Colonial Pipeline crisis casts doubt on existing cybersecurity measures
On May 7, U.S. fuel pipeline operator Colonial Pipeline found itself facing a ransomware attack that forced the company to shut a fuel network down, leading to chaos as major fuel deliveries were disrupted.
Contradicting initial reports, Colonial was found to have paid nearly US$5 million in ransom to Eastern European hackers, whom the FBI has said are linked to a group called DarkSide, which is composed of veteran cybercriminals and specialises in digital extortion.
In response to the attack, U.S. president Joe Biden declared a state of emergency on May 9, stating, “We’ve put in place emergency orders and allowed states to lift weight restrictions for tank truck drivers to be on the road… This allows those drivers to work more and carry more fuel to the affected regions.”
Colonial eventually relaunched operations on May 13, following a six-day shutdown. However, the incident has raised concerns about the oil and gas sector’s current state of cybersecurity, and whether more should be done to secure refining and petrochemical assets.
Cybercrime thrives during the pandemic
Vijay Vaidyanathan, Regional Vice President – Solutions Engineering, APJ at Claroty, commented, “There has been a recent surge in data breaches and ransomware in varied industry sectors across the ASEAN region. There has also been an increase in Covid-19 related fraud online, which relates to medical and protective equipment. While data breaches have compromised millions of e-commerce user accounts, in the past year, ransomware has hit hospitals, businesses, and the aerospace and engineering sectors.
Multiple countries in the region rely on critical cross-country pipeline infrastructure to feed natural gas to power plants or gas separation plants, supplying varied fuels and raw materials for the downstream petrochemical industry. The diverse and geographically distributed nature of such critical infrastructure provides numerous entry points or footholds for attackers to breach and move between networks.”
Safeguarding ASEAN’s petrochemical industry
“Like the rest of the world,” continued Vaidyanathan, “the ASEAN petrochemical industry operates with a combination of legacy and proprietary industrial systems to run its facilities. These systems are predominantly run on Windows-based supervisory stations which host operating systems that can be unpatched, or even obsolete in some cases. Resident vulnerabilities have been shown to make possible remote code execution (with or without user intervention) and data harvesting. We have seen malware and ransomware designed for IT assets impacting OT assets due to the extent and prevalence of IT in mission-critical OT networks. In the event a system cannot be patched immediately, patching and/or compensating controls are needed.
The lack of continuous monitoring in many petrochemical facility networks means the presence of a small-scale attack may not be easily detected due to the redundancy that gets built into operations. These redundancies typically permit attackers to aggregate and prepare for substantial damage in due course.
To improve the ASEAN region’s petrochemicals industry’s cybersecurity posture, these key areas of concern need to be rapidly addressed. Petrochemical facilities are typically integrated, feeding off each other, so that the rippling effect of ransomware and/or malware proliferation is very easy to imagine.
Many of the petrochemical facilities in the ASEAN region are still in the early stages of properly segmenting their networks, which emphasises the need for continuous monitoring over the currently flatter, and inherently less secure, networks. Plus, there is a lack of strong authentication controls, and remote access is provided to third-party contractors using solutions that are not tailor-built to secure mission-critical networked connections.”
If anything, the data breach at Colonial Pipeline should serve as a warning to the petrochemical sector in the ASEAN region: the significance of strong, reliable cybersecurity cannot be overstated, and time is running out for organisations to improve upon existing measures and stay ahead of threats lurking in cyberspace.