Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Government United States

Ransomware Cyberattack Forces Major US Pipeline Company to Halt Operations (apnews.com) 52

"Colonial Pipeline, which accounts for 45% of the East Coast's fuel, said it has shut down its operations due to a cyberattack," reports ZDNet. "The attack highlights how ransomware and other cyberattacks are increasingly a threat to real-world infrastructure.

"The company delivers refined petroleum products such as gasoline, diesel, jet fuel, home heating oil, and fuel for the U.S. Military."

UPDATE: Saturday the company confirmed that the attack involved ransomware.

The Associated Press reports: Colonial Pipeline said the attack took place Friday and also affected some of its information technology systems. The Alpharetta, Georgia-based company said it hired an outside cybersecurity firm to investigate the nature and scope of the attack and has also contacted law enforcement and federal agencies. "Colonial Pipeline is taking steps to understand and resolve this issue," the company said in a late Friday statement. "At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline."

Oil analyst Andy Lipow said the impact of the attack on fuel supplies and prices depends on how long the pipeline is down. An outage of one or two days would be minimal, he said, but an outage of five or six days could causes shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, D.C., area. Lipow said a key concern about a lengthy delay would be the supply of jet fuel needed to keep major airports operating, like those in Atlanta and Charlotte, North Carolina.

The precise nature of the attack was unclear, including who launched it and what the motives were...

Mike Chapple, teaching professor of IT, analytics and operations at the University of Notre Dame's Mendoza College of Business and a former computer scientist with the National Security Agency, said systems that control pipelines should not be connected to the internet and vulnerable to cyber intrusions. "The attacks were extremely sophisticated and they were able to defeat some pretty sophisticated security controls, or the right degree of security controls weren't in place," Chapple said...

The article also points out the U.S. government says it's "undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks....to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity. The White House has announced a 100-day initiative aimed at protecting the country's electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks. It includes concrete milestones for them to put technologies into use so they can spot and respond to intrusions in real time. The Justice Department has also announced a new task force dedicated to countering ransomware attacks...
This discussion has been archived. No new comments can be posted.

Ransomware Cyberattack Forces Major US Pipeline Company to Halt Operations

Comments Filter:
  • Iran, Russia, China, North Korea, cybercriminals, or some 400 lb fat guy who lives in his mom's basement. But don't worry. Your local gas stations will jack up the price of fuel even if they aren't affected.
    • Re:Who to blame? (Score:5, Insightful)

      by rskbrkr ( 824653 ) on Saturday May 08, 2021 @12:50PM (#61362900)
      The guy that hooked up pipeline operations to the internet in the first place?
      • by gtall ( 79522 )

        So you want to duplicate the interwebs for managing pipelines. How about another one for the electrical grid. Be sure to make them nationwide 'cause those systems are nationwide. While you are at it, could you also whack together another one for water systems, they could use their own interwebs. The sewage systems should also be kept separate from the water systems, they'll be wanting their own network as well. How about banking, cannot have every Ivan, Ahmed, and Feng toying with those, better create a new

        • Re: (Score:3, Insightful)

          by Anonymous Coward
          When you're making big bucks, you can (hopefully) afford things like ISDN/T-carrier/ATM/OC/whatever leased lines. Still possible to break into, but isolated from the greater internet (of course, this seems to be a very difficult thing for a lot of companies to accomplish consistently). Fairly certain this used to be the norm when putting together corporate networks. Since it's a pipeline here, you also have a right of way in which to install a lot of the cabling/equipment (which could be off-the-shelf fiber
          • Spot on. The ops side of utilities should have far better isolation. Often though, ease of use/access gets prioritized by management and security goes out the window.
          • by yagmot ( 7519124 )

            Wouldn't it be basically the same situation if instead of leased lines, the equipment was connected to the internet, but through a VPN? In either situation, once you have access at the main facility, you now have access to all the endpoints, and so it doesn't really matter how those endpoints are connected to the main facility, no?

