Our critical infrastructure is seriously at risk. Ask Colonial Pipeline what their MTTR is...
...we are now entering day 6+ of the Colonial Pipeline Ransomeware attack. For years cyber-sec experts have repeatedly sounded the alarms & the need to harden our Critical Infrastructure continues
Colonial Pipeline…
Founded in 1961 and headquartered in Alpharetta GA. The construction of the pipeline began in 1962. The pipeline length is approximately 5,500-miles
Current estimates indicate that this particular pipeline delivers approximately 45% of the fuel used along the Eastern East-Coast. But the recent malware attack
"is the largest U.S. refined products pipeline system and can carry more than 3 million barrels of gasoline, diesel and jet fuel between the U.S. Gulf Coast and the New York Harbor area."
Colonial Pipeline Timeline:
To date very little information has been released by both Colonial Pipeline1 and the Department of Energy or the FBI. And what information that has been released doesn’t provide a sufficient disclosure of the how, why, what, when of this neat catastrophic cyber attack.
The Mean Time To Repair (MTTR) has been one of the slowest in recent memory. We are now entering day 6+ and Colonial Pipeline hasn’t actually remedied the intrusion and the ripple effects are now starting to directly impact Americans on the East Coast.
Meaning many gas stations no longer have gas to sell to Americans. Again day 6+ is like a lifetime in the cyber world. However below are the various updates Colonial Pipeline has provided on their website.
published on Saturday, May 8, 12:30 p.m.
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems…”
published on Sunday, May 9, 5:10 p.m.
“We have remained in contact with law enforcement and other federal agencies, including the Department of Energy who is leading the Federal Government response.
Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities. Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline…”
published on Monday, May 10, 12:25 p.m.
“…In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely.
While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The Company will provide updates as restoration efforts progress.
published on Monday, May 10, 7:50 p.m.
“…We can now report that Line 4, which runs from Greensboro, N.C., to Woodbine, Md., is operating under manual control for a limited period of time while existing inventory is available. As previously announced, while our main lines continue to be offline, some smaller lateral lines between terminals and delivery points are now operational as well. We continue to evaluate product inventory in storage tanks at our facilities and others along our system and are working with our shippers to move this product to terminals for local delivery…”
published on Tuesday, May 11, 5:15 p.m.
“…Markets experiencing supply constraints and/or not serviced by other fuel delivery systems are being prioritized. We are collaborating with the Department of Energy (DOE) to evaluate market conditions to support this prioritization.
Since our pipeline system was taken offline, working with our shippers, Colonial has delivered approximately 967,000 barrels (~41 million gallons) to various delivery points along our system. This includes delivery into the following markets: Atlanta, Ga., Belton and Spartanburg, S.C., Charlotte and Greensboro, N.C., Baltimore, Md., and Woodbury and Linden N.J.”
US DOT issues a Temporary Exemption;
On May 9, 2021 the U.S. Department of Transportation’s Federal Motor Carrier Administration Issues Temporary Hours of Service Exemption in Response to the Unanticipated Shutdown of the Colonial Pipeline
ESC-SSC-WSC - Regional Emergency Declaration 2021-002 - 05-09-2021
Declaration addresses the emergency conditions creating a need for immediate transportation of gasoline, diesel, jet fuel, and other refined petroleum products and provides necessary relief. Affected States and jurisdictions included in this Emergency Declaration (“Affected States”) are: Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.
By execution of this Emergency Declaration, motor carriers and drivers providing direct assistance to the emergency in the Affected States in direct support of relief efforts related to the shortages of gasoline, diesel, jet fuel, and other refined petroleum products due to the shutdown, partial shutdown, and/or manual operation of the Colonial pipeline system are granted relief from Parts 390 through 399 of Title 49 Code of Federal Regulations2 except as restricted herein.
In accordance with 49 CFR § 390.233, this declaration is effective immediately and shall remain in effect until the end of the emergency (as defined in 49 CFR § 390.5) or until 11:59 P.M. (ET), June 8, 2021, whichever is earlier. FMCSA intends to continually review the status of this Emergency Declaration and may take action to modify or terminate the Emergency Declaration sooner if conditions warrant.
FBI concludes “DarkSide” is responsible
“DarkSide” was first discovered in mid-August 2020 by Kaspersky researchers. That said no my position remains unchanged as it relates to Kaspersky. And generally speaking and thus I often take their “new discovery” with a massive grain of salt.
