The Colonial Pipeline Attack Reveals Critical Infrastructure has a Password Problem.

Posted by The TruU Team on May 20, 2021
The TruU Team
It is hard to imagine all this started with an inconspicuous password breach.

Over the last couple of weeks, the Colonial Pipeline attack suddenly became a household event. Mainly because it started to impact the daily lives of everyday citizens. Gas, gasoline, and home heating oil deliveries were disrupted. People were driving to multiple gas stations just to find available gasoline. Yet behind the scenes there were larger and more critical consequences that were starting to play out. on May 12th, President Biden issued an executive order on improving the nation’s cybersecurity ; last week five million dollars in ransomware got paid out; one of the most notorious ransomware organizations suddenly announced they were going into a cooling off period. (More like waiting for things to cool down). 

Whether the attack pattern includes ransomware, injecting malware into a computer or application that could not score a fix with the latest updates, or even an insider attack; one aspect that seems to be a constant is that almost all attacks start with a compromised credential. In plain terms – a username and password combination that was stolen, a PKI certificate that was misappropriated, decrypted or in some fashion compromised to let the attacker in through the door. 

No one wants to discuss the mundane mechanics of exploiting passwords, account takeover (ATO) attacks or how staffers can be social engineered into revealing their information, or why they clicked on that phishy email from the company CEO asking for their mobile number at 2:00 am in the morning.  

What everyone wants to know is what did they do once they got in. So, while we are setting up all kinds of threat mitigation involving detonation chambers and sandboxes, extended end-point detection, trying to curtail privilege escalation, monitoring east-west movement of traffic in the datacenter and seeking out clues about the next distributed denial of service (DDoS) attacks, the password problem lives on complete with mother’s maiden name accompanied by the joy of clicking only on squares that contain crosswalks.

Critical Infrastructure operators in oil and gas, chemicals, utilities, transportation, critical manufacturing and many other essential sectors usually maintain an operational technology (OT) network that helps automate and control the industrial side of the business. Over the last decade corporate enterprise systems that run the business side of these organizations have been joined with the OT network to gain efficiencies within the enterprise and drive down cost. The benefits of IT-OT convergence are generally accepted and now widely implemented. However, this has also exposed vulnerabilities as weaknesses on either side can be exploited by cyber attackers. 

So, what caused the pipeline to be shut down? 

It is clear that the business-facing IT infrastructure at Colonial Pipeline was compromised. We do not know if attackers pivoted to the OT network to create a disruption in operations. It was initially suggested that the basic business processes like being able to receive orders, generate invoices and schedule deliveries were impacted. If you cannot ensure billing and no longer have visibility into delivery for millions of dollars’ worth of product, it would make perfect sense for the business to shut down their operations until they can reliably restore those functions.

Ransomware attackers usually setup remote access trojans (RATs) that are controlled centrally. These trojans will traverse through systems and applications seeking valuable information which they exfiltrate from the organizations. They will then use strong encryption tools to lock up enterprise data and systems and then demand a ransom to restore it. 

Protecting our operational systems and the corresponding OT networks from these types of attacks is an extreme imperative and while the industry segments they control are not very exciting or much talked about, our way of life really depends on having these key resources available. 

According to a Department of Homeland Security CISA Advisory that was first published on May 11th and then updated today (May 19th):

“The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a ransomware attack affecting a critical infrastructure (CI) entity—a pipeline company—in the United States. Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network. At this time, there is no indication that the entity’s operational technology (OT) networks have been directly affected by the ransomware.”

Additional Advice Includes:

  1. Implementing Multi-Factor Authentication (MFA) to mitigate threat of compromised credentials. Widely deployed for web application access MFA enables workforce use of approved web applications via single sign-on. This keeps users from having to remember induvial passwords.

  2. Creating effective IT and OT network segmentation.
    Effective OT segmentation can keep the operational side running even is the IT network is breached. Use of technologies like unidirectional gateways can ensure linkage while making sure that attackers cannot find a path back to the OT network.

  3. Implementing Effective IT Security Best Practices (excerpted from the CISA advisory above): 
    • Enable strong spam filters. 
      Implement a user training program and simulated attacks for spearphishing to discourage users from opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails.
    • Filter network traffic. 
    • Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner.
    • Limit access to resources over networks, especially by restricting RDP.
    • Set antivirus/antimalware programs to conduct regular scans of IT network assets.
    • Implementing application allow listing.
Our Recommendation – Eliminating Passwords is Key.

As a leading provider of passwordless multi-factor authentication technology, we believe as technologists, that traditional MFA alone will not fully address the issue of compromised credentials. Entries in directory services such as Active Directory still contain passwords. Desktops and laptops starting up from cold boot still require passwords. Remote users still have to login to their devices before they can connect to their VPNs to access their corporate applications. 

If you eliminate the password, there is nothing left to steal making it virtually impossible to compromise the credential and harder to compromise the human user. TruU delivers a completely passwordless environment that allows users to leverage the biometrics on their smartphone combined with AI and ML to deliver risk-based signals making sure that only users that are meant to be authorized can gain access to computing and operational systems. Another cool benefit is that as we now return to the workplace, the same app enables your mobile phone to act as a virtual badge to unlock the doors to the corporate facilities. No passwords, no access badges. How cool is that!

For more information, please reach out to me at pkamal@truu.ai


Topics: Blog