
    The Colonial Pipeline Cyber Attack Explained with Will Taylor | NXT Up! Episode 15

    How does a cyber attack lead to the shutdown of a major fuel supply for the East Coast? Why does it seem like cyber attacks on critical infrastructure are on the rise? And finally, what can companies do to protect themselves? Will Taylor, Senior Cybersecurity Consultant at NXTsoft, joins us to explain.

    Thanks for watching - and remember to keep an eye out for future episodes of NXT Up! Live on the NXTsoft YouTube channel, Facebook or LinkedIn.


    Video transcript:

    Ben Halbrooks:
    Hey, everyone. Welcome to NXT Up! Live. I'm Ben Halbrooks, your host here at NXTsoft, and we get to talk about cybersecurity, fintech, and if you've never been with us before, a little bit behind the scenes here at NXTsoft. So today I have actually, if I'm correct on this, my first repeat guest: Will Taylor. So Will, you have the honor of being on now twice with me because we talked about election cybersecurity back in November, and now here we are to talk about the Colonial Pipeline hack. Will Taylor is Senior Cybersecurity Consultant at NXTsoft. So he's got some good things to say about this pipeline hack that has captured the attention of the nation. So Will, thanks for joining me.

    Will Taylor:
    Absolutely. Thanks for having me back. And I think this is how Ed McMahon got his job, if I'm not mistaken. He was a guest a couple of times and then-

    Ben Halbrooks:
    Uh-oh. That's the natural progression. It's started.

    Will Taylor:
    That's the goal.

    Ben Halbrooks:
    All right. So, most people, of course at this point, now we're a little bit over a week from the actual Colonial Pipeline ransomware attack, so obviously there's a lot of details we still don't know, as is usually the case with these kinds of things. But if you could just paint a picture for the non-technical of us, what happened? How does an IT hack lead to the shutdown or the halt of a major fuel supply for the east coast? I think I read 2.5 million barrels per day of fuel shipments were halted and I think Colonial Pipeline ended up paying $5 million, around about, to the hacking group. So how does that take place?

    Will Taylor:
    Really, the interesting thing is that it got in the news last week, but typically in this kind of situation, if you hear about it, by the time you hear about it, there has been so much work and, depending on whether or not the group that's been targeted or impacted has any kind of incident response plan or business continuity planning in place or anything else, they've probably been working on this for quite some time. It probably happened well before we ever heard about it. So there's also a lot to consider about the requirements on reporting and that kind of thing based on your industry or what state you're located in. And that's one thing too, from state to state, a lot of the reporting requirements are different. So by the time we heard about this, there had probably been days, if not weeks, of scramble, trying to figure out what happened.

    And as far as the specifics of how it happened, there's nothing concrete out there about, it came in through phishing email, or they had an outdated firewall rule or whatever it might've been. So there hasn't been any official word on that. That may come out down the line, but given the fact that Colonial paid the ransom and that they're taking a very incremental approach, they took a very incremental approach. It seemed like forever to us because it was in the news and this is happening more and more too. It's national news now when these kinds of things happen, whereas it used to be, it was very niche, relegated to the corners of the internet, where internet security people and bad actors got their news. So it's international news and it seems like it's been forever, but they took an incremental approach.

    They paid the ransom. It should be noted that it appears that this wasn't an operational target, they didn't target the operation side of the business, that it was an attack on the business side of the business. And the interesting part about that is, how could that lead to an operational shutdown? But the speculation is, if the business side of the business isn't running and you can't track your quantity of your product that you're shipping or selling, or you can't charge for it, then you're not going to ship it or charge for it. So there's a lot of speculation about how they got in or what they did and that Colonial had to go and actually shut down pieces of equipment that handle the flow of oil. And odds are, it's more likely that they had to stop the flow because they couldn't track, charge for, maintain any kind of inventory on what they were actually would have been piping through.

    So that's really, I think the way it led to a shutdown in this case is that there's been breaches in the past that were targeting critical infrastructure. There have, all over the world, the Stuxnet variant that went around a while back was targeted specifically industrial and nuclear controls. And this doesn't appear to have been... The motivation appears to have been purely financial, that the bad actors found a way into the network by hook or by crook and their goal was not to shut down international travel or oil, certain gas supplies to the east coast, it was to get paid. So they might not have really even known, the bad actors, when they first hit the Colonial Pipeline or one of its subsidiaries or whatever, the impact of what they did was going to have.

    And it was kind of funny to hear some of the chatter on the internet that one of the groups involved basically apologized, and it's like a little kid hitting a baseball through a window. "We were just having fun." And then we ended up shutting down tourism on the east coast for two weeks or whatever it was. But I think it was millions of barrels of oil a day. So really, it's kind of a chain reaction, kind of dominoes, to watch it all fall. And I imagine if you were on the inside, it was even more frustrating because the operation side is technically still working, but whenever ransomware hits, you have to segment anything that might've been breached, anything that might've been compromised, you have to take it off the network. So to watch those dominoes fall, whether you're a bad actor or someone in IT working for Colonial Pipeline, it must've just been absolutely a feeling of despair to watch those dominoes fall.

