The ransomware attack on Colonial Pipeline, reported over the weekend, is disrupting deliveries of jet fuel to military installations on the east coast of the United States. So far, however, the pipeline shutdown has not affected military operations. According to Peter Hughes, Spokesman for the Assistant to the Secretary of Defense for Public Affairs, “The Defense Logistics Agency is monitoring inventory levels and awaiting any updates from Colonial Pipeline. Sufficient stocks are on-hand for downstream customers and there is no immediate mission impact.” Hughes added that DLA has the ability to leverage alternate supply means to mitigate long-term impacts if delays continue.
“Hopefully, the DoD can learn a lesson from this episode,” said retired Air Force general Robert Spalding, author of Stealth War: How China Took Over While America’s Elite Slept. “While nothing bad has happened, yet, we can now see very clearly how the military’s dependence on civilian infrastructure creates vulnerability for the armed forces.” Air Force bases have long shared fuel pipelines with domestic air infrastructure. The same pipeline that supplies McCarran Airport in Las Vegas, for example, provides jet fuel to Edwards Air Force Base.
Colonial, which is one of the largest pipeline operators in the US, has indicated that the attack was only on its business systems. They evidently shut the pipeline down as a precaution. In such attacks, it is common for malicious actors to implant malware in systems other than those that have been directly targeted. At this time, it is impossible to know if the pipeline’s operational software has been affected. The company’s pipeline network provides fuel to over 50 million Americans. The disruption in supply sent gasoline prices higher this week.
Longtime observers of operational technology (OT) are expressing concern over vulnerabilities on display in the attack. As Kudelski Security CEO Andrew Howard put it, “Every day, more and more non-IT systems, such as pipelines and manufacturing floors, are connected to the internet for convenience, better performance and remote management. Cybersecurity is no longer just an IT issue, it impacts every electronic system. While IT environments are rarely perfectly secured, they get all of the attention. These non-IT systems are often the soft underbelly of many corporate networks. They are more difficult to secure and becoming more interconnected every day.”
Colonial hired Mandiant, a division of FireEye, to investigate. The FBI and Critical Infrastructure Security Agency (CISA) are also working with the company to determine the source of the attack and remediate the damage. The source of the attack has not been confirmed. However, according to government sources, the Eastern European cybercrime gang DarkSide is the leading suspect. It is not clear who, if anyone, is behind DarkSide. Sometimes such criminal gangs operate with the consent of nation-state actors, or even at the direction of their security services. By having a criminal group carry out an attack on another country, intelligence services preserve deniability.
Cybersecurity industry experts are weighing in on what can be done to prevent the next attack of this kind. According to new analysis from Ric Longenecker, CISO at Open Systems, which provides a platform for the Secure Access Service Edge (SASE) featuring zero trust network access (ZTNA), “Cybersecurity investment and partnership today may reduce the impact of similar events in the future. Managed detection and response services in combination with technologies like Microsoft’s IoT Solution CyberX are within reach. Moving in this direction is the best course of action.”
Gary Kinghorn of Tempered Networks similarly spoke to the potential for Zero Trust in this kind of situation. He said, “Zero Trust can greatly mitigate the damage that can be done once a user or host is compromised. Lacking Zero Trust, the compromised host can likely navigate to critical infrastructure where it can do real damage. Zero Trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized.”
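The Zero Trust point quoted above, that communication not explicitly authorized is blocked, comes down to a default-deny policy between zones. The following is an added illustration, not code from the article or from Tempered Networks: host names, zone names, the allow rules and the flow records are all constructed for this example. A corporate workstation is allowed to reach an OT jump host; if that workstation is compromised and tries to reach the SCADA HMI or a PLC directly, the attempt is denied and surfaces in the denied-attempt list, which is the detection signal a defender would watch.

```python
"""Default-deny, zone-based policy evaluation over constructed flow records.

Added example, not the article's or any vendor's code. Every host, zone, rule
and flow below is an assumption made up for this illustration.
"""
from dataclasses import dataclass

# Constructed inventory: every known host belongs to exactly one zone.
HOST_ZONE = {
    "billing-ws-17": "it-corp",
    "ot-jump-01": "ot-dmz",
    "scada-hmi-02": "ot-control",
    "plc-pump-a": "ot-control",
}

# Explicit allow rules as (source zone, destination zone, destination port).
# Anything not listed here is denied: that is the default-deny posture.
ALLOW_RULES = {
    ("it-corp", "ot-dmz", 443),        # corporate users reach the jump host over HTTPS
    ("ot-dmz", "ot-control", 22),      # the jump host administers controllers over SSH
    ("ot-control", "ot-control", 502), # Modbus/TCP stays inside the control zone
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Decision:
    flow: Flow
    allowed: bool
    reason: str


def evaluate(flow, host_zone=HOST_ZONE, rules=ALLOW_RULES):
    """Allow a flow only if an explicit rule covers its zone pair and port."""
    src_zone = host_zone.get(flow.src)
    dst_zone = host_zone.get(flow.dst)
    if src_zone is None or dst_zone is None:
        # An unknown host is treated as unauthorized, not given the benefit of the doubt.
        return Decision(flow, False, "unknown host")
    if (src_zone, dst_zone, flow.dport) in rules:
        return Decision(flow, True, f"rule {src_zone}->{dst_zone}:{flow.dport}")
    return Decision(flow, False, f"no rule for {src_zone}->{dst_zone}:{flow.dport}")


def evaluate_all(flows, host_zone=HOST_ZONE, rules=ALLOW_RULES):
    return [evaluate(f, host_zone, rules) for f in flows]


def denied_from(decisions, host):
    """Denied attempts originating from one host.

    A compromised workstation probing beyond its zone shows up here as a
    detection signal, not merely as a dropped packet.
    """
    return [d for d in decisions if not d.allowed and d.flow.src == host]


# Constructed flow records: an allowed jump-host session, two attempts by the
# same workstation to bypass the jump host, normal OT traffic, and an unknown host.
SAMPLE_FLOWS = [
    Flow("billing-ws-17", "ot-jump-01", 443),
    Flow("billing-ws-17", "scada-hmi-02", 22),
    Flow("billing-ws-17", "plc-pump-a", 502),
    Flow("ot-jump-01", "scada-hmi-02", 22),
    Flow("scada-hmi-02", "plc-pump-a", 502),
    Flow("rogue-laptop", "plc-pump-a", 502),
]

if __name__ == "__main__":
    decisions = evaluate_all(SAMPLE_FLOWS)
    for d in decisions:
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {d.flow.src} -> {d.flow.dst}:{d.flow.dport}  ({d.reason})")
    print("denied attempts from billing-ws-17:", len(denied_from(decisions, "billing-ws-17")))
```

The design choice worth noting is that the policy is keyed on zones rather than individual hosts, so a newly compromised host gains nothing from knowing the address of a controller: only the zone pair and port matter, and the rule set has no entry that lets the corporate zone speak to the control zone directly.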
Guy Caspi, CEO and Co-Founder of Deep Instinct, offered this take: “The government should learn from countries that have built up cybersecurity programs that are stopping threats/tactics like those used against the U.S. For example, other nations execute protection in a multi-layer approach. In these cases, it’s not enough for malicious actors to break through one layer, because the next software is already waiting there. And underneath that, the next one. One product or solution is simply not enough. Implementing a layered approach to cybersecurity, including the use of groundbreaking technology like deep learning to prevent attacks, will make breaking through the U.S.’ protective shield like Mission Impossible.”