26 January 2022
Energy Cyber Threat
by Doug Horne
Our CEO, Leo Dixon, moderated the Energy Cyber Threat session at the Energy Insurance London 2021 Conference in October, which featured a panel of experts: Georgina Williams (Senior Cyber Underwriter, Munich Re), Daniel Leahy (Senior Account Executive, Cyber & Technology Solutions, Howden Group) and Matthew Lane (Director and Co-Founder, X-Cyber Group).
The panel discussed the cyber-attack on the Colonial Pipeline Company (operator of the Colonial pipeline) on 7th May 2021.
This article highlights the characteristics of the attack and explores some key observations.
The Pipeline
The 5,500 miles (8,850 km) long Colonial Pipeline consists of two tubes capable of carrying 2.5 million barrels of fuel per day between Texas and New York. This equates to 45% of the US East Coast’s fuel requirement, including petrol, diesel, home heating oil, jet fuel and military supplies.
Chronology of Events
7th May | A statement appeared on the Colonial Pipeline Company’s website confirming it had suffered a cyber-attack. Using compromised credentials (e.g. usernames and passwords), cybercriminals accessed its Internet-facing IT systems, then installed and executed ransomware on them, including on the company’s financial system servers. Its Operational Technology (OT) systems were not impacted, but to prevent the cybercriminals from moving laterally across the network, which could have threatened the safe operation of the pipeline, Colonial proactively shut down the entire pipeline. Only hours after the attack, the Colonial Pipeline Company paid a $4.4m ransom in Bitcoin to DarkSide, a notorious cybercriminal group. The FBI, the Department of Energy and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) were all involved in investigating the incident, which was also reported to President Biden. |
9th May | The company was able to restore operation on some smaller lateral lines between terminals and delivery points. |
10th May | DarkSide published an apology on their website, claiming that their partners were responsible for the attack’s consequences: “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences for the future.” |
12th May | The operator initiated a restart of the pipeline. |
13th May | The operator resumed fuel deliveries in most of its markets but warned it would take some time for the product delivery supply chain to return to normal. President Biden signed an executive order to strengthen the US Government’s cyber capabilities. |
14th May | DarkSide’s developers announced they had lost access to part of their infrastructure. They claimed the ransom money, including their own and ‘client / affiliate monies’, had been moved to an unknown address. Whilst they promised to pay monies to their clients / affiliates by 23rd May 2021, they announced that the service and the ‘affiliate program’ were discontinued. Georgina Williams of Munich Re made the point that this would only be a temporary interruption for these cybercriminals: “the expectation is they will reappear under a new name within months.” |
Wider consequences
The pipeline shutdown and the resulting suspension of fuel supplies led to increasingly dramatic consequences, and 17 states declared a ‘state of emergency’. Media coverage showed long queues at fuel stations as consumers started to panic-buy, fuel prices spiked and supplies ran dry. At one point during overnight trading, futures hit their highest level in nearly three years as traders assessed the impact on the largest pipeline carrying fuel from the Gulf Coast to the Northeast. Ultimately, the FBI retrieved 50% of the original ransom payment. Daniel Leahy of Howden Group commented on this successful recovery.
“This is the first time we’ve seen traceability of cryptocurrency, which is good news as it acts as a deterrent to ransomware gangs.”
Employees and civilians at risk
Clearly, in the case of the Colonial Pipeline Company attack, DarkSide’s aim was to extort money rather than to force a shutdown of the pipeline or precipitate knock-on disruption. But what we can say with near certainty is that DarkSide won’t be the last cybercriminal gang to hack into an energy company and cause unintended consequences. The clear and present danger for the energy industry is the threat of cybercriminals not only interrupting business operations, but putting the lives of employees and civilians at risk to quench their thirst for ransom payments.
Conclusion: More sophisticated attacks
The International Energy Agency cautions that threat actors are becoming increasingly sophisticated at carrying out attacks, both in their ability to identify system vulnerabilities and to maximise destructive capability. Matthew Lane of X-Cyber Group opined: “Suggesting you’re not a target is simply redundant thinking if you are using a computer of any type.”
Leo Dixon of Integra concludes: “For energy, and indeed all industrial and manufacturing companies, it is imperative they have certainty on the extent of the links between their IT and OT systems, such that ‘when and not if’ they experience a cyber-attack to their IT system, they know categorically to what extent their OT system is at risk.”