The incident serves as a sign of things to come if cybersecurity isn’t taken more seriously, due to increased connectivity in industrial and critical infrastructure, says Thomas Keenan, a cybersecurity expert and professor at the University of Calgary.
“It could happen in Canada. We have pipelines. We have the same equipment that they have in the United States,” Keenan said in an interview, adding that, similar to the United States, Canada can do little to deter rogue players in non-allied foreign countries.
The pipeline was the target of a cyberattack on May 7 involving ransomware, a type of malicious software that allows hackers to take control of computerized systems and to demand payment for releasing control. In response, Colonial pre-emptively shut down the pipeline.
A spokesperson with the Communications Security Establishment (CSE), Canada’s IT security and foreign signals intelligence agency, said that the CSE is monitoring the impact of the Colonial Pipelines cyberattack.
Increased Connectivity
Gary Miliefsky, a cybersecurity expert and publisher of Cyber Defense Magazine, says that with advances in connectivity capabilities, there are now more inherent vulnerabilities in industrial systems and critical infrastructure.“Operational technology, or OT, is now merging with information technology, or IT,” Miliefsky said in an interview. “With very simple commands you can cause two trains to collide.”
According to Keenan, the Colonial Pipeline incident is the highest-profile attack experienced so far involving the internet of things, or IoT, referring to connectivity of devices around the world.
He says a major reason for incidents like this is that cybersecurity and protection measures haven’t kept up with tactics used by criminals.
A key contributing factor, he says, is increased use of “off-the-shelf technology” by companies. Using widely available equipment rather than custom-made equipment saves companies considerable cost, but the problem is that wide use means more vulnerabilities can be identified and exploited.
“When pipeline companies had very specialized controllers that were made just for them and nobody else could get them, it was a lot harder to find out what the vulnerabilities were,” Keenan said.
Cybercriminals and State Actors
Authorities in both Canada and the United States say cybercrime is on the rise, threatening national security and public safety as well as economic well-being.In the case of cybercriminals, the main targets are large companies and critical infrastructure providers, on the assumption that they would be willing to pay hefty sums of money to get back to operation, the report said.
“Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks, and the potentially destructive consequences of refusing payment,” it said.
The report adds that state actors would be looking to develop capabilities to be able to disrupt critical infrastructure, such as to cut off electricity supply.
Although these state actors, in the absence of “international hostilities,” are not likely to launch a cyberattack to cause major damage or loss of life, they may use the potential capability to intimidate other states or to prepare for future activities, the report said.
Foreign actors also harm Canada by conducting cyberespionage against Canadian businesses and stealing intellectual property, as well as by interfering in the internal affairs of Canada, such as running influence campaigns during elections, the report said.
Keenan says both the Canadian and U.S. governments have “active measures” or “hack back” capabilities—the ability to hack an asset belonging to a hostile power—available as tools of retaliation to serve as a deterrent, but they would only be used following great consideration if geopolitical escalation is at risk.
There have been a number of recent cyberattack incidents with suspected hostile foreign power involvement. Late in 2020, U.S. authorities reported a major months-long hacking operation targeting the information technology firm SolarWinds. The prolonged attack compromised the networks of private firms as well as the U.S. government, including the Department of Homeland Security and the Treasury Department. Authorities believe Russia was behind the attacks.
Prevention
Miliefsky says the best way organizations can guard against future attacks is to assume they’re being breached every day.“If they can start assuming they’re being breached every day, they would probably take steps to never let it last more than a few minutes, rather than days,” he said.
The Canadian and U.S. governments have taken measures to enhance cybersecurity for critical infrastructure, but recent cases have demonstrated that assets still remain vulnerable to attacks.
In the aftermath of recent attacks, such as the hacking of SolarWinds, the U.S. government is intending to issue an executive order to mandate security enhancements for government contractors.
He says more government action is required to thwart the risks from outside.
“[P]reventing ransomware attacks like the Colonial Pipeline attack would require U.S. intelligence and law enforcement to infiltrate every organized cyber criminal group in Eastern Europe,” he writes.
In the case of the SolarWinds incident, there were also some simple things that should have been done better, such as the use of a stronger password for the company’s development server, Thompson notes.
Keenan also says that there should be better cybersecurity education for individuals to enhance security practices and boost defences against phishing attacks.
What would also help in these situations, he adds, is stronger breach notifications when organizations are attacked, rather than hiding the information from the public.
“We should get the best minds working on these,” he says.