Dark days in battle against cybercrime

The hijacking of a US fuel pipeline by cyber-criminal gang DarkSide is a harbinger of deeply worrying times ahead

The US government issued emergency legislation after its largest fuel pipeline (the Colonial Pipeline) was hit by a ransomware cyber-attack. The pipeline was swiftly taken offline after the attack that has been widely attributed to the cyber-criminal gang DarkSide.

As well as encrypting the data, DarkSide also threatened to leak the data online if the ransom wasn't paid. The shutdown disrupted fuel supplies along the East Coast and caused panic buying, leaving some gas stations without fuel. Service to the entire pipeline system was eventually restored.

Steve Forbes, government cyber security expert at Nominet, had this to say about the domino effect of CNI attacks on this scale: "The declaration of a state of emergency, due to cyber-attack, could become the new normal. With the largest fuel pipeline in the US grinding operations to a halt, due to a ransomware attack, the attack on Colonial is likely to have a ripple effect across the globe.

"The attack will be a stark reminder of how connected our world now is. While the demand for oil across the US East Coast was evident, the fact that this greatly impacted the financial markets and traders demonstrates that this really was the tip of the iceberg. That's not to mention the fact that the severity of this breach could well worsen, if confidential information is leaked, as the group has threatened."

Being able to take systems offline and begin a process of restoration is undeniably important, he adds, but he warns that there is an additional threat if this data is exposed. "It underlines the importance of international collaboration to bring down these highly coordinated groups early in their development, if we want to protect our critical services."

Chief product and development officer at Ava Security, Ran Pugach, says the Colonial Pipeline incident highlights the increasing risk that ransomware is posing to critical national industrial infrastructure and the physical consequences that these attacks can have on society. "Especially with more than 90% of attacks involving human error, according to the UK's Information Commissioner's Office, securing critical national infrastructure against social engineering attacks is essential. We've seen similar attacks like this, when the Florida water treatment facility was hacked through TeamViewer.

Steve Forbes, Nominet: declaration of a state of emergency, due to cyber-attack, could become the new normal.

"In order to prevent ransomware attacks like this, organisations need to embrace a new approach built around the user, as the rise of remote working makes us more exposed than ever. Hackers are experts in social engineering and will use whatever information they can to leverage multiple entry points or avenues to achieve their goals. This can be through malicious emails or suspicious websites."

A preventive approach to ransomware protection leverages user education and cyber awareness, Pugach adds. "Installing end-point detection and response tools is a good first step. These solutions are essential in helping not only to salvage the situation, but also to be able to investigate and understand where the vulnerability was and how to prevent it in the future. Nevertheless, such solutions have to be complemented with further safeguards that can capture anomalies, understand and correct user behaviour."

Ransomware attacks such as this one continue to dominate the news, as they remain a popular tactic for cybercriminals, says Dr Francis Gaffney, director of Threat Intelligence & Response at Mimecast.

"At Mimecast, our recent State of Email Security report found that 61% of businesses worldwide have been affected by ransomware in the past 12 months, which illustrates how common ransomware has become. Attacks like this have the potential to disrupt an organisation and impact its ability to conduct essential operations or provide critical services to the community, which can have significant consequences.

Francis Gaffney, Mimecast: likely that the increase in remote working played a role in this attack.

"Our research found that companies impacted by ransomware lost an average of six working days to system downtime, with 37% saying downtime lasted one week or more. This disruption forces many organisations to pay the ransom and our research shows that 52% of businesses did so. However, only 66% of those were able to recover their data. The remaining 34% never saw their data again, despite paying the ransom."

It is likely that the increase in remote working played a role in this attack, he states. "With the rise of engineers remotely accessing control systems for the pipeline from home, cybercriminals are able to prey on vulnerabilities associated with this way of working to access the organisation's system."

In the past decade, there has been a push to move more and more Operational Technology (OT) systems into the IP world, given that ICS and SCADA networks are often near-identical in design, components and software, regardless of where they are deployed. "However, the equipment's defences against threats that are common today, such as malicious and recreational hackers, can be lacking, because the dangers did not exist when the systems were first installed," adds Gaffney. "This increased connectivity [for example, via the proliferation of 5G and the IoT/IIoT] makes them more vulnerable to cyber-attack."

Organisations must start investing in cybersecurity preparedness and awareness training, he advises. "From our research, 43% of respondents said that employee lack of cognisance about current campaigns and wider cybersecurity issues is one of their greatest vulnerabilities, and yet only one in five respondents indicated they have ongoing [more than once per month] security awareness training in place. It is recommended that organisations focus on prevention, rather than cure, by implementing strong resiliency measures, and ensure that employees are properly trained in cyber awareness."

Ran Pugach, Ava Security: organisations need to embrace a new approach built around the user.

INADEQUATELY PROTECTED
Gareth Williams, VP, Secure Communications and Information Systems UK at Thales, says the ransomware attack on the Colonial Pipeline is a reminder that the operational technology (OT) that our day-to-day lives rely on is increasingly becoming a target for malicious actors.

"This attack serves to confirm that businesses are not adequately protected when it comes to OT security and must start taking cybersecurity seriously and increase protection across their business," Williams cautions. "However, building a cohesive approach to securing your OT can sometimes be an engineering challenge as much as a cyber one, so teams cannot approach this in the same way they would IT security - it's a different ball game and critical national infrastructure is at stake."

One of the first steps on this path is identifying where data is held, but also which people, applications and code are trusted to access it. "In doing this, rogue code, such as ransomware, will be unable to weave its way onto a database to encrypt it and gain control of the data."