In lieu of the recent ransomware cyber attacks on critical supply chain assets, Enigma Forensics analyzes two recent cyber attacks and what lessons we have learned.
Cyber attacks on our supply chain. Will it stop? Enigma Forensics is a cyber forensic company and our love for data security keeps us focused on the 4W’s and 1H of a Cyber Attack. Here’s the latest of two very important cyber attacks on our crucial supply chain.
Who was involved? What happened? When? Where? How did it happen?
On May 7, 2021,Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, experienced a ransomware cyberattack. Colonial Pipeline carries gasoline and jet fuel mainly to the Southeastern United States. The cyber attackers impacted computerized equipment managing the pipeline. They took the company offline and wanted a sizable ransom to reverse the cyber attack.
This pipeline disruption caused an immediate reaction. Americans felt a rise in gasoline prices, people were panic buying and there were crazy long lines at the pump. Some areas reported no gasoline at all. What was the company’s response? Colonial Pipeline’s CEO Joseph Blount reported, they learned the criminal cyber attackers infiltrated Colonial’s computers through a legacy or old virtual private network, commonly known as a V.P.N.
Joseph Blount, CEO of Colonial Pipeline paid approximately $5 million in Bitcoin ransom to the attackers. Blount told the Senate Homeland Security Committee at a hearing, paying the ransomware was the hardest decision of his career. Blount said he knew how critical Colonial’s pipeline is to the country and he put the interests of the country first. When asked about the security on the particular VPN that was hacked, Blount said it was not a two-factor security password that texts to a phone but single factor authentication using only a plain text password. He said it was more complicated than the typical Colonial123 password. Lesson learned?
Following the attack on Colonial Pipeline, another ransomware cyber-attack occurred on our supply chain.
JBS Meat Packing Hack (it rhymes!)
JBS is considered to be one of the largest meatpacking companies in the world. At the end of May, they reported cyber criminals used ransomware to take over the company’s network systems and stopped meat production. JBS revealed they made a payment of $11 million to a Russian-speaking ransomware gang called “REvil” to protect JBS meat plants from any further impact on farmers, grocery stores, and restaurants.
Why are we seeing a surge in targeting a crucial supply chain?
There are many contributing factors in the recent wave of hacking attacks. It’s a fact more folks are working from home and lack the cybersecurity necessary to guard against intrusions. Another large contributing factor is that software used to allow bad actors to break into a network system is more sophisticated and readily available. The largest factor is that the United States companies are more globally connected than ever before therefore increasing their exposure to cybercriminals.
Who’s in Charge?
You might be asking who is in charge. It’s the United States Department of Homeland Security (DHS). Its stated missions involve anti-terrorism, border security, immigration and customs, cybersecurity, and disaster prevention and management.
Cyber Security Prevention
June 10, 2021 – The Department of Homeland Security Cybersecurity and Infrastructure Security Agency unveiled guidance for defending against ransomware attacks targeting operational technology assets and control systems, in light of the rise in critical infrastructure attacks.
Energy is vital to our everyday life. Companies face a competing demand to preserve data and at the same time continue to function. Experts Lee Neubecker and Geary Sikich give advice on how to overcome these challenges.
The Energy Sector provides the global economy with oil, gasoline, electricity, wind and natural gas. An Energy Industry incident could be a physical attack on a power grid or a cyber attack that stops a company from functioning. The properly planned and orchestrated energy sector incident response will minimize or reduce recovery time and loss. Potentially saving lives! Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. strongly urge all companies to create an incident response plan.
This is the final segment in the four-part series on Energy Sector Cyber Insecurity.
Energy Sector Incident Response video transcript follows
Lee Neubecker: Hi I’m here again with Geary Sikich, and we’re continuing with our final fourth part segment in this discussion about global cyber insecurity as it relates to the energy sector. And in this segment, we’ll be telling you a little bit more about some of the things that need to happen, related to the incident response of a data breach, for the energy sector. Geary, thanks for coming back.
Geary Sikich: Thanks Lee for having me. I think this is, probably one of those areas that are challenging to talk about.
LN: Yeah, certainly, and at the forefront, when things first go wrong, there’s a need to immediately take action to help preserve the data, and collect data so that it can be analyzed. But at the same time, there’s a competing demand for wanting the organization to function. And sometimes those two needs, create conflicts.
GS: Yeah, they sort of butt heads if you will. Yeah, I think the issue for a number of organizations, and I’ve experienced being in the kind of command center if you will, of organizations where their website had gone down. And it was, one of these where a lot of stuff was processed through the portals that they had there. Suddenly there was this pressure to get things back up, and then to look at, what is this costing us? Because now our customers cannot execute their orders and whatnot. And that becomes a challenge because it’s the urgency issue. The other aspect is that when we look at incident response, and this is a little bit different from the typical natural disaster incident response. If I’ve been breached in a cyber incident, how long is it before I actually realize that I’ve been breached? It may not happen very quickly, it could be very subtle. And things could be manipulated, and suddenly I’m in a situation like some of the big companies that had data hack, where all the sudden personal accounts of cardholders are exposed. Now, what do I do? So there’s a lot of not the only rapid response that’s needed, but a lot of consequence analysis that’s really needed.
