How ransomware can shut down a gas pipeline
- May 13, 2021
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Cyberattack, Data Breach, Industrial Control System Security
This is the week that people reportedly filled plastic bags with gasoline and loaded up their car trunks.
And the week that a giant gas pipeline company reportedly paid a $5 million ransom to get their computer systems back.
A ransomware attack led to the shutdown of more than 5,000 miles of pipe, as well as misinformation online and panic buying at the pump.
How could this kind of attack happen?
Colonial Pipeline is one of the largest pipeline companies in the country, with thousands of miles of pipe bringing gas for millions of people to use in cars, planes and the military.
But on May 7, Colonial Pipeline discovered a ransomware attack from a group called DarkSide.
The company shut down their pipeline, saying, “we proactively took certain systems offline to contain the threat.”
The full details of the attack aren’t public yet, but this is how these kinds of attacks on industrial companies often work.
How It Can Happen
Ransomware often starts on the office side of an industrial company, not the industrial side, explained oil and gas cybersecurity expert Clint Bodungen, CEO of security company ThreatGEN.
“It’s usually going to come in through low-hanging fruit, some easy means,” Bodungen told Archer News. “In many cases, it’s through some sort of email campaign or spear phishing [a targeted phishing attack] or something like that.”
Someone at the company may click on a bad link in an email, for example. That could launch ransomware that encrypts data not only on their office computer, but on many or all of the computers on the office side.
It can be hard to function when the office systems are unusable.
The ransomware may not actually hit the industrial side — the office and industrial computer systems are supposed to be separate — but companies may decide to stop industrial machines anyway as chaos reigns.
Sometimes the ransomware actually hits the industrial side, too, affecting not the industrial machinery itself but some of the Windows computers used in factories and plants.
For example, the screen on an industrial machine — like the computer screen on a gas pump — is called a human machine interface. It allows people using the industrial machines to see what’s happening.
If that screen isn’t working, you don’t know how much gas you’re pumping into your car or if there’s a problem.
Same with industrial screens. Without them, it’s hard to see what’s happening — with potentially serious consequences.
“The pressures, the temperatures. Open and close valves,” said Bodungen. “Without manually checking, you don’t know if a valve has popped. You don’t know if something is leaking or on fire. You don’t know what the problem is.”
Running Plants By Hand
Plants can go into ‘manual mode’, running things with people instead of computers, as Colonial says it did for some of its smaller pipelines.
“If you don’t have any visibility or any control over those remote processes, you have to send a person out there,” Bodungen said.
But that may not be feasible or safe enough, he said. Colonial, for example, has 5,500 miles of pipeline.
“Sending engineers to go check on things, that takes a lot of time. It’s a time thing, it’s a distance thing,” he said. “The safest thing to do in a lot of circumstances is just shut it off.”
This has happened before. An unnamed natural gas pipeline in the U.S. shut down for about two days in 2019 after a ransomware attack.
Other plants have gone through similar problems in the past year, including car-maker Honda, packaging giant WestRock, technology manufacturer Sierra Wireless, pharmaceutical and cosmetics company Pierre Fabre, beer producer Lion, and more.
What To Do?
Companies need to take a closer look at their current situation in terms of cybersecurity and ask questions, Bodungen advised.
Such as, have you been breached already and you don’t know it yet?
Are you actually doing the most basic security steps, like separating the office networks from the industrial networks, making backups of your data, and using multi-factor authentication — an extra sign-in step — to help keep attackers out?
“There are some oil and gas operators, and water treatment operators, and utility operators, they’re doing a phenomenal job,” Bodungen said. However, “there’s still a lot of operators out there not even doing the bare minimum.”
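One way to check the first of those basics, separating office networks from industrial networks, is to look at the traffic actually crossing the boundary rather than trusting the network diagram. The script below is an added example written for this article, not code from Archer News, ThreatGEN or Colonial Pipeline. It assumes hypothetical address ranges (office hosts in 10.10.0.0/16, plant hosts in 10.50.0.0/16), a hypothetical allowlist with a single sanctioned office-to-plant path (historian replication to 10.50.1.10 on TCP 1433), and a handful of constructed flow records in the comma-separated form many firewalls and NetFlow collectors can export. Any office-to-plant flow not on the allowlist is reported as a segmentation violation.

```python
"""
Added example (not from the Archer News article, ThreatGEN or Colonial):
flag network flows that cross from the office (IT) side into the plant (OT)
side without being on an explicit allowlist.

All addresses, ports and flow records below are hypothetical, constructed
for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: office hosts and plant/OT hosts.
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
PLANT_NET = ipaddress.ip_network("10.50.0.0/16")

# The only office-to-plant path the (hypothetical) segmentation policy
# permits: the office reporting server replicating from the OT historian.
ALLOWLIST = {
    ("10.10.5.20", "10.50.1.10", "tcp", 1433),
}

# Constructed sample flows: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
src,dst,proto,dport,bytes
10.10.5.20,10.50.1.10,tcp,1433,48211
10.10.7.44,10.50.2.15,tcp,445,920
10.10.7.44,10.50.2.16,tcp,3389,1100
10.10.3.9,10.10.3.10,tcp,445,51000
10.50.2.15,10.50.1.10,tcp,502,300
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse comma-separated flow records, skipping the header line."""
    flows = []
    for lineno, line in enumerate(text.splitlines()):
        if lineno == 0 and line.startswith("src,"):
            continue
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def crosses_it_to_ot(flow):
    """True when the flow originates in the office range and lands in the plant range."""
    return (ipaddress.ip_address(flow.src) in OFFICE_NET
            and ipaddress.ip_address(flow.dst) in PLANT_NET)


def segmentation_violations(flows, allowlist=ALLOWLIST):
    """Return office-to-plant flows that the allowlist does not sanction."""
    return [f for f in flows
            if crosses_it_to_ot(f)
            and (f.src, f.dst, f.proto, f.dport) not in allowlist]


if __name__ == "__main__":
    for v in segmentation_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"VIOLATION {v.src} -> {v.dst} {v.proto}/{v.dport} ({v.nbytes} bytes)")
```

In the constructed sample, the historian replication passes, office-to-office and plant-to-plant traffic is ignored, and the two flows from an office workstation to plant hosts on SMB (445) and RDP (3389) are reported, which is exactly the kind of path ransomware uses to move from the office side to the Windows machines in the plant. Running the same check over real firewall exports is a quick way to answer Bodungen's question of whether the networks are actually separated.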
The National Institute of Standards and Technology just posted tips and tactics for dealing with ransomware.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency also created a ransomware guide, released in September 2020, showing how to deal with ransomware.
Analysts with AAA predicted the price of gas could rise three to seven cents this week in some areas because of the slower delivery of gas to stations.
On the morning of May 13, Colonial Pipeline announced it restarted “product delivery” in a “majority of markets we serve.”
The attacking group, DarkSide, put out a statement saying they only wanted to make money, not cause problems for society. They said they would check out their victims more carefully in the future.
DarkSide has shown itself to be tough in ransom negotiations with companies in the past. In one negotiation with a large company, as reported by KrebsOnSecurity, DarkSide rejected the company’s complaint that the ransom demand was too high.
“You aren’t poor and aren’t children if you f—ed up you have to meet the consequences,” they said, according to a conversation revealed by security company Intel 471.
In that case, DarkSide ultimately dropped the ransom from $30 million to $12 million.
Main image: Gas station. Image: Fahroni/iStock