
Ransomware and the Colonial Pipeline Attack

With the recent attack on Colonial Pipeline I’ve been getting questions about ransomware, ranging from what it is to how to prevent situations like Colonial’s from happening. I thought it would be a good idea to have a short discussion of the topic.

Ransomware is a form of malware that, once it runs on your computer, encrypts your files and displays a notice that everything has been locked. To get your data back you are told to pay the sum the criminals demand, after which they may, or may not, send the decryption key that unlocks it. Paying is no guarantee of recovery.

More recent variants are network aware: they also encrypt data on anything reachable from the infected computer, such as a USB backup drive that is left plugged in, folders synced to cloud storage, and any network shares to which the logged-in user has write access.
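The behaviour just described (a burst of rewrites with random-looking contents, extensions swapped for a new suffix, a note dropped in each folder, and the same pattern repeated across a network share) is also what a defender can detect. The following is an added example, not code from the original post: a small detector run over a constructed stream of file events. The event format, the suffix and note-name lists, and the thresholds are assumptions chosen for illustration; in practice the events would come from an EDR agent, a filesystem minifilter, Sysmon or auditd.

```python
"""Flag ransomware-like file activity in a stream of file write/rename events.
Added example, not code from the original post; event format and thresholds
are assumptions for illustration."""
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed indicators: extensions many encryptors append, and common note names.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}
BURST_THRESHOLD = 20      # suspicious writes by one process inside WINDOW_SECONDS
WINDOW_SECONDS = 60.0
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8


@dataclass
class FileEvent:
    ts: float                # seconds since epoch
    pid: int                 # process that performed the write or rename
    path: str                # new path, local or a UNC share path
    old_path: Optional[str]  # previous path if this was a rename, else None
    sample: bytes            # first bytes written, as a sensor would capture them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _parts(path: str):
    return re.split(r"[\\/]+", path)


def share_host(path: str) -> Optional[str]:
    """Server name of a UNC path such as \\\\server\\share\\file, else None."""
    return _parts(path)[1] if path.startswith(("\\\\", "//")) else None


def _ext(path: str) -> str:
    name = _parts(path)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def looks_encrypted(ev: FileEvent) -> bool:
    """A rename that swaps the extension for a known suffix, or a write of
    near-random bytes. One high-entropy write is normal (a zip, a photo);
    the burst check in analyze() separates an encryptor from a user."""
    renamed = (ev.old_path is not None and _ext(ev.path) != _ext(ev.old_path)
               and _ext(ev.path) in SUSPICIOUS_SUFFIXES)
    return renamed or shannon_entropy(ev.sample) >= ENTROPY_THRESHOLD


def peak_in_window(timestamps, window: float) -> int:
    """Largest count of timestamps inside any interval of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events) -> list:
    """One finding per process whose activity looks like an encryptor at work."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    findings = []
    for pid, evs in sorted(by_pid.items()):
        suspicious = [e.ts for e in evs if looks_encrypted(e)]
        notes = sorted({e.path for e in evs if _parts(e.path)[-1].lower() in RANSOM_NOTE_NAMES})
        shares = sorted({h for h in map(share_host, (e.path for e in evs)) if h})
        peak = peak_in_window(suspicious, WINDOW_SECONDS)
        if peak >= BURST_THRESHOLD or notes:
            findings.append({"pid": pid, "peak_suspicious_writes": peak,
                             "ransom_notes": notes, "shares_touched": shares})
    return findings


# Constructed sample data, not a real capture. Deterministic "random" bytes
# stand in for ciphertext; repeated text stands in for an ordinary document.
HIGH_ENTROPY_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
LOW_ENTROPY_SAMPLE = b"Invoice 2021-05 total 1234.00 due on receipt\n" * 20

SAMPLE_EVENTS = (
    # pid 4321 rewrites 30 spreadsheets on a share with ciphertext, renames each
    # to .locked and drops a note: the network-aware pattern from the post.
    [FileEvent(1000 + i * 0.5, 4321, f"\\\\fileserver\\finance\\doc{i}.xlsx.locked",
               f"\\\\fileserver\\finance\\doc{i}.xlsx", HIGH_ENTROPY_SAMPLE) for i in range(30)]
    + [FileEvent(1016.0, 4321, "\\\\fileserver\\finance\\readme.txt", None, b"Your files are encrypted")]
    # pid 1000 is a user saving a few memos locally.
    + [FileEvent(1000 + i * 10, 1000, f"C:\\Users\\bob\\Documents\\memo{i}.txt", None, LOW_ENTROPY_SAMPLE)
       for i in range(5)]
    # pid 2000 writes one archive: high entropy but no burst, so not flagged.
    + [FileEvent(1005.0, 2000, "C:\\Users\\bob\\Downloads\\photos.zip", None, HIGH_ENTROPY_SAMPLE)]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports only pid 4321, with the share it touched, which is the piece of information that tells you to pull the file server off the network, not just the workstation. The entropy test alone would misfire on every archive or photo a user saves; requiring a burst of such writes from one process is what keeps the false-positive rate usable.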

As the situation at Colonial Pipeline is still evolving as of this writing, and the specifics of how they were compromised have not been disclosed, all we can do is make educated guesses from what has been reported so far.

Colonial shut down systems as a safety precaution. This is the right thing to do: if the ransomware they are dealing with is network aware, disconnecting systems contains the spread and limits the damage.

It has also been reported that this was a targeted attack by a known criminal hacker group.

If you understand how ransomware usually gets onto computers, you can hazard a guess as to how it happened. Deployment and infection happen through a few methods, the most common being:

  • A user blindly clicking a link in an email that leads to a website serving the malicious payload.
  • A user blindly opening an email attachment that either contains the payload or fetches it from a website.
  • A user blindly clicking a link on a compromised website that downloads the payload.

Exposed remote-access services, such as RDP or a VPN portal protected only by a weak, reused or leaked password, are the other major entry point, and they need no user mistake at all.

So, how did the ransomware get deployed at Colonial? A guess: an employee may have done one of the aforementioned things.

Is it really that simple? Unfortunately, yes. It could have been as simple as someone in, say, the billing department clicking a link in a spam email, and the damage is done. What could an office computer in billing have to do with the pipeline itself?

To answer that question, we have to look at something called SCADA. In simplest terms, for those who do not know, SCADA (Supervisory Control and Data Acquisition) is a control-system architecture that lets operators monitor and manage an industrial process from a computer.

A rough analogy is a home automation system: devices that control the lights and locks, temperature sensors and cameras, all integrated to give you monitoring, home security and control of your heating and cooling. Ironically, these same devices, such as camera doorbells and smartphone-controlled thermostats, have had serious security breaches as recently as this past winter.

Industrial SCADA systems are designed to be robust, easy to use and very fast; they are, however, notoriously lacking in security. Many of the devices in a SCADA system do not run an easily upgradable operating system. They run a fixed version stored in firmware, potentially something as old as Windows XP Embedded. Some of these devices can be upgraded by swapping out a plug-in card, but most of the time the computing resources, memory and processor, are simply too small to run newer software.

Think of an older smartphone that doesn’t have the storage or processor to upgrade to the latest version of iOS or Android. You know, the phone you really loved, with great battery life, that only runs Android 4.4.

When SCADA systems were being developed over the decades, upgrading wasn’t really a concern. These devices do just one or two things, like regulating temperature or the flow rate of a pump: single-function computers that did one thing and did it very well.

Think about it. How often would you need to replace the software that runs, say, your garage door opener? Unless there is some major feature change or a different controller card for the opener motor, you wouldn’t need to do it. The one we have is 15 years old and still works just fine.

So, you have an entire architecture that is not very secure. Bundle that with the system being reachable from a network and it becomes an appealing and obtainable target. Add to the mix a desktop computer on that same network that an employee uses to monitor the pipeline, read email and access other network resources, and you have a hacker’s dream for exploitation: everything is in one place.

What do you do if you have a pipeline with a SCADA system maintaining all 5,500 miles of that process, and it suddenly needs to be secure from attack? Upgrade?

Upgrading that SCADA system to make it more secure could be prohibitively expensive, especially if the software running the whole package was custom developed. Unfortunately this is a common burden on SCADA systems. Adding security hardening to such systems in many cases breaks them to the point of being useless.

Aside from ensuring that all your non-SCADA systems have robust anti-virus/anti-malware protection deployed, along with a strict patching process and regular backups, what can you do?

There are many options, but I would suggest two that should be undertaken regardless.

  • Employee training and awareness of security issues.
    • This is, or should be, a major, continual component of any security posture you or your organization maintains. Threats change literally daily. A training presentation once a year is simply not enough.
    • Review the current training material; at this point it clearly needs revision, or at the very least a strong reintroduction.
      • Something I’ve found helps with such training is connecting the dots between how it helps the company and how it protects the employee.
      • Showing how the topics apply not just at work but to how a person protects their own devices and computers helps people not only retain the knowledge but actually practise it every day.
    • Consider staging simulated phishing campaigns within the organization.
      • Something that has worked well is an email that appears to come from an outside source offering a free gift card, such as $25 from Amazon for completing a survey.
      • Set up your internal DNS so that the hostname in the survey link resolves to a web server you run, which sends the person to a security training and awareness page and records who clicked. Use a hostname you control, never a real brand’s domain.
      • If your marketing department has an email distribution system for sales, you may be able to leverage it for such a campaign.
      • Even if the email comes from an internal address, such a communication is not normal, and you would hope people notice that it’s “not right”.
    • Regular communications, by email (irony noted) or announcements on your intranet, about current threats affecting both corporations and individuals help bolster awareness.
    • Monthly reminders on how to grow one’s knowledge of security issues also help.
  • Isolate the SCADA network from the day-to-day operational network. This is the more expensive option, but with SCADA systems it should be a must, now more than ever.
    • How you do this will take some research in your environment. There are many networking solutions that can achieve this goal.
    • One of the best solutions is physical isolation.
      • Go as far as deploying a second, wired-only network with zero external connectivity for the SCADA systems.
      • Yes, those who need to access the SCADA systems must do so from a second computer that is connected only to that isolated network and locked down to prevent data transfer on and off the machine (removable media and USB storage disabled, no email or web browser).
      • Don’t use “jump boxes” that bridge the two networks. If you can reach the SCADA network from your day-to-day operational network, so can a criminal who has compromised that network. If a bridge really is unavoidable, treat that host as part of the SCADA network: dedicated to the job, multi-factor authentication, no inbound access from general workstations, and every session logged.
    • There are of course the risks you would expect from having any network at all, but proper security practice reduces them dramatically and shrinks the attack surface.
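To make the phishing-simulation steps above concrete, here is an added example (not code from the original post) of the three pieces you end up writing: the gift-card lure, a per-recipient tracking link whose token is HMAC-signed so nobody can edit it to frame a colleague, and the handler behind the internal DNS name that redirects every click to the awareness page while crediting only valid tokens. The hostnames, the campaign secret, the sender address and the recipient addresses are assumptions; delivery through your own mail relay is left to your mail tooling.

```python
"""Internal phishing simulation: lure email, signed tracking link, click handler.
Added example, not code from the original post; hostnames, secret and
addresses are assumptions."""
import hashlib
import hmac
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"rotate-this-per-campaign"                  # server side only; never in the email
SURVEY_HOST = "survey-rewards.internal.example"       # internal DNS points this at the handler
TRAINING_URL = "https://intranet.internal.example/security/phishing-awareness"
CAMPAIGN = "2021-05-giftcard"

CLICKS = {}   # recipient -> campaign; use a database in real use


def _tag(recipient: str, campaign: str) -> str:
    return hmac.new(SECRET, f"{recipient}|{campaign}".encode(), hashlib.sha256).hexdigest()[:16]


def make_token(recipient: str) -> str:
    """Per-recipient token that cannot be guessed or edited to point at someone else."""
    return f"{recipient}|{CAMPAIGN}|{_tag(recipient, CAMPAIGN)}"


def verify_token(token: str):
    """(recipient, campaign) if the HMAC tag checks out, otherwise None."""
    try:
        recipient, campaign, tag = token.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(recipient, campaign).encode()):
        return None
    return recipient, campaign


def lure_url(recipient: str) -> str:
    return f"http://{SURVEY_HOST}/s?" + urlencode({"t": make_token(recipient)})


def build_lure(recipient: str) -> EmailMessage:
    """The '$25 gift card for a survey' email from the post, with a tracked link.
    The From domain is assumed to be one we control that merely looks external."""
    msg = EmailMessage()
    msg["From"] = "Customer Rewards <rewards@customer-survey-rewards.example>"
    msg["To"] = recipient
    msg["Subject"] = "Your $25 Amazon gift card is waiting"
    msg.set_content(
        "Thank you for being a valued customer!\n\n"
        "Complete our two minute survey to claim your $25 gift card:\n"
        f"{lure_url(recipient)}\n"
    )
    return msg


def handle_click(request_path: str):
    """Response to a GET on the survey host: everyone lands on the training
    page; only a valid token is credited as a click."""
    token = parse_qs(urlparse(request_path).query).get("t", [""])[0]
    who = verify_token(token)
    if who is not None:
        CLICKS[who[0]] = who[1]
    return 302, TRAINING_URL


def click_rate(recipients) -> float:
    """Fraction of this campaign's recipients who clicked; the number to track over time."""
    clicked = sum(1 for r in recipients if CLICKS.get(r) == CAMPAIGN)
    return clicked / len(recipients) if recipients else 0.0


class ClickHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end: redirect and record, nothing else is served."""
    def do_GET(self):
        status, location = handle_click(self.path)
        self.send_response(status)
        self.send_header("Location", location)
        self.end_headers()


if __name__ == "__main__":
    print(build_lure("alice@corp.example").as_string())
    HTTPServer(("0.0.0.0", 8080), ClickHandler).serve_forever()
```

The signed token matters more than it looks: with a plain user ID in the link, anyone who sees a colleague’s email can click their link and skew the numbers, or forge a URL and get someone else marked as a clicker. Tracking the click rate per campaign, rather than naming individuals, keeps the exercise about training rather than blame.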

Regardless of these suggestions, what should all of us take away from this incident?

  • Maintain system backups and make sure that at least one backup is offline.
    • At home, a USB backup drive used together with a cloud-based backup is a good idea. A second USB drive that you connect only once a month to take a backup, and then unplug, covers the case where ransomware encrypts the drive that is always connected and the synced cloud copy along with it, and ensures you can recover from a system failure. If your data changes more often, take the offline backups more often to fit your needs.
    • Enterprise backup services offer disaster-recovery solutions with offline/offsite copies. If you are not using such a service, shop around and find one. In this day and age, it’s a must. Test a restore regularly; a backup you have never restored from is a hope, not a plan.
  • Be aware that the contents of any email you receive may be unsafe, even emails you assume are secure or that come from a known source: the sender address can be forged, or the sender’s account may itself be compromised.
  • Don’t blindly click a link in an email, document, IM, SMS message etc., regardless of the source. Take the time to examine the link carefully (hover over it to see where it actually goes, and check that the domain is the one you expect) and confirm it’s valid. Make it a habit; force yourself to do this until it becomes second nature.
  • Check attachments carefully. If you have any doubt that an attachment is safe, assume it is not, and reach out to your IT department for help; if that’s not an option, contact the sender through a channel other than a reply to the email itself, since a reply goes to whoever controls the mailbox.
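Examining a link or an attachment “carefully” is a short checklist that can be written down, and it is worth seeing exactly what the checks are. The following is an added example, not code from the original post: a triage routine that pulls the links and attachments out of a raw email and reports the tells a reader should look for (link text showing one site while the href goes to another, raw IP addresses, punycode labels, a username before an @ in the URL, a brand name buried in a domain that is not the brand’s, executables and macro-enabled documents, and double extensions such as .pdf.exe). The trusted-domain list, the extension lists and the sample message are constructed for illustration.

```python
"""Triage the links and attachments in an email before anyone clicks.
Added example, not code from the original post; the allow-list, extension
lists and sample message are constructed for illustration."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"corp.example", "amazon.com"}   # assumed allow-list for the example
DANGEROUS_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
_DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs; a mismatch between them is the classic tell."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels; use a public-suffix list for co.uk-style domains in production."""
    return ".".join(host.lower().split(".")[-2:])


def assess_link(href: str, text: str) -> list:
    """Reasons to distrust a link; an empty list means nothing obvious was found."""
    reasons, u = [], urlparse(href)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        reasons.append(f"scheme {u.scheme!r} is not http(s)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    if "@" in u.netloc:
        reasons.append("userinfo before the host (the real site is after the @)")
    shown = _DOMAIN_RE.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
    brand = any(t.split(".")[0] in host for t in TRUSTED_DOMAINS)   # crude heuristic
    if brand and registrable(host) not in TRUSTED_DOMAINS:
        reasons.append(f"lookalike: {host} contains a trusted name but is not a trusted domain")
    return reasons


def assess_attachment(filename: str) -> list:
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in DANGEROUS_EXTS:
        reasons.append(f"executable or macro-enabled type {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("double extension hides the real type")
    return reasons


def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report suspicious links and attachments."""
    msg = message_from_string(raw, policy=default)
    report = {"links": {}, "attachments": {}}
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_subtype() == "html":
            parser = _Links()
            parser.feed(content)
            links = parser.links
        else:
            links = [(url, url) for url in re.findall(r"https?://\S+", content)]
        for href, text in links:
            reasons = assess_link(href, text)
            if reasons:
                report["links"][href] = reasons
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = assess_attachment(name)
        if reasons:
            report["attachments"][name] = reasons
    return report


def _build_sample() -> str:
    """Constructed lure: a lookalike link under brand-like text and an .exe posing
    as a PDF, next to a legitimate intranet link that should not be flagged."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@corp-example.com>"
    m["To"] = "you@corp.example"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative(
        '<p>Claim your reward at <a href="http://amazon.com.rewards-survey.example/claim">'
        'https://www.amazon.com/gc</a> or read the <a href="https://intranet.corp.example/hr">'
        'HR notice</a>.</p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice_2021.pdf.exe")
    return m.as_string()


SAMPLE_EMAIL = _build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The registrable-domain comparison is the heart of it: `amazon.com.rewards-survey.example` reads as Amazon to a hurried eye, but the part that decides where the browser goes is the last two labels, and those are not Amazon’s. The same logic is what you apply by hand when you hover over a link.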

Until next time…

Published in Attack Incidents, InfoSec