LN: Is it?
GS: How do you do that and yet maintain, as you were saying, and begin to look at that.
GS: From, not really a legal standpoint, but, from a defensive standpoint.
LN: Yeah, well there’s a lot that needs to happen in a short period of time, you have the collection and preservation. Which, forensic professionals are often called in, such as myself. To collect the data. Firewalls, servers, logs. Then you also have the analysis of that data to determine, what are the motivations of the attacker? Was it an attacker? Was it negligence? You know, oftentimes things go down, people assume it’s a cyber attack, external. It could be an internal attack, it could just be something as innocent as, I’ve seen a new system coming online that’s supposed to help back up and provide redundancy, actually reformat a storage NAS array, that it was supposed to help protect. So, these things can happen. And quickly understanding, making sure that data doesn’t disappear that could be used to rebuild is important And that’s where bringing in the outsider’s important because someone new coming in doesn’t have skin in the game. And, you really need that objective party, to help you figure out what’s happening.
GS: But I think that in that respect when you bring in someone from outside, they also have a vested interest in making sure that, from not only a reputation standpoint but also from the standpoint of the viability of their services, making sure that they’re helping to alleviate the issue. And to bring back some, equilibrium if you will. So there’s this issue of consequence management that comes to bear on those–
LN: And you have some conflicts that happen with having the people that were, kind of in charge of watching over the equipment, do the investigation. And that can cause some, serious problems to the organization. And it may be very well that, the attack wasn’t the fault of the people responsible for managing it. But, if for instance there was, an action that took place that might show some carelessness or mishandling of events by the people in charge of IT, there’s a real risk there that, that person might take actions that could result in further data destruction. In an effort to cover up, what had happened.
GS: So now in that respect, we need to protect, we need to begin to look at how we manage the data collection post-incident, or during an incident, if you will. There obviously some legal ramifications.
LN: Yeah well whoever does this might have to testify. And that’s another reason why having a third party come in to do this work is important. Because you may want, legal may want to know, “well before we put an expert up to testify in this, “just tell us what happened and how do we respond? “How do we get ahead of this?” If it was a problem with a vendor, you want to know that. Because the clocks ticking. You know from the time a data breach is confirmed, it is a real data breach and known, to the time it has to be reported, oftentimes its thirty days. So there’s not a lot of time, to wait around If your data breached before you get in your expert, your forensic expert to inspect.
GS: Okay, so we’ve got a legal consideration, that has to be looked at. Insurance today has changed in a lot of respects. So, business interruption insurance. Obviously, that’s a critical area because if you want to file a claim–
LN: Yeah you have to report it to the carrier, or even if you have cyber coverage, it might not be covered if you failed to notify the insurance company of the incident.
GS: So, when I look at that aspect and say, “I’ve got a business interruption policy,” you mention cyber. And now I know that there are other writers to those policies. Like for terrorism and things like that today. If I don’t have a cyber writer, which is a contingent business interruption issue, my business interruption insurance may not cover me, on something like that. So it really becomes more incumbent to have one, the knowledge, two, to be able to look at the legal considerations, three, to begin to understand insurance laws, what do I have from a coverage standpoint? Which is where the traditional risk management group comes into play. But IT’s got to coordinate with them, to ensure all that.
LN: Exactly, and I had Todd Rowe on my show, who’s an insurance cyber attorney, that deals with these coverage issues. So, that’s an excellent video to watch that delves into that more. The other things though with incident response, you know you have the potential PR issues that relate to being data breached. So really, you need to assemble your team, your in-house legal, your HR, your media advisor. Preferably you have a PR firm that has dealt with data breaches before. And then, you’ve got to put together a plan. And all this stuff needs to be going on in parallel. So while that’s happening, your internal people are probably trying to work on, getting their disaster recovery systems restored. You might even have an outside IT provider come in and help bring those systems back up online. The workload that happens when a data breach has occurred, is such that it really isn’t pragmatic or practical to try to have internal IT do all the work. And it also isn’t covered by insurance typically. The outside providers will usually be covered, but not the internal people.
GS: So, if from a structural standpoint, and I’ll draw this to the areas that I worked in many years back after some of the events in the energy industry. Oil spills and things like that. Where industries adopted what they called an incident command system. The United States now has the National Incident Management System. So with cyber though, the composition, in terms of that team, is not necessarily the same that we would see in a typical, incident command system as is generally presented. So from a functional standpoint, I think that there are some things that I would look at. One, somebody’s got to be in charge. Two, somebody’s got to look at planning. What’s going on, and future planning, what do we do? Three, operationally, what’s effected what’s not affected? How do we keep it from cascading? Four, a communications perspective. Internal and external. An administrative function, which looks at the financial aspects. An infrastructure function, which again, internal-external infrastructure. And then, the aspect of, you know, bringing this all together as a team. Your HR people, all these other things. So, yeah.
LN: That was an excellent wrap-up Geary. I really appreciate you being on the show. If you liked this video, please share it. And check out the other segments we did as well. Thanks again Geary for being on the show.
GS: Thank you, Lee. Very challenging to present on this topic. So much.
LN: Be safe.
Watch the other segments in our Cyber Insecurity in the Energy Sector Series.