A major US fuel pipeline operator recently announced that it had been hit by ransomware, a type of cyberattack in which hackers encrypt important data so its owners cannot access it unless they pay the criminals to unlock it. Colonial Pipeline, a privately owned company that transports nearly half of the gasoline and other fuel used on the US East Coast, was forced to shut down 5,500 miles of pipeline. The FBI has blamed the attack on a criminal group called DarkSide.
Unlike ransomware attacks that hijack a person’s computer files, lock down a university network or blackmail a hospital, attacks on critical infrastructure such as Colonial Pipeline’s fuel pipeline can have a huge impact on entire regions of the country. “DarkSide’s ransomware caused quite a significant disruption to the fuel supply on the East Coast and sparked a range of political interference and administrative responses [by President Joe Biden] about trying to simplify the transportation of fuel and mitigate the impact,” said Josephine Wolff, assistant professor of cybersecurity policy at Tufts University. Scientific American spoke to Wolff about the ransomware threat, how vulnerable US critical infrastructure really is, and what can be done to protect it.
[An edited transcript of the interview follows.]
Are ransomware attacks becoming more common?
It’s hard to find really good numbers because [there are] lots of ransomware attacks that we don’t hear about publicly. Most of the time there is no need to report them. But those we hear of are clearly not only becoming more numerous but also more significant in their effects. If we think back a few years, the city of Atlanta, the city of Baltimore, we had a series of attacks that focused on public government and used ransomware. More recently, there has been a lot of emphasis on attacks against hospitals and healthcare providers. And although we saw fewer examples of this, in the background such attacks threatened to target critical infrastructure in ways that would significantly disrupt operations and daily life.
Besides pipelines, what other types of infrastructure are at risk?
The typical example that people use is the power grid. What if someone is able to cut off electricity in one part of the country? The shutdown of the Colonial Pipeline, while not exactly that, fits into the nightmare scenario “What do we do when we lose control of our energy infrastructure?” However, this applies to a number of critical infrastructure sectors. What happens when a large part of the banking infrastructure is down or inaccessible? What happens when the metro system in a big city is compromised and it is impossible to plan trains or carry out transport? Up until this point, we’ve mostly just imagined these scenarios. There have been some high profile examples of the energy sector being targeted, but this is still a fairly rare occurrence – and quite noticeable for that reason.
Are these systems adequately protected?
The general answer is that nothing in our energy sector is likely to be adequately protected. It is a sector with an enormous number of legacy systems and complex infrastructure, and it is a sector that must always be operational. So it is not easy to say, “It will take us a week, a month or a year to completely overhaul everything and update all systems.”
How can these potential targets be better defended?
First and foremost, they should really try to block their perimeter defenses – that is, any security controls they use to prevent malware from getting onto their computers in the first place. This could be, for example, two-factor authentication, email alerts for external emails, and checking new USB drives or other devices connected to your system. I think there should be a lot of controls (especially now, at a time when a lot of people are working from home) to ensure remote access – the computers that connect to your system from outside your office.
A large [defense] is what we would call network segmentation: make sure that it is very, very difficult to spread this malware across the larger network when part of a company’s infrastructure is compromised and targeted. One of the things that is pretty noticeable about this story is that Colonial Pipeline shut down more than 5,000 miles of pipeline. To me that either indicates that a very large part of its system has been compromised or that [the company is] concerned that it might be very easy. Ideally, an initial compromise would not have that big an impact.
Another point is the consideration of how you can bring systems back into operation very quickly, since with critical infrastructure you do not have much time to take everything offline. There are many quick decisions to be made. There is a lot to be said for trying to do some test exercises and making sure that there is a really clear plan in place for such a situation. I also think this helps discourage ransom payments, so people feel, “We trained for this; we know what to do,” as opposed to, “We have never seen anything like it before. I think we have to pay.”
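One way to turn the segmentation point above into a concrete check, as an added example that is not part of the interview and models no real operator’s network: the hosts, segments and firewall policies below are constructed, and the script computes how many machines a single initial compromise could pivot to under each policy, including the case where two individually reasonable inter-segment rules chain into a path from office IT to operational systems.

```python
"""Blast-radius check for network segmentation (constructed example)."""
from collections import deque

# Constructed inventory (host -> segment); names are illustrative only.
HOSTS = {
    "laptop-01": "corp-it", "laptop-02": "corp-it", "mail-01": "corp-it",
    "erp-01": "business", "billing-01": "business",
    "hmi-01": "ot", "plc-gw-01": "ot", "plc-gw-02": "ot",
}
SEGMENTS = set(HOSTS.values())

# A policy is the set of (source_segment, destination_segment) pairs the
# firewall lets initiate connections. Traffic inside a segment is always
# allowed in this model, which is what makes a flat network so costly.
FLAT_POLICY = {(a, b) for a in SEGMENTS for b in SEGMENTS}
LEAKY_POLICY = {("corp-it", "business"), ("business", "ot")}  # chains to OT
STRICT_POLICY = {("corp-it", "business")}                     # OT isolated


def reachable(start, hosts, policy):
    """Breadth-first pivot: every host an intruder on `start` can connect to."""
    seen, queue = {start}, deque([start])
    while queue:
        cur_seg = hosts[queue.popleft()]
        for host, seg in hosts.items():
            if host not in seen and (seg == cur_seg or (cur_seg, seg) in policy):
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(start, hosts, policy):
    """Number of hosts a compromise of `start` can spread to."""
    return len(reachable(start, hosts, policy))


def worst_case(hosts, policy):
    """Largest blast radius over every possible initial compromise."""
    return max(blast_radius(h, hosts, policy) for h in hosts)


def ot_exposed_from(segment, hosts, policy):
    """True if any host in `segment` can pivot, directly or via hops, to OT."""
    return any(hosts[h] == "ot"
               for start, seg in hosts.items() if seg == segment
               for h in reachable(start, hosts, policy))


if __name__ == "__main__":
    for name, policy in [("flat", FLAT_POLICY), ("leaky", LEAKY_POLICY),
                         ("strict", STRICT_POLICY)]:
        print(f"{name:6} worst-case blast radius {worst_case(HOSTS, policy)}"
              f"/{len(HOSTS)}; corp-it reaches OT: "
              f"{ot_exposed_from('corp-it', HOSTS, policy)}")
```

The “leaky” policy looks segmented on paper yet gives an office laptop the same blast radius as a flat network, which is the kind of transitive path a tabletop exercise should surface before an incident does.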
Beyond systems, what should the government do to help?
I would like a much stricter ban on most ransom payments. This is my opinion; that is not everyone’s opinion. But what can the US government do unilaterally? Trying to make this a less profitable endeavor in the long run is one of the most effective things we could do. [Cracking down], I think, could make a huge difference in how much money these criminals can make, and therefore in how many of them get into the business and use this as a way to profit.
What do we know about these criminals? How profitable is the ransomware industry?
We know it’s profitable because we know people keep doing it, and that’s actually the strongest indication that people keep making money. But it is very difficult to estimate precisely how much money they are making. The group to which the Colonial Pipeline ransomware has been attributed is a criminal organization heavily focused on ransomware as a service, providing ransomware tools and code for customers to run their own attacks. This is important, as this organization, DarkSide, is building this business not only to target businesses but also to make it easier for other criminals. That, again with no hard data, speaks a little to the extent of this problem.
Would we have more hard data if victims had to report ransomware attacks?
A notification requirement would at least help us get a better grip on the size and extent of the problem. Indeed, if we made statements like “ransomware is on the rise” or “2021 is the worst year for ransomware ever,” we would have some harder data behind such generalizations. But I also think it would give us a lot more insight into: What are the criminals’ profit margins? Who pays them? How much is paid? How do we make ransomware a less profitable endeavor?