

The report adds that state actors would be looking to develop capabilities to be able to disrupt critical infrastructure, such as to cut off electricity supply.

Although these state actors, in the absence of “international hostilities,” are not likely to launch a cyberattack to cause major damage or loss of life, they may use the potential capability to intimidate other states or to prepare for future activities, the report said.

Foreign actors also harm Canada by conducting cyberespionage against Canadian businesses and stealing intellectual property, as well as by interfering in the internal affairs of Canada, such as running influence campaigns during elections, the report said.

Keenan says both the Canadian and U.S. governments have “active measures” or “hack back” capabilities—the ability to hack an asset belonging to a hostile power—available as tools of retaliation to serve as a deterrent, but they would only be used following great consideration if geopolitical escalation is at risk.

There have been a number of recent cyberattack incidents with suspected hostile foreign power involvement. Late in 2020, U.S. authorities reported a major months-long hacking operation targeting the information technology firm SolarWinds. The prolonged attack compromised the networks of private firms as well as the U.S. government, including the Department of Homeland Security and the Treasury Department. Authorities believe Russia was behind the attacks.

In another case earlier this year, hackers attacked Microsoft Exchange servers, accessing personal records on hundreds of thousands of servers around the world. Microsoft said the operation was carried out by a Chinese “state-sponsored” hacker group.
Canada’s National Research Council’s computer infrastructure was the subject of a major cyberattack by Chinese state-sponsored hackers in 2014. Citing government documents, The Globe and Mail reported that the resulting damage was in the hundreds of millions of dollars.

Prevention

Miliefsky says the best way organizations can guard against future attacks is to assume they’re being breached every day.

“If they can start assuming they’re being breached every day, they would probably take steps to never let it last more than a few minutes, rather than days,” he said.

The SolarWinds logo is seen outside its headquarters in Austin, Texas, on Dec. 18, 2020. (Sergio Flores/Reuters)
The SolarWinds logo is seen outside its headquarters in Austin, Texas, on Dec. 18, 2020. Sergio Flores/Reuters

The Canadian and U.S. governments have taken measures to enhance cybersecurity for critical infrastructure, but recent cases have demonstrated that assets still remain vulnerable to attacks.

In the aftermath of recent attacks, such as the hacking of SolarWinds, the U.S. government is intending to issue an executive order to mandate security enhancements for government contractors.

However, even with these enhancements, an attack like that against SolarWinds wouldn’t have been prevented, says Terry Thompson, an adjunct instructor in cybersecurity at Johns Hopkins University.
Thompson writes in a commentary in The Conversation that a lot of the vulnerability is due to “foreign dependence” and the risks present when the software being used is developed in jurisdictions that our own governments have no control over.

He says more government action is required to thwart the risks from outside.

“[P]reventing ransomware attacks like the Colonial Pipeline attack would require U.S. intelligence and law enforcement to infiltrate every organized cyber criminal group in Eastern Europe,” he writes.

In the case of the SolarWinds incident, there were also some simple things that should have been done better, such as the use of a stronger password for the company’s development server, Thompson notes.

Keenan also says that there should be better cybersecurity education for individuals to enhance security practices and boost defences against phishing attacks.

What would also help in these situations, he adds, is stronger breach notifications when organizations are attacked, rather than hiding the information from the public.

“We should get the best minds working on these,” he says.