At the time, Kaspersky researchers made a few observations about criminal hacking Group aka “DarkSide” —at the time I recall being kind of mystified as Kaspersky was “really selling the altruistic card/narrative” that I instinctively felt like a force or contrived cyber security assessment.
Targets only English-speaking countries, while avoiding former Soviet countries
Does not attack hospitals, hospices, schools, universities, non-profit organizations, or government agencies
Uses Salsa20 with the custom matrix and RSA-1024 encryption algorithms
Ransoms range from $200,000 to $2,000,000.
That said BleepingComputer wrote a pretty decent and detailed article - entitled; DarkSide: New targeted ransomware demands million dollar ransoms - as noted by both the Malware Hunting Team.
Back in October of 2020 the BBC published the following article which explained how DarkSide donated the purloined money to various charities.
Mysterious 'Robin Hood' hackers donating stolen money -
A hacking group is donating stolen money to charity in what is seen as a mysterious first for cyber-crime that's puzzling experts.
Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to "make the world a better place".
In a post on the dark web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.
One of them, Children International, says it will not be keeping the money. The move is being seen as a strange and troubling development, both morally and legally.
Joint CISA-FBI Cybersecurity Advisory on DarkSide Ransomware
Late yesterday afternoon published the following Alert, which reads in part:
on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against a critical infrastructure (CI) company.
Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data. These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.
FBI and CISA Product ID: A20-131A
Also on May 11, 2021 the FBI and CISA published (which was also updated on May 12, 2021 with additional Resources/Links)
DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks -pdf
Congress, Pipelines now what?
Yesterday the Chairs of the Homeland Security Committee and the Transportation & Infrastructure Committee sent a letter to White House National Security Advisor Jake Sullivan on the national security and economic security implications of the Colonial Pipeline Company ransomware attack, which could lead to rising fuel costs and fuel shortages. The members wrote:
As we have repeatedly stressed, cybersecurity is no longer just an ‘IT issue’ but instead an economic and national security challenge that can have real-world impacts to our security. It is imperative that the federal response is rapid, clear, and consistent…
In addition to a more detailed understanding of the cyber forensics of the incident response and more formal adversary attribution, we want to make sure there is interagency clarity in roles and responsibilities between the National Security Council, CISA, Sector Risk Management Agencies, and the Federal Bureau of Investigation…Now is a time to focus on critical infrastructure resilience, not relitigate federal turf battles.”
Say thank you to VOLUNTARY GUIDELINES
The TSA has failed to issue any such regulations - which would be mandatory for pipeline operators and other operators of critical infrastructure. Meaning Americans are “at the mercy” of these for-profit entities “industry compliance with voluntary guidelines for pipeline physical security and cybersecurity”
Ironically both TSA and the pipeline industry have forever maintained any such mandatory regulations are “unnecessary because pipeline operators have voluntarily implemented security programs”
Moreover and specifically with respect to cybersecurity threats, TSA has testified that “they are emerging— much faster than the Government’s ability to write regulations to address them.” As noted (see footnotes) in 2018 Government Accountability Office report identified numerous weaknesses within the TSA’s pipeline security program, as the GAO report itemized aforementioned weaknesses include: inadequate staffing, outdated risk assessments, and uncertainty about the content and effectiveness of its security standards.
The Federal Pipeline Security Program4
Pipelines are part of the surface transportation critical infrastructure sector. The Transportation Security Administration (TSA) within the Department of Homeland Security (DHS) administers the federal program for pipeline security. The Aviation and Transportation Security Act of 2001 (P.L. 107-71), which established TSA, authorized the agency “to issue, rescind, and revise such regulations as are necessary” to carry out its functions (§101) - The Implementing Recommendations of the 9/11 Commission Act of 2007 (P.L. 110-53) directs TSA to promulgate pipeline security regulations and carry out necessary inspection and enforcement if the agency determines that regulations are appropriate (§1557(d))
April 2021 TSA Pipeline Security Guidelines
Pipeline Cybersecurity Initiative (PCI) Fact Sheet
Pipeline Cyber Risk Mitigation Infographic
Pipeline Cybersecurity Resources Library
TSA Pipeline Security Guidelines
Pipeline Cybersecurity
This isn’t new and one has to wonder why cyber security protocols are often voluntary. Congress knows the remedy but then the conundrum of “freedom and liberty” and undoubtedly the intellectually stunted “hands off my pipeline” nonsense that is amplified by folks like Cruz, Hawley, Gosar etc.
