Looking back on the Colonial Pipeline hack
It’s been one year since Colonial Pipeline was infamously hacked, creating fuel shortages, driving up gas prices, and creating a state of emergency. We’ve dug into this hack many times before, but looking back on one of the biggest critical infrastructure attacks shows us both why this cyber incident is so important and how organizations should move forward with their cybersecurity strategies after the many lessons learned from the attack.
Why is the Colonial Pipeline hack important?
It had real-world consequences
While this wasn’t the first attack on critical infrastructure, it was one of the first to capture the attention of people outside the cybersecurity industry, and launched a federal investigation. It caused gas prices to rise in the Southeast and had IT and security professionals wondering how such a large-scale hack happened in the first place. It brought a lot of attention to ransomware, primarily due to the $4.4 million ransom Colonial Pipeline had to pay, and even more awareness of criminal and nation-state groups like DarkSide (the group that attacked the pipeline) that are attacking critical infrastructure, manufacturing, and beyond.
It showed how targeted critical infrastructure actually is
In 2021, 649 critical infrastructure entities were hit with ransomware, according to the FBI. Supply chain and critical infrastructure organizations are at a higher risk of being targeted by bad actors because of the size of the impact a hack could have and the urgency associated with paying a ransom. If these types of organizations are attacked, it creates a waterfall effect that can damage one company or supply chain part after another. Attackers can target just one organization but reap the benefits of hacking several parts within that organization’s supply chain. That waterfall effect creates an urgency in remediating an attack immediately before the repercussions reach any other parts of the supply chain and cause costly downtime, revenue loss, or reputational damage — all of which Colonial Pipeline suffered at the hands of DarkSide.
It changed the way the government thinks about cyberattacks
The Colonial Pipeline hack was not just a wake-up call for businesses, but also for the federal government. Shortly after the pipeline was hacked, the Biden administration announced its first Executive Order on cybersecurity. Since then, several orders, mandates, and policies have been created and enacted to protect critical infrastructure and supply chain organizations. The policies include reporting regulations and best practices for securing and granting internal and external access to critical assets.
It displayed clear vulnerabilities in security strategies
The Colonial Pipeline hack also served as one of the biggest examples of “what not to do” in cybersecurity. About a month after the hack occurred, it was reported that the cyber criminals hacked into Colonial Pipeline using an old VPN account password and a lack of authentication controls. It doesn’t take an InfoSec professional to know that more authentication is needed. But when you’re responsible for the security of an entire pipeline, implementing complex technology can seem like a better idea in theory than in implementation. But proper security technology is exactly what was needed, no matter how complex. And in the end, it would’ve been worth the time and investment to proactively secure the pipeline rather than being the victim of one of the most consequential cyberattacks in history.
What did we learn from the Colonial Pipeline hack?
VPNs can’t be trusted
An old, inactive VPN account of a former employee was the gateway for the attack. VPNs are already ineffective methods of remote access since they can’t deploy fine-grained access controls as effectively to put the brakes on a nefarious user moving through a remote access connection. When they’re left untouched, not deprovisioned, and not managed properly, it’s the perfect hacking storm, especially if they have stolen or cracked the password.
Access needs to be regularly reviewed
Regular access reviews keep companies accountable for deprovisioning accounts and access of former employees by making IT teams, managers, and supervisors look at individual access rights and determining if they’re needed. If user access was regularly reviewed, the Colonial Pipeline IT team would’ve seen that this employee doesn’t work there and therefore, doesn’t need a VPN account. This is just one practice that helps all organizations prevent issues like this where an attacker could exploit old access points to gain entry into critical systems.
Credential management needs to be taken seriously
DarkSide got hold of a compromised password that led to the inactive VPN to get into the pipeline’s system. By now, we’ve all seen enough security training videos to know proper password protocol. And at an organizational level, credential management should be streamlined with privileged access management tools or other effective means of protecting credentials. With PAM tools, passwords can be vaulted so they’re safely stored and only authorized users can request the password, rotated so the password is never the same for a long period of time, and masked when in use so the user who has the password never actually sees it. Ideally, the VPN account wouldn’t have existed, but if credential management was in place, the password would’ve been not compromised and/or different than the original password and DarkSide wouldn’t have gained access.
Authentication, fine-grained access controls, and access governance can prevent the movement of an attack
Once DarkSide hit “Enter,” they were in the pipeline’s system. There weren’t any other login requirements or authentication methods — just a password. This was the fatal flaw of the hack. Multi-factor authentication is purposefully built to make sure the user logging into a critical system is the same user that the account belongs to. If that user doesn’t pass the authentication “tests,” they’re not granted access. Even though it’s an unfortunate and wide-scale example, Colonial Pipeline reinforces the importance of implementing MFA and having fine-grained security controls (like access notifications that could’ve alerted an IT team member) in place to secure critical access points. Once passed the access point, the attackers were able to move freely throughout the system — a problem that could’ve been prevented with access governance. Access governance sets the rules around who can access what systems, and in this case, it would’ve limited the former employee’s access to only the systems and applications he was permitted to access. If the access was segmented, the attack wouldn’t have been a threat to other parts of Colonial Pipeline’s infrastructure. But since their movement couldn’t be stopped, there was greater urgency to pay the ransom, fix the systems, and prevent any additional downtime and loss of production.
How do we move on after the Colonial Pipeline hack?
At a bare minimum, every organization learned one thing from the Colonial Pipeline attack — one breach can have catastrophic consequences. But the biggest takeaway is that businesses have to do something. Implementing stronger access controls, regular access reviews, credential management, and authentication protocols are just a few ways to secure critical assets and systems. Using a combination of these tools — and better yet, finding software and technology that can streamline multiple forms of security — can lead to a more robust security posture and give businesses confidence that they won’t be the next big headline.