After Colonial Pipeline, Critical Infrastructure Operators Remain Blind to Cyber-Threats

BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter delivered a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, saying its leaders had plenty of warnings that could have prevented the crippling attack.

Zetter, who has covered many major cyber-incidents over more than 20 years, is the author of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown: 2015). Stuxnet, the malicious worm that security researchers discovered at an Iranian uranium enrichment facility in 2010, was explicitly targeted at the Siemens S7-400 system. Its discovery heralded a new era of targeted attacks, according to Zetter.

“When Stuxnet was discovered in 2010, it shed a light on vulnerabilities in critical infrastructure that few had seen before,” Zetter said. “The security community largely focused on IT networks. They had previously ignored what are called operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electric grid and water treatment plants and manufacturing, and so many other pivotal industries.”

Stuxnet was more significant for what it portended than for any damage it caused at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.

Also in 2010, the discovery of an advanced persistent threat (APT) known as Aurora exposed the growing capabilities of nation-state hackers, Zetter noted.

The discovery of Stuxnet shouldn’t have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.

“Stuxnet provided stark proof that physical destruction of critical infrastructure using nothing more than code was possible,” she said. “But no one should have been surprised. There were warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet.”

Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security. Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today’s cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.

Coinciding with Stuxnet was the discovery of Aurora, Zetter underscored. “Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted the source code repositories of Google, Adobe and Juniper,” she said. “And [it] included one of the first significant supply-chain operations, targeting the RSA C repository, the engine for its multifactor authentication systems.”

Risks Remain High for Industrial Control Systems

The high-profile attack that locked up Colonial Pipeline, which distributes 45% of the fuel along the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year’s ransomware attack should have blindsided the company’s top leaders.

“What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware,” Zetter said. “As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn’t include a ransomware attack, even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked.”

Zetter pointed to the Critical Infrastructure Ransomware Attacks (CIRA) statistics that Temple University began compiling in 2019, two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between November 2013 and July 31, 2022.

“These weren’t just attacks on hospitals, which of course had been a big target for ransomware actors in 2016,” she said. “But these were also targeting oil and gas facilities. And the attackers weren’t just targeting IT systems. They were already going after the OT networks that are controlling the critical processes.”

Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations operating industrial control systems since 2017. The attacks caused major disruptions and production and delivery delays.

Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security’s (DHS) Pipeline Cybersecurity Initiative. The initiative, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA) and various federal and private sector stakeholders.

Zetter indicated that it is probably no coincidence that DHS announced new cybersecurity requirements for owners and operators of critical pipelines two months after the Colonial Pipeline attack. “I don’t mean to beat up on Colonial Pipeline, they’re just a convenient example, because the attack was so significant,” she said. “But other critical infrastructure is in the same place or worse.”