The Colonial Pipeline Ransomware Attack: Joe Biden Signs New Executive Order to Strengthen and Standardize Cybersecurity Reporting
The damages caused by cyberattacks and the frequency of attacks have been increasing every year. The recent ransomware attack on Colonial Pipeline’s IT systems indicates the flaws in existing defenses and the devastating economic, social, and political impacts of large cyberattacks.
President Joe Biden has signed a new executive order to strengthen and improve cybersecurity practices and standards in light of the recent string of cyberattacks on various public and private organizations in the US. The order marks a significant step forward, pushing a shift toward a zero-trust security approach and improved incident response at private and public levels.
Details of the Ransomware Attack
Colonial Pipeline is one of the largest pipeline companies in the US. It supplies 45% of the East Coast’s fuel and transports over 100 million gallons of fuel every day, covering a distance equivalent to that from Texas to New York.
The details of the ransomware attack that occurred on May 6, 2021, are still not entirely clear. However, speculation abounds about the source of the security breach, with analysts suspecting a range of possibilities, from unpatched vulnerabilities in Colonial Pipeline’s systems to phishing emails.
Irrespective of the tactic employed by the attackers, what is clear at this point is that they targeted the business components of the systems rather than the operational side. This strongly suggests that the attackers were motivated primarily by money rather than malicious sabotage.
Yet the attack caused significant service disruptions for the oil sector, leading to supply shortages and, in turn, price fluctuations.
Colonial Pipeline’s Response Strategy
Following the attack, Colonial Pipeline took parts of its systems offline to prevent the ransomware from spreading to other systems. The suspension of pipeline operations caused oil supply disruptions across various parts of the US.
The company began restoring its network following an incremental approach, a common but prudent remediation strategy. In this approach, every component of the system that is either vulnerable or directly hit is restored one at a time. The systems are also carefully scanned for signs of any malicious code that might remain.
It is rare for ransomware victims to restore system functions without suffering severe damage, whether in the form of lost data, money, or both. Colonial Pipeline reportedly paid a ransom of almost $5 million to regain access to its encrypted systems.
The decision to pay the ransom seems to have worked, because there is, as yet, no hint that the malicious actors have leaked the 100GB of data stolen from Colonial Pipeline’s systems.
From the attackers’ side, therefore, the operation was a success. The US government will want to prevent critical infrastructure from being targeted in a similar way in the future. The incident is neither the first of its kind nor likely to be the last, but the new executive order is a welcome initiative in the battle against cyberattacks.
Key Points of Biden’s Executive Order
Biden’s executive order emphasizes cooperation and communication between public and private sectors against cyberattacks threatening US security at a broader level.
Some of the key points of the executive order are:
- IT service providers are required to inform the government about any cybersecurity incidents that can compromise US networks. The order also removes contractual barriers that might deter service providers from identifying and reporting breaches to the government.
- It urges the federal government to improve and upgrade existing IT infrastructure with a renewed focus on implementing encryption, multi-factor authentication, and endpoint protection.
- Vendors selling software to the government must share security data publicly to enable a review of the software before use. The aim is to minimize risks emanating from the use of software with inadequate security.
- The order calls for the establishment of a “Cybersecurity Safety Review Board” comprising public- and private-sector experts to analyze cyberattacks and develop response strategies.
- It emphasizes information sharing between federal government departments.
Brief Background of DarkSide
A group of threat actors known as DarkSide is said to be behind the Colonial Pipeline ransomware attack. The group operates a Ransomware-as-a-Service (RaaS) business whose modus operandi is the double-extortion attack.
According to threat researchers, the group first disrupts the operations of the targeted companies by locking them out of their systems. It then steals critical data and demands a ransom for its return. If the organization fails to pay the ransom, the attackers leak or sell the data on the dark web.
The group presents itself as apolitical, with no affiliation with any government or political ideology. Money is the sole motivator for DarkSide’s exploits, as per their own statement. Still, groups such as DarkSide represent a serious danger for critical infrastructures and non-critical organizations across the globe.
Mitigating Cybersecurity Risks with Automated Tools
Cybersecurity is one of the biggest challenges that organizations face today. With malware becoming a commodity for sale, malicious intent is all that’s needed to launch an attack for personal or political gain. As barriers to entry for amateur cybercriminals fall with easy access to for-sale malware, the cyberattack landscape is only going to evolve in devastating ways.
Organizations and governments must take urgent measures to confront the rapidly evolving and sophisticated cybercrime environment. Despite significant progress in cybersecurity tools, techniques, and mechanisms, the danger of security threats is still constantly present.
While there is no foolproof solution to cyber threats, the situation would be far worse if we didn’t have the protective tools and capabilities that we do today.
CENTRL’s Cyber360 is a full-fledged risk assessment software that automates many tasks involved in a cyber risk management program. The tool brings increased transparency and control to cybersecurity risk management, allowing organizations to identify, analyze, mitigate, and respond to evolving risks with greater efficiency.
This cloud-based risk assessment automation platform eliminates the likelihood of human error, while the tool’s centralized data repositories enable accurate risk identification and segmentation. Since most cyberattack incidents result from human negligence, Cyber360 fills in many gaps that traditional cybersecurity risk assessment tools fail to address.