With literally any Internet-enabled technology, the computer systems used to operate much of the pipeline system are increasingly vulnerable to outside manipulation and intrusion which can be incredibly disruptive.
An attacker can exploit a pipeline command and control system(s) in a variety of ways to disrupt and/or damage pipelines. These known cybersecurity risks have been known for YEARS:
2012 after reports of a series of cyber intrusions among U.S. natural gas pipeline operators.
2017 Department of Energy (DOE) staff report highlighted the electric power sector’s growing reliance upon natural gas-fired generation and, as a result, security vulnerabilities associated with pipeline gas supplies
April 2018, new cyberattacks reportedly caused the shutdown of the customer communications systems (separate from operation systems) at four of the nation’s largest natural gas pipeline companies.
January 2019, congressional testimony by the Director of National Intelligence singled out gas pipelines as critical infrastructure vulnerable to cyberattacks which could cause disruption “for days to weeks.”
In short maybe the TSA and Pipeline Operators need to pull the ripcord and make the “voluntary guidelines” M-A-N-D-A-T-O-R-Y requiring annual certification, unannounced physical inspections, bi-annual audits of a pipeline operator’s cyber security policies. But meh whadda I know beyond - welcome to my wheelhouse where some of us have lobbied for years and sounded the alarm for the too cozy relationship pipeline operators have with both the TSA, US DOT and DOE. Assohlic troglodytes you should have listened to us back in 2007 versus brushing off the concerns of voluntary versus mandatory wasn’t Government overreach. Because here we are - exactly where some of us feared we would be.
Now if you’ll excuse me, I have the sudden urge to run into the ocean and release a primal scream under water…
Addendum (because I was kind of distracted by the waves) - Chairman Glick gets it and I applaud his forceful statement for guidelines to be mandatory;
It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.
Therefore, I am pleased that Commissioner Clements is joining me today in my longstanding calls for mandatory cybersecurity standards for our nation’s pipeline infrastructure.”
Colonial Pipeline Media Statement(s) and updates on outages and constraints on supply - last visited May 11, 2021 https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
Federal Motor Vehicle Safety Administration (FMVSA -US DOT) - Section § 390.23: Relief from regulations. Last visited May 11, 2021 https://www.fmcsa.dot.gov/regulations/title49/section/390.23
49 CFR § 390.23 - Federal Motor Carrier Safety Administration, DOT -last visited May 11, 2021 Government Printing Office - https://www.govinfo.gov/content/pkg/CFR-2010-title49-vol5/pdf/CFR-2010-title49-vol5-sec390-23.pdf
DHS/TSA/CISA Pipeline Resource Page - https://www.cisa.gov/pipeline-cybersecurity-initiative
May 1, 2019 — Several federal and private entities have roles in pipeline security. TSA is primarily responsible for the federal oversight of pipeline physical security and cybersecurity.
GAO-19-426, CRITICAL INFRASTRUCTURE PROTECTION: Key Pipeline Security Documents Need to Reflect Current Operating Environment - Jun 5, 2019 — plan, TSA could better ensure it addresses changes in pipeline security threats and federal law and policy related to cybersecurity, incident management and. DHS's terrorism alert system
Hi. I haven't read the entire file - but I noticed your comment about kaspersky - I have been trying to find out if experts believe Russia was so successful in infiltrating our computer software & systems because so many people used to run Kaspersky "anti-virus" software years ago. I worked for the Federal Govt (Dept of Army) until 2005 and back then our contractors were recommending Kaspersky for us on our home computers. We also would sometimes bring jump drives from home & use them at work. I don't know if the Corps of Engineers ran Kaspersky on their servers or not - but I have wondered for years if that was a back door for Russia to infiltrate our personal & possibly government computers & systems. That's it. My question/comment. Thanks.
Assohlic troglodytes
"gotta find a woman".
He'd go down to the lake where all the women would be swimming or washing clothes or something. He'd look around and just reach in and grab one. "Come here...come here".
He'd grab her by the hair."
sounds about right for QOP today