By Larry Magid
This post first appeared in the Mercury News

The shutdown of Colonial Pipeline, which delivers gasoline, diesel, and aviation fuel to much of the East Coast, is a reminder that essential institutions and the people they serve are vulnerable to potentially devastating cyberattacks. The pipeline, which resumed operations on Wednesday, provides about 45% of the East Coast’s fuel, and its disruption has resulted in fuel shortages and panic buying from motorists, which has led to long lines at the pump.

The pipeline company was attacked by ransomware, an increasingly common form of crime where perpetrators lock up an enterprise’s network and data until the company pays a ransom to get it back. The FBI has confirmed that the perpetrator, in this case, is Darkside, a cyber gang that appears to be based in Russia. It does not currently appear that Russian government is behind these attacks. Experts have said the motivation was financial and not an attempt to damage national infrastructure.

This would put this attack in the same category as others including cities and even hospitals. Some have paid to get their data back while others have refused to cooperate with the criminals. Either way, the attacks disrupt operations which can, in some cases, put people’s lives in danger.

In addition to locking up networks and data, ransomware attacks can also be used as a form of extortion or blackmail when perpetrators threaten to release confidential data if their demands aren’t met. As the blog Krebs on Security put it, “DarkSide adheres to the current bad guy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.”

The FBI and CISA (Cybersecurity & Infrastructure Security Agency) issued a joint advisory that called DarkSide “ransomware-as-a-service (RaaS),” adding that “the developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.” The government agencies warned that “groups leveraging DarkSide have recently been targeting organizations across various critical infrastructure sectors including manufacturing, legal, insurance, healthcare, and energy.”

Although this attack appears to be financially motivated, the underlying technology behind ransomware could also be used by nation states and other actors as a cyberweapon to be used to disrupt critical infrastructure. Think of it as the cyber equivalent of bombing roads and bridges.

I don’t know how much of President Biden’s $2.3 trillion infrastructure plan will be funded by Congress, but I do hope they include funds for infrastructure resilience, which includes protections against cyberattacks on our electrical grid and other critical systems. We have reached a point where our electronic infrastructure is as important as our physical infrastructure. But, unlike a road or a bridge, the electrical grid, a gas pipeline, a bank, hospital or other facility can be attacked from anywhere in the world. A couple of years ago, I logged into my investment account and saw a zero balance. It was a temporary glitch but it occurred to me that the only proof I have of how much money I had in my account is their webpage. I now routinely print out my statements and keep them on file in the unlikely but not impossible event that I will have no other proof of how much I have on deposit. I’m assuming that my banks and investment firms have good security and backup systems, but I bet that Colonial Pipeline thought its systems were secure prior to the attack.

I’m not worried about losing my money to a hacker — in most cases the depositor will get reimbursed for a loss due to a hacker, but I feel a bit more secure having a paper copy showing how much I have on deposit.

Mitigation

CISA advises companies and agencies to apply “mitigations to reduce the risk of compromise by ransomware attacks,” including requiring multifactor authentication for remote access, enabling strong spam filters to prevent phishing emails from reaching end users and offering user training programs and simulated attacks for spear-phishing “to discourage users from visiting malicious websites or opening malicious attachments.” Spear-fishing is when deceptive email to get someone to download malware is directed at specific organizations or individuals. The agency also recommends that companies keep their software and operating systems up-to-date with the latest security patches and implement regular backup systems.

Not just big organizations

This advice is directed to large organizations, but it also applies to individuals and home users. You’ll find consumer-friendly tips to prevent ransomware at connectsafely.org/ransomware.

Apple, Google and Microsoft regularly update their operating systems for computers and mobile devices, and you can configure your devices to update automatically. Sometimes there is a delay between the time an update is issued and when it’s automatically updated so, on my Windows machine, I’ve gotten into the habit of typing “update” in the search box at the lower left of my screen on Tuesday or Wednesday to make sure my software is up to date. On Macs you choose System Preferences from the Apple menu and then click Software Update to check for updates.

Whether you are at home or work for a big organization, it’s in all of our interest to protect our infrastructure to avoid fuel shortages, power outages, hospital disruptions and other human made disasters.