Ransomware Cyberattack Forces Major US Pipeline Company to Halt Operations (apnews.com) 52
"Colonial Pipeline, which accounts for 45% of the East Coast's fuel, said it has shut down its operations due to a cyberattack," reports ZDNet. "The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure.
"The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil, and fuel for the U.S. Military."
UPDATE: Saturday the company confirmed that the attack involved ransomware.
The Associated Press reports: Colonial Pipeline said the attack took place Friday and also affected some of its information technology systems. The Alpharetta, Georgia-based company said it hired an outside cybersecurity firm to investigate the nature and scope of the attack and has also contacted law enforcement and federal agencies. "Colonial Pipeline is taking steps to understand and resolve this issue," the company said in a late Friday statement. "At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline."
Oil analyst Andy Lipow said the impact of the attack on fuel supplies and prices depends on how long the pipeline is down. An outage of one or two days would be minimal, he said, but an outage of five or six days could cause shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, D.C., area. Lipow said a key concern about a lengthy delay would be the supply of jet fuel needed to keep major airports operating, like those in Atlanta and Charlotte, North Carolina.
The precise nature of the attack was unclear, including who launched it and what the motives were...
Mike Chapple, teaching professor of IT, analytics and operations at the University of Notre Dame's Mendoza College of Business and a former computer scientist with the National Security Agency, said systems that control pipelines should not be connected to the internet and vulnerable to cyber intrusions. "The attacks were extremely sophisticated and they were able to defeat some pretty sophisticated security controls, or the right degree of security controls weren't in place," Chapple said...
The article also points out the U.S. government says it's "undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks....to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity. The White House has announced a 100-day initiative aimed at protecting the country's electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks. It includes concrete milestones for them to put technologies into use so they can spot and respond to intrusions in real time. The Justice Department has also announced a new task force dedicated to countering ransomware attacks...
Who to blame? (Score:1)
Re:Who to blame? (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:1)
Wouldn't it be basically the same situation if instead of leased lines, the equipment was connected to the internet, but through a VPN? In either situation, once you have access at the main facility, you now have access to all the endpoints, and so it doesn't really matter how those endpoints are connected to the main facility, no?
It sounds to me like the attackers never had access to the hardware that actually controls the pipeline, so all this is probably moot. How would a ransomware attack practically fu
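The reachability argument in the comment above (once the main facility is compromised, every endpoint is in reach whether the links are leased lines or VPN) is easy to make concrete. The following is an added example, not code from the article or from any pipeline operator: it models allowed flows between hypothetical hosts and computes, for each PLC, how many independent credential boundaries an attacker who already holds the corporate LAN must cross to reach it. A flat design scores zero everywhere; a design with an OT DMZ jump host scores higher only if each hop really does demand separate credentials. All host names, zones and rules are assumptions for illustration.

```python
"""Blast radius of a compromised corporate LAN: flat vs. segmented OT network.

Added example; host names, zones and flow rules are hypothetical.
Edge = (source, destination, needs_separate_credential).
"""
import heapq

# Flat design: corp LAN shares AD credentials with the SCADA server and can
# open Modbus/TCP to the PLCs directly, so no new credential is ever needed.
FLAT = [
    ("corp-lan", "scada-server", False),
    ("corp-lan", "plc-pump-1", False),
    ("corp-lan", "plc-pump-2", False),
    ("scada-server", "plc-pump-1", False),
    ("scada-server", "plc-pump-2", False),
]

# Segmented design: corp LAN reaches only a jump host in an OT DMZ (own
# account + MFA); the jump host reaches the SCADA server with OT-domain
# credentials; only the SCADA server talks to PLCs; nothing flows OT -> corp.
SEGMENTED = [
    ("corp-lan", "ot-jump", True),
    ("ot-jump", "scada-server", True),
    ("scada-server", "plc-pump-1", False),   # PLC protocol has no auth of its own
    ("scada-server", "plc-pump-2", False),
]

# Zone assignment used to spot flows that skip the DMZ (hypothetical).
ZONE = {
    "corp-lan": "enterprise",
    "ot-jump": "ot-dmz",
    "scada-server": "control",
    "plc-pump-1": "control",
    "plc-pump-2": "control",
}


def credential_hops(rules, start):
    """Dijkstra with 0/1 edge weights: minimum number of independent credential
    boundaries an attacker holding `start` must cross to reach each host."""
    adj = {}
    for src, dst, needs_cred in rules:
        adj.setdefault(src, []).append((dst, 1 if needs_cred else 0))
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue
        for nxt, w in adj.get(node, ()):
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def plc_exposure(rules, start="corp-lan"):
    """Map each reachable PLC to its credential-boundary distance from `start`.
    PLCs missing from the result are unreachable at the network layer."""
    return {h: d for h, d in credential_hops(rules, start).items()
            if h.startswith("plc-")}


def enterprise_to_control_flows(rules):
    """Allowed flows that go straight from the enterprise zone into the
    control zone, bypassing any DMZ; a segmented design should return none."""
    return sorted((s, d) for s, d, _ in rules
                  if ZONE[s] == "enterprise" and ZONE[d] == "control")


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "PLC exposure:", plc_exposure(rules))
        print(name, "direct enterprise->control flows:",
              enterprise_to_control_flows(rules))
```

The metric deliberately ignores transport: a leased line and a VPN tunnel both produce the same edge. What changes the score is whether the next hop requires a credential the attacker does not already hold, which is the property a VPN concentrator on the corporate LAN does not provide by itself.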
Re: (Score:2)
So you want to duplicate the interwebs for managing pipelines. How about another one for the electrical grid. Be sure to make them nationwide 'cause those systems are nationwide. While you are at it, could you also whack together another one for water systems, they could use their own interwebs. The sewage systems should also be kept separate from the water systems, they'll be wanting their own network as well. How about banking, cannot have every Ivan, Ahmed, and Feng toying with those, better create a new network for them as well.
Come to think of it, the nation's communication structure is certainly something that should not be exposed to the interwebs since it is a critical national resource.
And no sneaky putting them all on the same special intertubes. Should take you what, about a few days to construct?
So your solution is to not worry about it and continue on as we are now? How about connecting them all to the same secure network instead of creating a separate one for each. Hell, the military has a global network that's secure, I'm sure we can figure out how to build a single secure national network for our critical infrastructure and keep them off the globally accessible internet.
Re: Who to blame? (Score:2)
" Hell, the military has a global network that's secure"
Is it, though? And if it wasn't, would they admit that?
Re: (Score:2)
" Hell, the military has a global network that's secure"
Is it, though? And if it wasn't, would they admit that?
Yes it is, but you believe what you want.
Re: (Score:2)
Re: (Score:2)
You don't need to duplicate the " interwebs " as you put it, you simply use a dedicated line / circuit.
( Yes, believe it or not the Telcos still use and sell them and are a bit more hacker resistant than anything near the internet. )
Take 911 for example, the connection from the PSAP to the Telco most definitely isn't riding the internet. It is instead a dedicated circuit,
( typically 1200 or 9600 baud believe it or not, it's just small blocks of text data after all ) that arrives into a local Central Offi
Copy and Paste, Copy and Paste (Score:2)
I think at this point a lot of us could just bookmark a few dozen of our old Slashdot posts pointing out what a stupid idea it was for infrastructure / manufacturing / electrical grid / power plant companies to hook up their control circuitry to the Internet, and copy & paste the list of URLs into these sorts of stories.
For all the good it does.
Re: (Score:2)
I can't disagree, but another major underlying issue is that much of today's networking infrastructure is grossly insecure.
And this is why we have the ongoing conversations about memory safety.
Anyone can make bugs. But people using memory-safe languages can't make the kinds of memory-related bugs that prove to be a cause and/or exacerbating factor for the vast majority of security issues in the wild.
The sooner that critical network-facing services move away from C and C++, and carefully audit whatever rema
Re: (Score:1)
You'd be surprised at how people panic. An agency about 10 years ago destroyed about 30 million in computers because they thought a virus had hit. Turns out nothing happened. Someone that thought they knew something about security panicked and managed to get everyone else excited. Ended up in an IG report. Little knowledge can be very dangerous.
I hope they are all separate. However I know from experience that people will be people and try to "help." Help by connecting systems that have no business being conn
Re: (Score:3)
Cybercrime needs to be treated as though you used a firearm or explosive in the process. Give me unrestricted access to the right computer and I could very well start World War 3.
Re:Who to blame? (Score:5, Informative)
I worked at a Chevron station in the late 80s/early 90s. Delivery price was based on distance while the fuel cost was based on volume. We couldn't compete with stations 5 miles away because our costs were higher - which meant the other stations got more volume which hurt our costs even more.
When the US invaded Iraq in the early 90s, Chevron sent out a letter basically saying they raised prices because they could as a CYA but their costs hadn't really changed. Our margins were about $0.10/gallon at that time, we made more on snacks/drinks than fuel.
Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.
Re: (Score:3)
Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.
Not only that, but for the last two or three decades these stations have been required to lease their pumps from the producer, be it BP, Shell, Exxon, etc.
I remember our local paper ran an interview (probably 20 years ago) with the owner of a gas station who was retiring - his station had been a fixture for something like 40-50 years. He talked about how, in the old days, even though gas was cheaper and per-gallon margins were significantly smaller, he could still afford to pay a living wage to his workers
Re: (Score:2)
I was incentivized to sell quarts of oil and other Chevron products as well as for Chevron credit card applications. We still sold more chips, soda, and cigarettes. The service bays were the most profitable. Chevron wanted the station to close the service bays and turn that space into a mini-mart, at some point Chevron stopped renewing the lease because they wanted a mini-mart.
That station closed, now there is another Chevron across the street with a mini-mart.
Re:Who to blame? (Score:4, Informative)
Re: (Score:2)
I worked at a Chevron station in the late 80s/early 90s. Delivery price was based on distance while the fuel cost was based on volume. We couldn't compete with stations 5 miles away because our costs were higher - which meant the other stations got more volume which hurt our costs even more.
When the US invaded Iraq in the early 90s, Chevron sent out a letter basically saying they raised prices because they could as a CYA but their costs hadn't really changed. Our margins were about $0.10/gallon at that time, we made more on snacks/drinks than fuel.
Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.
Also, stations raise their prices based on their next delivery, but lower them based on what's in their tanks.
Re: (Score:2)
That arbitrage opportunity is pretty small and depends on market conditions.
Re: (Score:2)
They will seek to maximize their profits, which is exactly what they should do.
Having said that, I have not noticed a huge spike (northeast Ohio). Not yet anyway. If supplies or the ability to deliver them dwindle enough, even temporarily, a lot of things change, generally for the worse.
The ongoing tanker truck driver shortage is likely to play both a larger, and more long-lasting, role in eventually making fuel unavailable to middle-class people in the US and possibly elsewhere.
Perpetrators Need to Face Consequences (Score:4, Insightful)
Re: Perpetrators Need to Face Consequences (Score:2)
Re: (Score:1, Insightful)
Biden.
Re:Perpetrators Need to Face Consequences (Score:4, Insightful)
State or private individuals, there needs to be serious publicly displayed consequences to these actions. The public needs to see that they are either being protected or the perpetrators are brought to justice. And they need to know everything is being done to ensure it won't happen again. Preferably all three. These are vital systems.
This foreshadows the future of warfare. Being able to put boots on the ground and bombs on target won't matter if the other side can shutdown critical infrastructure. Hard to fly without gas...
Today's cybercriminals will be tomorrow's war heroes...
Re: (Score:2)
Sure, okay, fine, I guess...
Now how about the $(EXPLETIVE) $(EXPLETIVE) $(EXPLETIVE)ing morons who built a crucial piece of energy distribution infrastructure on top of Windows?
Re: (Score:2)
Fine, smart guy, Tell me how this will be different on Linux? Or BSD?
Or any other OS?
You can get anyone to run anything - I can probably get an office worker to do "rm -rfy /" (if you don't know what the 'y' flag does...) fairly easily. Or get them to run "bash NotAVirus.shar".
If you're going to say "but the Linux network will be better administered" I highly d
Re: (Score:2)
First, those examples all require a lot of extra work. It's like saying you could probably get a person to burn down the office building by spreading gasoline all over the place and lighting it on fire. You could tell someone to do it, but if they actually did it, they are the one responsible for the mess.
Second, you shouldn't give ordinary users arbitrary root access, even through sudo. That's like leaving the office walls pre-soaked with gasoline!
Third, yes everyone can be hacked. But it seems like mo
Re: (Score:2)
Well, you can significantly reduce the attack surface when using a truly secure OS. Also, Linux users, on average, tend to be a good bit more technical than Windows, in part because they often need to be.
However, I'm not sure I consider a systemd-based system to be securable. At many potential points of attack, "modern" (systemd-based) Linux is a monoculture. One of the EXPRESS goals of systemd is to make it so. That is one of many reasons I have never chosen to use it, when I had the choice, and it's a
Re: (Score:2)
Re: (Score:2)
State or private individuals, there needs to be serious publicly displayed consequences to these actions. The public needs to see that they are either being protected or the perpetrators are brought to justice. And they need to know everything is being done to ensure it won't happen again.
Hilarious! The big joke here is that the perpetrator is the US pipeline company itself! How many millions of dollars do you think they put into the development of secure software? I'm going with a big fat zero. Despite the need for security they are doing the bare minimum and it shows.
These are vital systems.
Exactly, so why did this company do so little? The answers here are obvious and known but you portray them as the victim rather than the perpetrator. Like this one, companies have been negligent and the C-class executiv
Ransomware cyberattacks real-world infrastructure (Score:2)
Re: (Score:2)
What ever you do, don't mention Microsoft Windows.
I mentioned it once, but I think I got away with it.
Re: (Score:2)
You might be on to something. There seems to be fear when they make a press release, either of pointing the finger or that they'll somehow expose the secret workings of their IT.
Since they didn't mention MS, one has to assume it is MS top to bottom and AD credentials were used for lateral movement.
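The comment above guesses that AD credentials were used for lateral movement. The article itself gives no detail on how the intrusion spread, so the following is an added example of what a detection for that pattern looks like, not a description of this incident: it parses a simplified rendering of Windows Security event 4624 (logon type 3 = network logon, the type SMB and remote service creation produce) and flags any account/source pair that reaches an unusual number of distinct hosts within a short window. The log lines are constructed, the field layout is a simplification of the real event, and the host names, threshold and window are assumptions.

```python
"""Fan-out detection over Windows 4624 logon events (constructed sample).

Added example; the log format below is a simplified, hypothetical rendering
of Security event 4624, not real telemetry from any operator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a backup service account fanning out to six hosts over
# network logons in under four minutes, plus an ordinary user's logons.
SAMPLE_LOG = """\
2021-05-07T02:10:05Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=FS01
2021-05-07T02:10:41Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=FS02
2021-05-07T02:11:09Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=HR-DB
2021-05-07T02:11:52Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=SCADA-HIST
2021-05-07T02:12:30Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=DC02
2021-05-07T02:13:44Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.20.5.23 Dst=ENG-WS07
2021-05-07T02:15:00Z 4624 LogonType=2 Account=CORP\\jdoe Src=10.20.7.11 Dst=ENG-WS07
2021-05-07T08:30:00Z 4624 LogonType=3 Account=CORP\\jdoe Src=10.20.7.11 Dst=FS01
2021-05-07T09:45:00Z 4624 LogonType=3 Account=CORP\\jdoe Src=10.20.7.11 Dst=FS02
"""


def parse(log_text):
    """Turn one line per event ('<ts> <event_id> Key=Value ...') into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id),
            "logon_type": int(fields["LogonType"]),
            "account": fields["Account"],
            "src": fields["Src"],
            "dst": fields["Dst"],
        })
    return events


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Flag (account, src) pairs whose network logons (4624, type 3) reached at
    least `threshold` distinct hosts inside some sliding window of `window`.
    One alert per pair, reporting the largest host set seen in any window."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_key[(e["account"], e["src"])].append(e)

    alerts = []
    for (account, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        left = 0
        for right in range(len(evs)):
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            hosts = {e["dst"] for e in evs[left:right + 1]}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "src": src, "hosts": sorted(hosts),
                        "first": evs[left]["ts"], "last": evs[right]["ts"]}
        if best:
            alerts.append(best)
    return alerts


def touches_ot(alert, ot_prefixes=("SCADA-",)):
    """Hosts in the alert whose names mark them as OT assets (prefixes are an
    assumption; in practice use an asset inventory, not a naming convention)."""
    return [h for h in alert["hosts"] if h.startswith(ot_prefixes)]


if __name__ == "__main__":
    for a in fan_out_alerts(parse(SAMPLE_LOG)):
        print(f"{a['account']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"OT assets touched: {touches_ot(a)}")
```

The interesting signal is not any single 4624 but the fan-out shape: one account, one source, many destinations, short window. A service account that legitimately backs up many hosts will trip this too, which is why the threshold and window should be baselined per account rather than set globally, and why an IT account touching anything in the OT inventory deserves its own, lower threshold.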
Plot twist, Canada culpable (Score:1)
was or was not (Score:1)
Re: (Score:2)
I don't understand the quotation from the professor. Either they had security controls or they didn't, what kind of a guess is he making ?
The kind that covers his bets. Or not.
3 Questions (Score:1)
1) What version (not just 7,8,10, but how current is the version) of Windows are they running?
2) How often are they backing it up?
3) Is Avast still protecting machines like it did during WannaCry?
Re: (Score:2)
1) What version (not just 7,8,10, but how current is the version) of Windows are they running?
*Were*. They'll be reinstalling from latest now, so they probably won't be able to tell you what they /were/ running at the time.
2) How often are they backing it up?
Goes without saying, not as often as they would like.
Re: (Score:1)
Re: (Score:2)
One question: WHY ARE THEY RUNNING WINDOWS!? Or any mainstream commodity consumer operating system?
Re: (Score:3)
You are on a site populated largely by technical people.
Most people in most organizations are not.
Unfortunately, they are therefore often unaware of security best practices, and therefore view such practices as optional, and, even when their technical people bring it up, they are ignored.
Until it is too late.
Bad stuff will happen even in spite of those practices, but MUCH less frequently and with MUCH less impact.
Compare the following scenarios:
1. Oh noes, someone hosed every single Windows m
uranium centrifuges aren't connected (Score:1)
Re: (Score:2)
So? Are you arguing that 99.99% protection is worthless because it is not perfect?
Re: (Score:1)
Re: (Score:2)
The infection got to that secured network by taking over office, etc. machines through an Internet connected network and was then transferred to the secured network from there.
If you're airgapping, then you can't just shove anything through the airgap and let people plug in USBs that they've build on their machine back in the office, that's not how it works.
And running commodity operating systems for SCADA controls is just a nonsense, even on an airgapped network (part of the problem is that things like Win