Ransomware disrupts energy. It could get worse – Thursday, June 17, 2021 – www.eenews.net
A month after a ransomware cyber attack shut down his company’s 5,500-mile pipeline system, Joseph Blount delivered a clear message to Congress: it could have been worse.
The CEO of Colonial Pipeline Co. told lawmakers last week that the decision to shut down the fuel network – which supplies nearly half of the gasoline used on the East Coast – kept the Russia-based hacking group DarkSide from being able to “cause even more damage”.
Blount’s comments highlight a long-standing fear that has captured President Biden’s attention: the risk that ransomware, which locks down victims’ computer networks and demands payment for the key, could spread to the sensitive computer systems that manage pipelines or the electricity grid.
Cybersecurity experts say recent ransomware disruptions carry a harsh lesson, and that the threat is likely to persist: hackers can have drastic impacts on physical systems like fuel pipelines even if they touch nothing more than billing, communication or other seemingly less vital networks. And ransomware attackers can infect exposed computers without even intending to target the operational technology, or OT, networks that underpin the grid and other critical infrastructure.
“It doesn’t matter what impact it will have if it all stops,” Nathan Brubaker, senior director of analysis at cybersecurity firm Mandiant Threat Intelligence, told E&E News.
Biden said yesterday he raised recent ransomware attacks on U.S. energy with Russian President Vladimir Putin at a much-anticipated meeting in Geneva. At a press conference, Biden said he presented the Russian leader with a list of 16 critical infrastructure sectors, from energy to water, which “should be banned during times of attack, by cyber or by any other means.”
The White House launched a 100-day network security plan in April that focuses on increasing the visibility and protection of industrial networks. The Justice Department also recently launched a ransomware task force.
But yesterday the spotlight was on Biden’s meeting with Putin, although U.S. intelligence officials say they don’t believe the Russian government was directly involved in the Colonial hack.
“I watched [Putin] and I said, ‘How would you feel if ransomware took over your oilfield pipelines?’” Biden said. “He said it would matter. It is not just a matter of our personal interest. This is in our mutual interest.”
Some of the most prolific ransomware operators to hit American companies, including DarkSide, are said to be operating from safe havens in Russia. Hackers are largely free to launch attacks as long as they don’t target Russia or its allies, according to U.S. intelligence officials.
Biden said he and Putin agreed to assign experts from both countries to “work on a specific understanding of what is off limits” to cyber attacks and to highlight instances where hackers reside in either country.
Putin, meanwhile, said in a separate press conference that the two countries had agreed to begin “consultations” on cybersecurity issues, but denied having played a role in the recent cyber breaches.
U.S. pundits and lawmakers are largely skeptical of the Kremlin’s intentions to crack down on hackers, some of whom are believed to be moonlighting for Russian government cyber operations.
That skepticism is not lost on Biden, who said that “we will find out if we have a cybersecurity deal that starts to clean up.”
Asked about a potential U.S. response to Russian cyber attacks on critical infrastructure, Biden said that “I pointed out to [Putin] that we have significant cybernetic capacity. He knows it.”
“If in fact they violate these basic standards, we will respond,” Biden said.
“A brutal approach”
Colonial identified the ransomware attack on its own networks at 5 a.m. on Friday, May 7, Blount said in testimony last Tuesday before the Senate Committee on Homeland Security and Governmental Affairs (Energywire, June 9). Less than an hour later, employees began the process of shutting down a pipeline system that spans 13 states and the District of Columbia. The next day, Colonial made the controversial decision to pay the DarkSide hackers nearly $5 million in Bitcoin in exchange for a tool to unlock the encrypted computer files, although the FBI was later able to recover a large part of the ransom payment.
Blount and some cyber experts have warned that if the ransomware spread across Colonial’s OT networks, the fallout could have been much worse, with the Colonial pipeline going offline for weeks instead of days.
“Shutting down an industrial system in a safe and predictable manner is always better than having the industrial system fail on its own, because commissioning that system can be nearly impossible,” said Sergio Caltagirone, vice president of threat intelligence for the industrial cybersecurity company Dragos Inc.
