Ramifications of the Colonial Pipeline breach
Lead Analyst: Bruce Snell, Vice President, Security Strategy and Transformation, US
On Friday, 7 May, Colonial Pipeline suspended operations after a ransomware outbreak in its network, attributed to the DarkSide ransomware group. With Colonial supplying around 45% of the East Coast’s fuel, the shutdown led to panicked runs on gas stations as consumers rushed to fuel their vehicles, and in some cases stockpiled fuel in whatever containers they had on hand.
In the past, when a large breach took place, the people affected received a notice telling them to change their passwords and monitor their credit report for the next 12–18 months. The fallout of the Colonial breach, by contrast, resulted in literal fistfights at gas pumps.
So why was the pipeline shut down in the first place? When the news first broke, many people assumed that the ransomware had infected the physical pipeline systems themselves, commonly referred to as operational technology, or OT. The reality was that Colonial proactively shut down its OT systems to isolate them from the internal systems that had actually been compromised. For Colonial, this was probably the best option: an infection spreading through the OT network could have extended the pipeline’s downtime dramatically and created massive fuel shortages that could have taken weeks, if not months, to recover from. Given that Memorial Day, after a year or more of quarantine, was right around the corner, the Eastern United States could have seen a massive strain on fuel supply.
OT infrastructure is dramatically different from a traditional IT network. While there has been a huge push towards modernization, it is not uncommon to see control systems running outdated operating systems; Windows NT and XP still exist in large numbers in OT networks. This is partly because some systems have been in place for 20 years and cannot readily be upgraded, either because they are needed 24/7 or because replacement is cost-prohibitive. The result is control systems that can no longer be patched for vulnerabilities and often cannot run the modern security tools already in use on the IT side of the organization. So, in Colonial’s case, had the pipeline systems been impacted, a massive restart and restore operation would have been required. When a pipeline stretches from Texas to New Jersey, a manual restart is a herculean effort.