            It sounds to me like the attackers never had access to the hardware that actually controls the pipeline, so all this is probably moot. How would a ransomware attack practically fu

        • by bjwest ( 14070 )

          So you want to duplicate the interwebs for managing pipelines. How about another one for the electrical grid. Be sure to make them nationwide 'cause those systems are nationwide. While you are at it, could you also whack together another one for water systems, they could use their own interwebs. The sewage systems should also be kept separate from the water systems, they'll be wanting their own network as well. How about banking, cannot have every Ivan, Ahmed, and Feng toying with those, better create a new network for them as well.

          Come to think of it, the nation's communication structure is certainly something that should not be exposed to the interwebs since it is a critical national resource.

          And no sneaky putting them all on the same special intertubes. Should take you what, about a few days to construct?

          So your solution is to not worry about it and continue on as we are now? How about connecting them all to the same secure network instead of creating a separate one for each. Hell, the military has a global network that's secure, I'm sure we can figure out how to build a single secure national network for our critical infrastructure and keep them off the globally accessible internet.

          • " Hell, the military has a global network that's secure"

            Is it, though? And if it wasn't, would they admit that?

            • by bjwest ( 14070 )

              " Hell, the military has a global network that's secure"

              Is it, though? And if it wasn't, would they admit that?

              Yes it is, but you believe what you want.

        • You don't need to duplicate the " interwebs " as you put it, you simply use a dedicated line / circuit.
          ( Yes, believe it or not the Telcos still use and sell them and are a bit more hacker resistant than anything near the internet. )

          Take 911 for example, the connection from the PSAP to the Telco most definitely isn't riding the internet. It is instead a dedicated circuit,
          ( typically 1200 or 9600 baud believe it or not, it's just small blocks of text data after all ) that arrives into a local Central Offi

      • I think at this point a lot of us could just bookmark a few dozen of our old Slashdot posts pointing out what a stupid idea it was for infrastructure / manufacturing / electrical grid / power plant companies to hook up their control circuitry to the Internet, and copy & paste the list of URLs into these sorts of stories.

        For all the good it does.

        • I can't disagree, but another major underlying issue is that much of today's networking infrastructure is grossly insecure.

          And this is why we have the ongoing conversations about memory safety.

          Anyone can make bugs. But people using memory-safe languages can't make the kinds of memory-related bugs that prove to be a cause and/or exacerbating factor for the vast majority of security issues in the wild.

          The sooner that critical network-facing services move away from C and C++, and carefully audit whatever rema

    • Cybercrime needs to be treated as though you used a firearm or explosive in the process. Give me unrestricted access to the right computer I could very well start world war 3

    • Re:Who to blame? (Score:5, Informative)

      by awwshit ( 6214476 ) on Saturday May 08, 2021 @01:15PM (#61362982)

      I worked at a Chevron station in the late 80s/early 90s. Delivery price was based on distance while the fuel cost was based on volume. We couldn't compete with stations 5 miles away because our costs were higher - which meant the other stations got more volume which hurt our costs even more.

      When the US invaded Iraq in the early 90s, Chevron sent out a letter basically saying they raised prices because they could as a CYA but their costs hadn't really changed. Our margins were about $0.10/gallon at that time, we made more on snacks/drinks than fuel.

      Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.

      • Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.

        Not only that, but for the last two or three decades these stations have been required to lease their pumps from the producer, be it BP, Shell, Exxon, etc.

        I remember our local paper ran an interview (probably 20 years ago) with the owner of a gas station who was retiring - his station had been a fixture for something like 40-50 years. He talked about how, in the old days, even though gas was cheaper and per-gallon margins were significantly smaller, he could still afford to pay a living wage to his workers

        • I was incentivized to sell quarts of oil and other Chevron products as well as for Chevron credit card applications. We still sold more chips, soda, and cigarettes. The service bays were the most profitable. Chevron wanted the station to close the service bays and turn that space into a mini-mart, at some point Chevron stopped renewing the lease because they wanted a mini-mart.

          That station closed, now there is another Chevron across the street with a mini-mart.

