Learning from the Colonial Pipeline Hack: 4 Ways to Mitigate the Risk of a Ransomware Attack
On May 7, Colonial Pipeline discovered it had been hit with a ransomware attack. Three days later, the FBI confirmed that a ransomware group known as DarkSide was responsible for the attack, which caused the company to proactively shut down 5,550 miles of pipe. The shutdown has inflicted panic on the East Coast, causing gasoline shortages in several states.
While the technical details of the attack are still unknown, here's a breakdown of ransomware attacks, what made Colonial Pipeline susceptible, and what you can do to protect your company from a similar situation.
What is the Colonial Pipeline?
Founded in 1962, Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons (2.5 million barrels) of fuel per day. Specifically, Colonial transports various grades of gasoline, diesel fuel, home heating oil, jet fuel, and fuels for the U.S. military through its pipeline system. The midstream oil and natural gas company, based out of Alpharetta, Georgia, is responsible for roughly 45% of the East Coast's fuel.
The Colonial Pipeline Cyber Attack
The technical details are still unknown and will likely remain unknown until an investigation occurs, but here's what we know now.
Colonial Pipeline released a public statement that read, "on May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems." They immediately brought in a cybersecurity firm, FireEye, to help combat the attack.
Ransomware is a malicious program that encrypts data on your device and typically demands a payoff in return for the decryption key. Ransomware attacks have become so numerous that Biden administration officials recently deemed them a national security threat.
Robert Weiss, Head of Information Security at OpenVPN, says, "Ransomware is very prevalent because it is so hard to prevent. To prevent ransomware from being successful, an enterprise needs to deploy a wide range of controls, including network separation, EDR, anti-phishing controls, and training, and have a mature cybersecurity program."
Although ransomware attacks are not entirely preventable, there are steps you can take to mitigate the risk of attack.
Preventing a Ransomware Attack
"Every company needs to understand that they are a target," Weiss explains. "Every company should understand their current state of cybersecurity and have a plan to address any deficiencies and recover business processes should ransomware infect company computers."
It's those that are caught off guard that have a difficult time recovering. Here are some actionable steps you can take today to mitigate your risk of attack (or better prepare for when it does occur):
- Review your existing segmentation and preventative controls to make sure they're still functioning. If not, consider revamping them.
- Maintain robust backup systems and a process to restore them should ransomware or any other attack destroy those systems.
- Be aware of the risk from your suppliers. Consider what plans you need to have in place should third parties you work with be affected by ransomware or other cyber-related attacks.
- Review and document the dataflow of any of your company’s critical business system applications that are reliant on operational technologies (OT) communications.
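The first and last items above go together: once the IT-to-OT dataflow of a critical application is documented, that document becomes the allowlist against which segmentation controls can be checked. The script below is an added illustration, not tooling from OpenVPN or Colonial Pipeline; the zones, addresses, log format (`ACTION src dst port proto`) and log lines are all constructed.

```python
"""Segmentation drift check: compare observed IT/OT flows with the documented dataflow."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

IT_NET = ipaddress.ip_network("10.10.0.0/16")  # business/IT zone (hypothetical)
OT_NET = ipaddress.ip_network("10.20.0.0/16")  # operational technology zone (hypothetical)

# Documented dataflow of a critical business application that relies on OT
# communications: the only cross-zone flows that are supposed to exist (constructed).
DOCUMENTED = {
    Flow("10.10.1.5", "10.20.0.10", 502, "tcp"),   # scheduling app -> PLC gateway (Modbus)
    Flow("10.20.0.50", "10.10.1.9", 5432, "tcp"),  # historian -> business database
}

def crosses_zone(flow):
    """True when one endpoint is in the IT zone and the other in the OT zone."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (s in IT_NET and d in OT_NET) or (s in OT_NET and d in IT_NET)

def parse_flow_log(text):
    """Parse constructed firewall log lines of the form 'ACTION src dst port proto'."""
    records = []
    for line in text.strip().splitlines():
        action, src, dst, port, proto = line.split()
        records.append((action.upper(), Flow(src, dst, int(port), proto.lower())))
    return records

def audit(records):
    """Return (undocumented, broken): allowed cross-zone flows missing from the
    dataflow document, and documented flows a control is now blocking."""
    undocumented, broken = [], []
    for action, flow in records:
        if flow in DOCUMENTED and action == "DENY":
            broken.append(flow)  # the segmentation control breaks the business process
        elif flow not in DOCUMENTED and action == "ALLOW" and crosses_zone(flow):
            undocumented.append(flow)  # segmentation gap or an undocumented dependency
    return undocumented, broken

SAMPLE_LOG = """
ALLOW 10.10.1.5 10.20.0.10 502 tcp
ALLOW 10.10.7.23 10.20.0.10 502 tcp
ALLOW 10.10.7.23 10.20.0.12 3389 tcp
DENY 10.20.0.50 10.10.1.9 5432 tcp
ALLOW 10.10.3.3 10.10.3.4 445 tcp
"""

if __name__ == "__main__":
    undoc, blocked = audit(parse_flow_log(SAMPLE_LOG))
    for f in undoc:
        print(f"UNDOCUMENTED cross-zone flow allowed: {f.src} -> {f.dst}:{f.port}/{f.proto}")
    for f in blocked:
        print(f"DOCUMENTED flow blocked: {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

On the constructed log, the audit flags two allowed IT-to-OT flows that are not in the dataflow document and one documented flow that a control is now denying; intra-zone traffic is ignored.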
One last thought from Weiss: "The biggest misconception of ransomware is that you are not a target. These attacks are targets of opportunity. They are always scanning for vulnerable systems on the internet. Nobody is immune."
Multi-layered security, backups, disaster recovery — all of these are essential, but it’s important to remember that there is no silver bullet. However, there is vigilance, and planning for when, not if, your company is attacked.
As Chris Krebs puts it, every CEO should be holding a meeting this week in light of the attack.