New York Times
The pipeline attack offers urgent lessons about cybersecurity in the United States
For years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the U.S. electricity grid or gas pipelines, imagining how the country would respond. But when the real moment arrived, not a drill, it did not look like the war games.

The attacker was not a terrorist group or a hostile state like Russia, China or Iran, as the simulations assumed. It was a criminal extortion episode. The goal was not to disrupt the economy by taking pipelines offline, but to hold company data for ransom. The most visible effects, long lines of nervous motorists at gas stations, stemmed not from the government's response but from a decision by the victim, Colonial Pipeline, which carries nearly half of the gasoline, jet fuel and diesel flowing along the East Coast, to turn off the spigot. It did so out of concern that the malware infecting its back-office systems might make it impossible to bill for the fuel delivered along the pipeline, or might even spread into the pipeline's operating systems.

What happened next was a vivid example of the difference between a tabletop simulation and the chain of consequences that can follow even a relatively minor attack. The after-effects of the episode are still unfolding, but some lessons are already clear, and they illustrate how far the government and private industry have to go in preventing and responding to cyberattacks, and in establishing rapid backup systems for when critical infrastructure goes down.

In this case, the belief that pipeline operations were completely isolated from the data systems shut down by DarkSide, a ransomware gang believed to operate out of Russia, proved incorrect. The company's decision to shut down the pipeline set off a series of dominoes, including panic buying at the pumps and a quiet fear within the government that the damage could spread quickly.
A confidential assessment prepared by the Energy and Homeland Security departments found that the country could withstand only another three to five days of the Colonial Pipeline shutdown before buses and other mass transit would be forced to curtail operations because of a diesel shortage. Chemical plants and refining operations would also have to shut down, the report said, because there would be no way to distribute what they produced. And while President Joe Biden's aides announced efforts to find alternative ways to move gasoline and jet fuel to the East Coast, none of them could be implemented immediately. There was a shortage of truck drivers and of tanker cars for trains.

"Every vulnerability has been exposed," said Dmitri Alperovitch, who co-founded CrowdStrike, a cybersecurity company, and heads the Silverado Policy Accelerator, a research center. "We learned a lot about what could go wrong. Unfortunately, our opponents did, too."

The list of lessons is long. Colonial, a private company, may have thought its defenses were impenetrable, but it was easily breached. Even after it paid the extortionists nearly $5 million in digital currency to recover its data, the company found that the process of decrypting its data and restarting the pipeline was painfully slow, meaning it would be days before the East Coast returned to normal.

"It's not like hitting a light switch," Biden said Thursday, noting that the 5,500-mile pipeline had never been shut down before.

For the administration, the episode was a risky week of crisis management. Biden told aides, one recalled, that nothing could inflict political damage faster than television pictures of gas lines and rising prices, inevitably inviting comparisons to Jimmy Carter's worst moments as president. Biden feared that unless the pipeline resumed operations, the panic subsided and price gouging was stopped in its infancy, the situation would fuel concerns that the economic recovery remained fragile and that inflation was rising.
Alongside a series of measures to move fuel by truck, train and ship, Biden issued a long-awaited executive order that, for the first time, seeks to mandate changes in cybersecurity. He indicated that he was prepared to take a step the Obama administration had been reluctant to take during the 2016 election hack: direct action against the attackers.

"We will also seek action to disrupt their ability to operate," Biden said, a line that appeared to imply that U.S. Cyber Command, the military's cyberwarfare force, had been authorized to knock DarkSide offline, just as it had done to another ransomware network in the fall, before the presidential election.

Hours later, the group's websites went dark. By early Friday, DarkSide and several other ransomware groups, including Babuk, which had infiltrated the Washington, D.C., police department, had announced that they were getting out of the game. DarkSide hinted at sabotage by an unspecified law enforcement agency, although it was not clear whether this was the result of American action or of pressure from Russia ahead of Biden's anticipated summit with President Vladimir Putin. The quiet may simply reflect a decision by the ransomware gang to forestall retaliation by suspending its operations, perhaps temporarily. The Pentagon's cyber leadership referred questions to the National Security Council, which declined to comment.

The episode confirmed the emergence of a new "blended threat," one that may come from cybercriminals but is often tolerated, and sometimes even encouraged, by a state that believes the attacks serve its interests. That is why Biden singled out Russia, not as the culprit but as the nation harboring more ransomware gangs than any other.
"We do not believe that the Russian government was involved in this attack, but we have strong reason to believe that the criminals who committed this attack live in Russia," Biden said. "We have been in direct contact with Moscow about the need for responsible countries to take action against these ransomware networks."

With DarkSide's systems disrupted, it is unclear how the Biden administration will respond further, beyond possible indictments and sanctions, which have never previously deterred Russian cybercriminals. Responding with a cyberattack also carries the risk of escalation. The administration also has to reckon with the fact that much of America's vital infrastructure is privately owned and operated and remains ripe for attack.

"This attack revealed just how weak our resilience is," said Todt, managing director of the nonprofit Cyber Readiness Institute. "We think about the threat, while still not doing the basics to secure our critical infrastructure."

Some officials said the good news was that Americans had received a wake-up call. Congress came face to face with the fact that the federal government lacks the power to require the companies that control more than 80% of the nation's critical infrastructure to adopt minimum levels of cybersecurity. The bad news, they said, is that America's adversaries, not just the superpowers but terrorists and cybercriminals too, have just learned how little it takes to incite chaos in a large part of the country, even without breaking into the core of the electrical grid or the operational control systems that move gasoline, water and propane around the country. Something as basic as a well-designed ransomware attack could easily do the job, while providing plausible deniability to countries like Russia, China and Iran that often use third parties to conduct sensitive cyber operations.

It still remains a mystery how DarkSide first broke into Colonial's business network.
The privately owned company has said almost nothing about how the attack happened, at least publicly. It waited four days before holding any substantive discussions with the administration, an eternity during a cyberattack. Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had had more confidence in the separation of its business network from its pipeline operations.

"There has to be a separation between data management and the actual operating technology," Todt said. "Not doing the basics is frankly unforgivable for a company that transports 45% of the gas to the East Coast."

Other pipeline operators in the U.S. deploy advanced firewalls between their data systems and their operations that allow data to flow in only one direction, out of the pipeline, and so prevent a ransomware attack from spreading. Colonial Pipeline has not said whether it deployed this level of security on its pipeline. Industry analysts say many critical infrastructure operators contend that installing such one-way gates along a 5,500-mile pipeline could be complicated or expensive. Others say the cost of deploying these safeguards is still cheaper than the losses from a potential disruption.

Deterring ransomware criminals, who have grown in number and in brazenness over the past few years, will certainly be harder than deterring states. But this week the urgency is clear.

"It's all fun and games when we steal each other's money," said Sue Gordon, a former deputy director of national intelligence and a longtime CIA analyst who specializes in cyber issues, at a conference held by The Cipher Brief, an online intelligence newsletter. "When we tamper with society's ability to act, we cannot afford it."

This article originally appeared in The New York Times. © 2021 The New York Times Company