        • Re:Who to blame? (Score:4, Informative)

          by psycho12345 ( 1134609 ) on Saturday May 08, 2021 @07:01PM (#61363896)
          Its a known problem, basically the companies have offloaded ALL the risk onto the downstream, and retained all the ownership on the upstream, it has become incredibly common for any local franchise of anything. It even has an economic term: chickenization, originally attributed to how chicken farms have the farmers own basically nothing, but are still responsible for everything (upstream in that case is major food processors like Tyson).
      • I worked at a Chevron station in the late 80s/early 90s. Delivery price was based on distance while the fuel cost was based on volume. We couldn't compete with stations 5 miles away because our costs were higher - which meant the other stations got more volume which hurt our costs even more.

        When the US invaded Iraq in the early 90s, Chevron sent out a letter basically saying they raised prices because they could as a CYA but their costs hadn't really changed. Our margins were about $0.10/gallon at that time, we made more on snacks/drinks than fuel.

        Don't be so quick to judge the local stations, the supply chain is tightly controlled and the station at the end of that chain is getting squeezed.

        Also, stations raise their prices based on their next delivery, but lower them based on what's in their tanks.

    • They will seek to maximize their profits, which is exactly what they should do.

      Having said that, I have not noticed a huge spike (northeast Ohio). Not yet anyway. If supplies or the ability to deliver them dwindle enough, even temporarily, a lot of things change, generally for the worse.

      The ongoing tanker truck driver shortage is likely to play both a larger, and more long-lasting, role in eventually making fuel unavailable to middle-class people in the US and possibly elsewhere.

  • by theshowmecanuck ( 703852 ) on Saturday May 08, 2021 @12:53PM (#61362908) Journal
    State or private individuals, there needs to be serious publicly displayed consequences to these actions. The public needs to see that they are either being protected or the perpetrators are brought to justice. And they need to know everything is being done to ensure it won't happen again. Preferably all three. These are vital systems.
    • by Registered Coward v2 ( 447531 ) on Saturday May 08, 2021 @01:17PM (#61362986)

      State or private individuals, there needs to be serious publicly displayed consequences to these actions. The public needs to see that they are either being protected or the perpetrators are brought to justice. And they need to know everything is being done to ensure it won't happen again. Preferably all three. These are vital systems.

      This foreshadows the future of warfare. Being able to put boots on the ground and bombs on target won't matter if the other side can shutdown critical infrastructure. Hard to fly without gas...

      Today's cybercriminals will be tomorrows war heroes...

    • by ewhac ( 5844 )

      State or private individuals, there needs to be serious publicly displayed consequences to these actions. [ ... ]

      Sure, okay, fine, I guess...

      Now how about the $(EXPLETIVE) $(EXPLETIVE) $(EXPLETIVE)ing morons who built a crucial piece of energy distribution infrastructure on top of Windows?

      • by tlhIngan ( 30335 )

        Now how about the $(EXPLETIVE) $(EXPLETIVE) $(EXPLETIVE)ing morons who built a crucial piece of energy distribution infrastructure on top of Windows?

        Fine, smart guy, Tell me how this will be different on Linux? Or BSD?
        Or any other OS?

        You can get anyone to run anything - I can probably get an office worker to do "rm -rfy /" (if you don't know what the 'y' flag does...) fairly easily. Or get them to run "bash NotAVirus.shar".

        If you're going to say "but the Linux network will be better administered" I highly d

        • by theCoder ( 23772 )

          First, those examples all require a lot of extra work. It's like saying you could probably get a person to burn down the office building by spreading gasoline all over the place and lighting it on fire. You could tell someone to do it, but if they actually did it, they are the one responsible for the mess.

          Second, you shouldn't give ordinary users arbitrary root access, even through sudo. That's like leaving the office walls pre-soaked with gasoline!

          Third, yes everyone can be hacked. But it seems like mo

        • Well, you can significantly reduce the attack surface when using a truly secure OS. Also, Linux users, on average, tend to be a good bit more technical than Windows, in part because they often need to be.

