It’s been a year since Colonial Pipeline, the largest fuel pipeline in the U.S., suffered a ransomware attack resulting from a single compromised password. DarkSide, the hackers responsible for the attack, stole nearly 100 gigabytes of data and threatened to leak it unless their demand of $4.4 million was paid.

Colonial Pipeline paid the ransom ($4.5 million) to get their data back, and approximately $2.2 million was later recovered by the Department of Justice.

The ransomware attack disrupted Colonial Pipeline operations and the wider oil supply chain in the U.S. The hack opened up the conversation of how the government and companies must be more diligent about protecting critical infrastructure and addressing vulnerabilities. Just days after the cyberattack, U.S. President Joe Biden issued the cybersecurity executive order (E.O.), designed to dramatically increase public and private partnerships and improve overall cyber resilience, incident response and business continuity for potential cyberattacks on U.S. critical infrastructure. 

Here, several security leaders reflect on the attack, lessons learned and best practices to protect against cybersecurity risks facing enterprises.

 

Gal Helemski, CTO & Co-Founder, PlainID

“The Colonial Pipeline ransomware attack was yet another high-profile example of compromised credentials being leveraged to exploit a previously believed to be secure infrastructure. As a result, security protocols must evolve to keep pace with dynamic threats across distributed computing environments. The emergence and adoption of a zero-trust architecture is a prime example of how firms are attempting to keep pace. At the core of a zero-trust architecture is the inclusion of authorization policies that extends access controls past traditional network access security throughout the lifecycle of the digital journey.”

 

Mark Carrigan, VP of Process Safety and O.T. Cybersecurity, Hexagon PPM:

“Perhaps the biggest lesson learned from the attack on Colonial Pipeline is that critical infrastructure owners/operators must assume they are going to be hit by a cyberattack, and the ability to fully recover quickly is critical to the safety of operations and the financial stability of the business. 

The top three questions that security risk managers must be able to answer are: 

  1. Can the business produce and deliver products if the I.T. or O.T. network is compromised?
  2. If operations are shut down, what is our recovery time objective (RTO)?
  3. What is our confidence level in achieving our RTO?  

Prevention techniques have a place, but critical infrastructure must look at the consequence of an incident and invest in technology that can get their operations back up and running in a matter of hours, rather than days and weeks, starting with the three questions mentioned. Considering the cost of a multi-day production outage, it’s evident that investment in being able to bounce back quickly has a high ROI.”

 

Neil Jones, Director of Cybersecurity Evangelism, Egnyte:

“It’s hard to believe it’s been a year since the Colonial Pipeline ransomware attack. The good news is that cybersecurity requirements for infrastructure providers like Colonial have become more formalized since the cyberattack occurred, and there’s broader corporate awareness of ransomware’s impact. However, recent geo-political events in Europe and global supply chain pressures remind us that service disruptions from ransomware are just as likely now as they were a year ago. And, organizations are even having to manage data infiltration allegations via social media that may or may not have even occurred.

There are several proven approaches that organizations can follow to help prevent ransomware: 

  • Develop a comprehensive incident response plan. 
  • Utilize a solution with ransomware detection and recovery. 
  • Educate executive management about ransomware’s impact.
  • Perform cybersecurity awareness training, which should include implementing effective data protection policies like strong password protection and multi-factor authentication. It’s also critical that they understand any company can be a potential victim, regardless of size or location.

Without adequate preparation, disruptions are likely to become more severe. For years, we’ve realized how vulnerable global organizations are to potential attacks, but many of our concerns were dismissed as fear, uncertainty and doubt (FUD). Colonial was an important inflection point for public and private sector infrastructure security, but organizations need to remain vigilant to stay a step ahead of cyber-attackers.”

 

Arti Raman, CEO & Founder, Titaniam:

“Over the last year, cybersecurity has become a strong focus of CEOs and CISOs alike, and the Colonial Pipeline cyberattack is a glaring reason. The attack showed the real-world limitations of a ransomware defense strategy solely focused on backup and recovery. The attack led to a six-day shut-down while Colonial Pipeline looked for where hackers had gone and what information could have potentially been exposed. What was most notable about the impact of the Colonial Pipeline ransomware attack was that even though the company could restore its systems and resume operations, it was deemed prudent not to do so until they could rule out any data-related exposure. 

This highlights one of the key overlooked aspects of ransomware attacks that come back to haunt victim organizations, i.e., attackers obtain leverage in two distinct ways — first, by locking up systems via encryption and extorting victims using this as leverage, and second, by stealing data prior to locking up systems and using that stolen data as leverage to extort victims even if they can stand up their systems from backups. 

This means that the historical ransomware protection toolbox comprising backup and recovery and encryption-at-rest is not sufficient. If the file or information is being worked on or is accessed using privileged credentials, such as how one password gave access to the Colonial Pipeline, all protection in place is rendered useless, and hackers can still steal the underlying data prior to encrypting the systems. In that case, bad actors were able to obtain ransom from Colonial Pipeline despite all the traditional protection measures that were in place.

With encryption-in-use data protection, should adversaries break through perimeter security infrastructure and access measures, structured as well as unstructured data can will undecipherable and unusable to bad actors — making digital blackmail significantly more difficult, if not impossible. Both ransomware and extortion protection can be achieved through data-in-use encryption, as it provides unprecedented immunity against data-based attacks.”

 

Jason Rebholz, CISO, Corvus Insurance:

“The Colonial Pipeline ransomware attack, one year ago, showcased the impact cyberattacks can have on large populations. It transformed a digital punch into physical chaos and fear. For organizations designated as critical infrastructure, it was a wake-up call for how they need to better prepare their security defenses and resilience against ransomware attacks. This has never been direr than in the current threat landscape. However, the silver lining of the Colonial Pipeline attack has been the increased involvement of law enforcement and the U.S. government in taking the fight to the attackers, helping to retrieve or freeze illicitly acquired cryptocurrencies and collaborating internationally to arrest the ransomware actors.

However great the learnings are for the defenders, there was an equal learning opportunity for the criminals and nation-states alike. The playbook for a devastating attack against critical infrastructure was tested live. For individuals or countries looking to harm Western countries, the pipeline was a clear example of the impact a single ransomware attack can have.

Organizations, especially those in critical infrastructure, must take steps to ensure preventative security controls are in place. More importantly, they should ensure that there are processes and technologies in place to establish resilience in the event of an attack. Organizations should ask themselves how they can quickly restore critical services and business functions to reduce downtime.”