Blount told lawmakers that Colonial was unable to fully restore some of its financial systems until last week.
But for the physical infrastructure that provides essential services like power or fuel, any shutdown is a major event with potentially far-reaching consequences, giving ransomware gangs disproportionate leverage over their victims.
“Today we are taking a more brutal approach to the problem, which shuts down the entire system” in response to significant intrusions, said Leo Simonovich, vice president and global head of industrial cybersecurity and digital security at Siemens Energy AG.
This is a problem not only for energy, but for any industry that depends on both IT and OT for its operations. This fact is not lost on ransomware operators, experts say. While some gangs publicly avoid attacks on certain essential services like health care, others are much less discriminating.
Brubaker said that, in his experience, the most common factor that halts operations is not a successful ransomware attack on the OT side, but rather one on the logistics side. Freezing billing systems or delivery schedules can easily cripple production, providing more than enough motivation for a business to pay the ransom.
Ransomware hackers have little financial incentive to learn about complex OT networks, which can feature decades-old equipment and company-specific network configurations, experts say. An infection on the IT side is enough of a threat to a company’s production that more complex ransomware is not needed.
However, Caltagirone says they “absolutely” see ransomware operators targeting OT environments.
Caltagirone gave the example of the “EKANS” ransomware, which includes industrial control system processes on a so-called kill list: processes to be stopped before the target files are encrypted. The ransomware was discovered early last year, and although it is considered relatively basic, the discovery raised concern that it may be the first sign of a disturbing trend.
Since its exposure, the toolkit has not been updated with new control-system-focused processes, indicating that adding them in the first place was likely an impromptu decision, Caltagirone said.
Ransomware variants like EKANS are still rare compared to the many IT-focused, constantly evolving strains of ransomware.
“The challenge is that sometimes they build OT-specific capabilities into their tools, but often they don’t need it,” Caltagirone said.
When a hacker dives into a business and searches for the most vulnerable point to strike, they may not differentiate between IT and OT, Brubaker said.
“Actors don’t see IT/OT – they see networks and money,” Brubaker said.
And when operational networks are infected, cleanup can take months.
OT systems are much more “complex and fragile,” Brubaker said.
“Maybe you don’t have any backups and it’s going to take you eight months to get a replacement for some sort of [software product] that doesn’t exist anymore,” said Brubaker.
The danger of ransomware is compounded by the trend for greater connectivity in the U.S. energy sector, which experts say is increasing the number of ways a hacker can infiltrate a system.
Manny Cancel, senior vice president of the North American Electric Reliability Corp. and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), said that increased digitization “simply exacerbates” the risk posed by hackers, because “it’s easier for the bad guy to get in through the door because there are more ways to attack.”
Cancel said NERC hasn’t seen a recent surge in OT-focused ransomware attacks, but that doesn’t mean the threat doesn’t exist. Cancel said that E-ISAC, the electricity sector’s hub for raising awareness of urgent cyber threats, saw its membership increase by 25% last year and will likely exceed those numbers this year.
“We know that there are ransomware services and vendors that have the ability to cause some sort of direct disruption on OT systems. By OT I mean all critical infrastructure, not just electricity,” said Cancel.
The recent wave of cyber attacks, from the massive SolarWinds cyberespionage campaign linked to Russia to the high-profile hack of the Microsoft Exchange messaging platform, has “underscored the need to maintain situational awareness and information sharing,” Cancel said.
Digitization of the grid has been going on for years, but only now are some of the implications for cybersecurity emerging. The future grid is expected to include thousands of remote connection points, from solar panels to electric vehicle chargers, operating in synchronization through digital channels.
“We are striving to achieve energy efficiency, we are striving to decarbonize, we are striving to be more distributed,” said Simonovich of Siemens Energy. “All of this is real, and this energy transition is accelerating with the connectivity of computers at the core, and we need to make it more secure.”