          However, I'm not sure I consider a systemd-based system to be securable. At many potential points of attack, "modern" (systemd-based) Linux is a monoculture. One of the EXPRESS goals of systemd is to make it so. That is one of many reasons I have never chosen to use it, when I had the choice, and it's a

          • by tlhIngan ( 30335 )

            First, those examples all require a lot of extra work. It's like saying you could probably get a person to burn down the office building by spreading gasoline all over the place and lighting it on fire. You could tell someone to do it, but if they actually did it, they are the one responsible for the mess.

            Second, you shouldn't give ordinary users arbitrary root access, even through sudo. That's like leaving the office walls pre-soaked with gasoline!

            Well, you can significantly reduce the attack surface when

    • State or private individuals, there needs to be serious publicly displayed consequences to these actions. The public needs to see that they are either being protected or the perpetrators are brought to justice. And they need to know everything is being done to ensure it won't happen again.

      Hilarious! The big joke here is that the perpetrators is the US pipeline company itself! How many millions of dollars do you think they put into the development of secure software? I'm going with a big fat zero. Despite the need for security they are doing the bare minimum and it shows.

      These are vital systems.

      Exactly, so why did this company do so little? The answers here are obvious and known but you portray them as the victim rather than the perpetrator. Like this one, companies have been negligent and the C-class executiv

  • What ever you do, don't mention Microsoft Windows.
    • What ever you do, don't mention Microsoft Windows.

      I mentioned it once, but I think I got away with it.

    • You might be on to something. There seems to be fear when they make a press release, either of pointing the finger or that they'll somehow expose the secret workings of their IT.

      Since they didn't mention MS, one has to assume it is MS top to bottom and AD credentials were used for lateral movement.

  • in retaliation for line5 shenanigans.
  • I don't understand the quotation from the professor. Either they had security controls or they didn't, what kind of a guess is he making ?
    • I don't understand the quotation from the professor. Either they had security controls or they didn't, what kind of a guess is he making ?

      The kind that covers his bets. Or not.

  • 1) What version (not just 7,8,10, but how current is the version) of Windows are they running?
    2) How often are they backing it up?
    3) Is Avast still protecting machines like it did during WannaCry?
    • 1) What version (not just 7,8,10, but how current is the version) of Windows are they running?

      *Were*. They'll be reinstalling from latest now, so they probably wont be able to tell you what they /were/ running at the time.

      2) How often are they backing it up?

      Goes without saying, not as often as they would like.

    • 4. Are their Windows servers up to date 5. Any SolarWinds software
    • by ledow ( 319597 )

      One question: WHY ARE THEY RUNNING WINDOWS!? Or any mainstream commodity consumer operating system?

      • You are on a site populated largely by technical people.

        Most people in most organizations are not.

        Unfortunately, they are therefore often unaware of security best practices, and therefore view such practices as optional, and, even when their technical people bring it up, they are ignored.

        Until it is too late.

        Bad stuff will happen even in spite of those practices, but MUCH less frequently and with MUCH less impact.

        Compare the following scenarios:

        1. Oh noes, someone hosed every single Windows m

  • These weren't connected to the Internet either, and yet somehow managed to become infected with malware. Not connecting to the Internet is not a panacea for this problem.
    • So? Are you arguing that 99.99% protection is worthless because it is not perfect?

      • Airgaps leads to be the belief that it is 100% effective. We know that's not true. If they can't educate users about the dangers of a connected network, how do we expect them to explain the problems with an airgapped network?
    • by ledow ( 319597 )

      The infection got to that secured network by taking over office, etc. machines through an Internet connected network and was then transferred to the secured network from there.

      If you're airgapping, then you can't just shove anything through the airgap and let people plug in USBs that they've build on their machine back in the office, that's not how it works.

      And running commodity operating systems for SCADA controls is just a nonsense, even on an airgapped network (part of the problem is that things like Win

Things are not as simple as they seems at first. - Edward Thorp

Working...