Colonial Pipeline: Dragos CEO Rob Lee on Pipeline Ransomware Attack
Dragos CEO Rob Lee says that the Colonial Pipeline ransomware attack “is the largest impact on the energy system in the United States we've seen from a cyberattack, full stop.” Lee says that Dragos has observed increasing ransomware attacks targeting industrial control systems and elements of critical infrastructure.
This attack is yet another reminder of how ransomware is out of control and currently by far the largest threat facing organizations. Over the last few years, hundreds of millions in ransom payments have built a ransomware industry that in some cases dwarfs government budgets. This particular attack does, however, highlight another "supply chain" issue: the concentration of the flow of goods, be it shipments via the port of LA or the Suez Canal, a single pipeline responsible for supplying refined gas to a large part of the US, or the small number of chip manufacturers. This concentration has caused bottlenecks and easily exploitable vulnerabilities in the supply chain that are readily leveraged by criminals or nation states to hold economies hostage.
This last year has shown a dramatic increase in disruptive attacks, many taking advantage of health care systems involved with Covid-19 research. In recent months a renewed interest in disrupting or taking critical infrastructure offline has emerged. This past year of remote work seems to have exposed added attack vectors, as well as shone a light on existing ones. Operators, public or private, need to review their systems to make sure that they are following security best practices, and engage an external assessor. Don’t wait for attackers or your regulator’s audit to discover issues that need addressing.
This attack was motivated by money and has disrupted operations and, potentially, fuel supply and prices in the Northeast US. However, it is one more demonstration of the vulnerability of our infrastructure to adversarial nation states. The same breach could have been used to mis-operate the pipeline. "Security as usual," the state of the practice, is not getting the job done. We must increase the cost of attack against our systems tenfold. We know what needs to be done. What will it take to motivate us to do it?