Staff at the Texas Reliability Entity warned utilities this week that they need to keep working on the systemic weaknesses that led to last year’s Colonial Pipeline shutdown.
The ransomware attack on Colonial led the company to shut down its entire 5,500-mile pipeline network for almost a week. The network transports more than 100 million gallons of petroleum products daily, supplying about 45% of all fuel consumed on the U.S. East Coast. (See Biden Directs Federal Cybersecurity Overhaul.)
Although the hackers — identified by the FBI as the Eastern European cybercrime group DarkSide — did not manage to compromise the company’s operational technology (OT) systems, they did encrypt several computer systems, including the billing system. This led the company to shut down the pipeline because it had no way to bill customers for their fuel. The attackers demanded 75 Bitcoin (then about $4.4 million) in return for a decryption tool; Colonial CEO Joseph Blount authorized paying the ransom, though subsequent media reports alleged that the tool worked so slowly that the company decided to restore its systems from backups instead.
At Thursday’s Talk with Texas RE, William Sanders, a cybersecurity principal at the regional entity, reminded attendees that incidents like the Colonial attack don’t need to involve sophisticated hacking techniques; in many cases, simple carelessness provides plenty of opportunities for hackers to get a foothold in a system. Vulnerabilities such as recycling user names and passwords from one system to another are easy to warn against but can be incredibly hard to eradicate.
“Studies have shown that over half of respondents are reusing passwords … and of those, 44% admitted to reusing passwords between personal and work accounts. So this can be very problematic,” he said.
Password reuse may have enabled DarkSide to first gain entry into the Colonial network. The hackers used the password of an employee to gain access to Colonial’s system on April 29, initially performing reconnaissance before launching their attack several days later. But access alone was not enough to cripple the company: several other frequently repeated security recommendations also had to go unheeded for the gang to reach critical systems.
“We don’t know how the password was acquired, but it has been discovered in a Dark Web leak, so the password is publicly available,” Sanders said. “It’s possible that the Colonial Pipeline employee had reused a password between work and personal accounts, and the Colonial account was no longer in use, but it had not been disabled; it was still enabled and had access to their VPN [virtual private network] … and the VPN did not require multifactor authentication.”
While NERC’s Critical Infrastructure Protection (CIP) reliability standards already require changing passwords at least every 15 months, Sanders observed that this only applies to high- and medium-impact bulk electric system (BES) cyber systems. However, the Colonial incident shows that low-impact systems — even non-OT systems like billing — may also be used to impact an entity’s operations.
For this reason, utilities should consider requiring users of other networks to change their passwords frequently too, though changing passwords too often may push employees to reuse or cycle through credentials, which should also be avoided.
Sanders suggested utilities can consider expanding other CIP requirements that don’t currently apply to low-impact systems, such as disabling accounts that are no longer needed and implementing multifactor authentication wherever feasible.
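The three controls discussed above (disabling accounts that are no longer in use, requiring multifactor authentication on remote access such as VPN, and bounding password age) can be checked against an account inventory export. The following is an added Python example, not code from Texas RE, NERC or Colonial; the CSV inventory is constructed sample data, and the 90-day inactivity threshold and the 450-day approximation of the 15-month CIP password-change ceiling are assumptions chosen for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample account inventory (not real utility data).
# Columns: username, enabled, last_login, vpn_access, mfa_enrolled, password_set
SAMPLE_INVENTORY = """username,enabled,last_login,vpn_access,mfa_enrolled,password_set
jdoe,true,2021-01-15,true,false,2019-11-02
asmith,true,2021-04-20,true,true,2021-03-01
bwayne,false,2020-06-30,true,false,2019-01-01
ckent,true,2021-04-25,false,false,2020-12-15
"""

# Assumed thresholds: 15 months approximated as 450 days; 90 days of inactivity
# is an illustrative choice, not a figure from the CIP standards.
MAX_PASSWORD_AGE = timedelta(days=450)
STALE_AFTER = timedelta(days=90)


def parse_inventory(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(row["last_login"]),
            "vpn_access": row["vpn_access"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
            "password_set": date.fromisoformat(row["password_set"]),
        })
    return rows


def audit(rows, today):
    """Return {username: [issue, ...]} for every enabled account that
    violates one of the three controls. Disabled accounts are skipped
    because disabling is already the desired end state."""
    findings = {}
    for r in rows:
        if not r["enabled"]:
            continue
        issues = []
        if today - r["last_login"] > STALE_AFTER:
            issues.append("stale-but-enabled")        # should be disabled
        if r["vpn_access"] and not r["mfa_enrolled"]:
            issues.append("vpn-without-mfa")          # remote access on a single factor
        if today - r["password_set"] > MAX_PASSWORD_AGE:
            issues.append("password-too-old")         # beyond the assumed rotation ceiling
        if issues:
            findings[r["username"]] = issues
    return findings


def run_sample_audit(today=date(2021, 4, 29)):
    return audit(parse_inventory(SAMPLE_INVENTORY), today)


if __name__ == "__main__":
    for user, issues in run_sample_audit().items():
        print(f"{user}: {', '.join(issues)}")
```

Run against the sample, only `jdoe` is flagged: the account has been idle for over 90 days yet is still enabled, holds VPN access without MFA, and carries a password older than the assumed ceiling, which is the same combination of lapses the talk described. Swapping `SAMPLE_INVENTORY` for a real directory or VPN export and adjusting the two thresholds to local policy turns the script into a recurring check for low-impact systems that CIP does not currently cover.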
“Accounts protected with multifactor authentication are 99% less likely to be compromised,” Sanders said. “It’s still possible for them to be compromised, but the level of sophistication and effort [needed] is much greater than [for] those accounts that are only protected with a single-factor password.”