Last updated on 25 May 2021.
An attack has crippled the company’s operations—and cut off a large portion of the East Coast’s fuel supply—in an ominous development for critical infrastructure.
For years, the cybersecurity industry has warned that state-sponsored hackers could shut down large swathes of US energy infrastructure in a geopolitically motivated act of cyberwar. But now apparently profit-focused cybercriminal hackers have inflicted a disruption that military and intelligence agency hackers have never dared to, shutting down a pipeline that carries nearly half the fuel consumed on the East Coast of the United States.
On Saturday, the Colonial Pipeline company, which operates a pipeline that carries gasoline, diesel fuel, and natural gas along a 5,500-mile path from Texas to New Jersey, released a statement confirming reports that ransomware hackers had hit its network. In response, Colonial Pipeline says it shut down parts of the pipeline’s operation in an attempt to contain the threat. The incident represents one of the largest disruptions of American critical infrastructure by hackers in history. It also provides yet another demonstration of how severe the global epidemic of ransomware has become.
“This is the largest impact on the energy system in the United States we’ve seen from a cyberattack, full stop,” says Rob Lee, CEO of the critical-infrastructure-focused security firm Dragos. Aside from the financial impact on Colonial Pipeline or the many providers and customers of the fuel it transports, Lee points out that around 40 percent of US electricity in 2020 was produced by burning natural gas, more than any other source. That means, he argues, that the threat of cyberattacks on a pipeline presents a significant threat to the civilian power grid. “You have a real ability to impact the electric system in a broad way by cutting the supply of natural gas. This is a big deal,” he adds. “I think Congress is going to have questions. A provider got hit with ransomware from a criminal act, this wasn’t even a state-sponsored attack, and it impacted the system in this way?”
The Colonial Pipeline shutdown comes in the midst of an escalating ransomware epidemic: Hackers have digitally crippled and extorted hospitals, hacked law enforcement databases and threatened to publicly out police informants, and paralyzed municipal systems in Baltimore and Atlanta.
In fact, ransomware operators have increasingly had industrial victims in their sights in recent years. Norsk Hydro, Hexion, and Momentive were all hit with ransomware in 2019, and security researchers last year discovered Ekans, the first ransomware apparently custom-designed to cripple industrial control systems. Even targeting a gas pipeline operator isn’t entirely unprecedented: In late 2019, hackers planted ransomware on the networks of an unnamed US natural gas pipeline company, the Cybersecurity and Infrastructure Security Agency warned in early 2020—though not one of the size of Colonial Pipeline’s.
In that earlier pipeline ransomware attack, CISA warned that the hackers had gained access to both the IT systems and the “operational technology” systems of the targeted pipeline firm—the computer network responsible for controlling physical equipment. In the Colonial Pipeline case, it’s not yet clear if the hackers bridged that gap to systems that could have actually allowed them to meddle with the physical state of the pipeline or create potentially dangerous physical conditions. Merely gaining broad access to the IT network could be cause enough for the company to shut down the pipeline’s operation as a safety precaution, says Joe Slowik, a threat intelligence researcher for security firm Gigamon who formerly led the Computer Security and Incident Response Team at the US Department of Energy. “The operator did the right thing in this case as a response to events,” Slowik says. “Once you can no longer assure positive control over the environment and clear visibility into operations, then you need to shut it down.”
Ransomware intrusions that can reach those operational technology systems are far more rare than those that merely target IT networks. But Lee says Dragos has seen a growing number of ransomware groups working to infect the OT systems that control industrial and manufacturing equipment, with the aim of totally disrupting their victims’ operations.
Update 25.05.21: New details emerging about decision to shut pipeline
Meanwhile, new details are emerging about Colonial’s decision to proactively shut down its pipeline last week, a move that has led to panic buying and massive lines at gas pumps.
The company halted operations because its billing system was compromised, three people briefed on the matter told CNN, and they were concerned they wouldn’t be able to figure out how much to bill customers for fuel they received.
One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said. Asked about whether the shutdown was prompted by concerns about payment, the company spokesperson said, “In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.”
At this time, there is no evidence that the company’s operational technology systems were compromised by the attackers, the spokesperson added.
See also supply chain problems and outages.
The update has unfortunately shown once again that cyberattacks are often exaggerated and used to distract from one's own failures. Supply collapsed only because they did not want to hand out the fuel for free … That will likely still have some legal consequences. See also Fefe's blog (German security blogger).