On May 7, 2021, Colonial Pipeline, the largest fuel pipeline operator in the U.S., came under a ransomware attack that forced it to shut down all fuel operations temporarily. Colonial operates the largest refined products pipeline in the U.S., transporting 100 million gallons, or 2.5 million barrels, per day, according to its website. The pipeline also supplies the U.S. military.
The gang behind the attack, DarkSide, targeted the company’s corporate IT network rather than the operational network that controls the fuel pipelines. Because the two networks were not “air-gapped,” Colonial shut down the pipeline as a precaution to contain the attack.
The shutdown has caused severe oil and gasoline shortages along the East Coast and in the Southeast, with people in those regions panic-buying fuel. Colonial has released a statement saying it would take at least a week to resume pipeline operations after investigations and additional security measures, further exacerbating the shortage and the price hike. It also said it did not plan to pay the ransom demanded by the hackers.
How did the attackers get inside the network?
While the investigation is still ongoing, several entry points could have facilitated the infiltration: an unpatched vulnerability, a phishing email, a malicious website, and so on.
The most likely candidate, however, is leaked credentials of users and machines connected to the internet. With many administrators relying on remote access software because of the pandemic, obtaining their credentials has become much easier for attackers. Even without a leak, remote login portals for internet-connected computers can be discovered and brute-forced to recover usernames and passwords.
Preventing cyber attacks from the ground up
Defending against cyber attacks comes down to how well the identities of both humans and machines are managed. From the SolarWinds hack to the Equifax breach to, most likely, the Colonial Pipeline outage, almost every attack starts with a threat actor gaining access to the organization’s critical infrastructure by stealing or breaking a device’s or user’s credentials.
With remote work and digital transformation, the attack surface has grown exponentially. Most devices, such as laptops, mobile devices, and IoT endpoints, now reside outside the organization’s network perimeter, as do the users. Distributed identities that lack centralized control and management pose an enormous risk to enterprise cybersecurity and are the key reason behind many recent cyber attacks.
Zero Trust Security
Implementing Zero Trust security is one of the most effective ways to counter such attacks. With Zero Trust, even if an attacker compromises a device within the network, they cannot use that device to reach other devices in the network, which contains the blast radius. Enterprises can implement Zero Trust through Multi-Factor Authentication (MFA), strict access controls, and micro-segmentation.
Digital Identity Management
Zero Trust is, however, a defensive strategy. Enterprises should ideally take steps to ensure their users, devices, and applications do not get compromised in the first place. The only way to ensure this is by managing identities.
Technologies such as Identity and Access Management (IAM) and Privileged Access Management (PAM) are used to secure user identities. Machine identities, which are made up of X.509 certificates and keys, still do not have an industry dedicated to them despite being a crucial part of cybersecurity.
However, several technology vendors are rising fast to fill this gap. These vendors provide full lifecycle management and automation of digital certificates and keys. They make sure keys are regenerated and certificates are renewed frequently, leaving attackers little time to crack them by brute force and rendering any compromised identity useless once it has been rotated.
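A concrete version of the lifecycle checks described above, added here as an example and not code from the article or from any vendor it refers to: it audits an inventory of X.509 certificates for validity periods that exceed a policy ceiling and for renewals that kept the previous key pair. The 90-day ceiling, the host names and the self-signed sample certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const maxLifetime = 90 * 24 * time.Hour // assumed policy ceiling, not from the article
// AuditCerts walks an inventory ordered oldest first and reports certificates whose validity
// exceeds maxLifetime or that were renewed with the old key pair (same subject, same SPKI hash).
func AuditCerts(certs []*x509.Certificate) (findings []string) {
	prevKey := map[string][32]byte{} // subject CN -> key fingerprint of its previous cert
	for _, c := range certs {
		cn, kid := c.Subject.CommonName, sha256.Sum256(c.RawSubjectPublicKeyInfo)
		if c.NotAfter.Sub(c.NotBefore) > maxLifetime {
			findings = append(findings, cn+": validity period exceeds policy")
		}
		if k, seen := prevKey[cn]; seen && k == kid {
			findings = append(findings, cn+": renewed without rotating the key pair")
		}
		prevKey[cn] = kid
	}
	return findings
}
// selfSigned builds a constructed sample certificate; a real audit would parse PEM files.
func selfSigned(cn string, priv ed25519.PrivateKey, days int, serial int64) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return c
}
// SampleAudit audits a constructed inventory and yields exactly two findings.
func SampleAudit() []string {
	_, k1, _ := ed25519.GenerateKey(rand.Reader)
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	return AuditCerts([]*x509.Certificate{
		selfSigned("scada-gw.example.internal", k1, 30, 1),
		selfSigned("scada-gw.example.internal", k1, 30, 2), // renewed, but same key pair
		selfSigned("vpn.example.internal", k2, 730, 3),      // two-year validity
	})
}
```

In practice the inventory would be loaded from the certificate store or discovery scan, sorted by NotBefore, and the findings fed into the renewal automation.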