Your Network Has Been Locked
This message appearing on a computer screen is every company’s nightmare. While the details continue to trickle out, one thing is clear, the Colonial Pipeline operation stopped. Indications are that the ransomware attack was likely caused by a cybercriminal gang that managed to infiltrate Colonial Pipeline’s network and lock the data on some computers and servers.
Providing OT visibility through monitoring is paramount in keeping the operations running. Whether the OT side was compromised from the IT side of the business or not, what we do know is that the operation was shut down because of the inability to ensure a safe and secure production.
- Dino Busalachi, CTO Velta Technology
As more engineers remotely access control systems for the pipeline from home, login credentials for remote desktop software become targets for compromise. Sources state that through the attack they tried to take almost 100 gigabytes of data hostage, threatening to leak it onto the internet. They then demanded ransom for release of the data. The cloud computing system the hackers used to collect the stolen data was taken offline on Saturday, Reuters reported.
The Colonial Pipeline carries 2.5 million barrels a day representing 45% of the East Coast’s supply of diesel, petrol and jet fuel. They have stated that they are continuing to dedicate vast resources to restoring pipeline operations quickly and safely. This incident highlights the risk ransomware poses to critical national industrial infrastructure in addition to traditional businesses.
Within an organization the responsibility for the IT systems and operational production are usually managed by two separate teams. Owners of operations take on the responsibility for safe and reliable production. Operations represent the ‘cash register’ and safety center of the company. What appears to be the situation in this case, is that production was impacted by an IT compromise and the operational side of the business was not comfortable (whether compromised or not) to continue.
Given the trends in cyber activity, businesses and critical infrastructure entities need to take steps to protect and ensure continued operations in the event of an eventual or attempted compromise. Whether out of caution (the unknown) or actual compromise (the known) the impact of the operational shutdown is the same. Answer the ‘we don’t know’ with active monitoring in an industrial environment, keep operations running with visibility of the known.
Colonial Pipeline stated that personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline following the attack. This clearly indicates the need for more proactive continuous monitoring and detection.
We have multiple ways of protecting critical infrastructure companies as well as manufacturing companies from unfortunate events such as these. We encourage every company to be proactive rather than reactive. We stand behind the statement and deliver solutions to help you ‘Get Safer Sooner.’