    Ben Halbrooks:
    Yeah, absolutely. And to your point, obviously you live in the cyber world. So you know about all the incidents that have happened all over the world over the past couple decades, but your average person, this doesn't enter their newsfeed until it's something that really grabs their attention. And this was certainly one of those incidents that crossed over into mainstream media and all of a sudden, you take away Americans' ability to drive or travel or have proper transportation, and all of a sudden, they're "Whoa!" They've woken up.

    So, it does make you wonder about intentions, regardless of what this hacking group's intentions were, it happened and it does happen. It does kind of make you wonder if they did have more malicious intent, could this have had even more widespread impact? So ransomware, I know you've mentioned, obviously this was a ransomware attack, and this seems like it's a growing trend, ransomware attacks, why is that? What's the deal with ransomware? Give us a quick overview of how that works.

    Will Taylor:
    So ransomware, crypto-malware, is a tool. It's a malicious tool that these bad actor groups, whether that's a state-sponsored group, advanced persistent threat is what those are typically called, or whether it's an ad hoc group, or an individual, what they're doing is... And the levels of sophistication vary wildly. A lot of these ransomware groups, the sophisticated ones, they have a plethora of automated tools that go out and are constantly searching. They're just basically scouring blocks of IP addresses and web addresses and email domains, trying to find a way in to the inside of the kind of castles that we build to protect our data, especially sensitive data. And the analogy I use a lot of times is these sophisticated groups, these organized groups, are the equivalent of somebody having multiple fishing lines out in the water at one time.

    And they're just waiting on one of those fishing lines to move and to get a nibble. And a lot of them, that preliminary scouring of internet is very automated. It's using automated tools. They feed certain parameters into it. It's got a whole dictionary of vulnerabilities that it's looking for across hundreds and thousands of IP addresses. And when they get a nibble, then a lot of the sophisticated groups, the second phase is also automated. They're going to run certain attempts to penetrate those vulnerabilities, open ports that they find, misconfigured firewalls, or whatever it may be. They're going to have a second phase that's also automated, but eventually if they get far enough in, they're going to dedicate some manpower, some resources, to try to leverage a way to get all the way into your network, search for sensitive data, encrypt it, encrypt whole networks.

    So it's not just that they're looking to get into your email, that's usually just their foot in the door. The reason that we're seeing such a rise, in my opinion, in ransomware, is because it just keeps working. If it ain't broke, don't fix it. And I think work from home has really ramped up a lot of this, but this is actually more like a six-year trend where we're seeing a rise in the number of crypto-malware and ransomware attacks. We're seeing more phishing; phishing attempts have gone up something like 435% since this time last year. These people are dedicated and dedicating a lot of resources and time. There's whole marketplaces on the dark web where you can go buy these tools and malware. Some of the higher-end ones even have a help desk.

    So if you purchase malware from them and you're trying to use it and you can't get it to execute properly, you can email their help desk. So the reason all of this is happening, in my opinion, is it keeps working. They keep making money. Why would they stop? It's not a matter of why would someone do this? It's a matter of why would they stop? They're making money hand over fist, and frankly, in some of the places in the world where there's not that many other opportunities to work in IT, or maybe the pay scales where they are aren't nearly as high, and the ways they're making money are just lucrative. So really, ransomware is kind of a snake eating its own tail. The more that it's successful, the more people are going to try it and the more people are going to get involved with it.

    And it really is, again, because of work from home, there's a lot more opportunity for these threat actors. And I think it seems like it's on the rise too, because so many of these events are starting to be in the national news, which to me is a good thing. This is not just an IT cyber security personnel problem. This is a problem for all of us. Like you said, we don't really care, most people don't care, until they can't get gas in their car or use their debit card at Target. God forbid, whatever it may be, most people don't care, but every once in a while, something like this rises to the surface and it really shakes us awake.

    And I hate that these things keep happening. They're the bane of my existence. I've worked 20-some odd security incidents like this, and it's always I'm meeting people on the worst day of their professional life. I hate that it's happening, but I'm also not hating the fact that it's not just an IT team problem anymore. And we've known that for a while, people in cybersecurity and in IT, we've known that for a while. So it's a wake-up call, I think.

    Ben Halbrooks:
    Sure. Well, kind of jumping off of that, if it is a wake-up call, what can companies do to protect themselves? Sometimes this feels a little... You look at something like this and you feel a little powerless. You think, "Well, how am I going to stand up to that?" So what can they do? How should they respond?

    Will Taylor:
    I think the best way for us to respond, people who are on this side of these kinds of attacks or in cyber security, really it's pushing a lot of business leaders and gatekeepers and decision-makers to realize that we're investing all of our trust, and a little bit of our time, attention and dollars to this. And historically that's been the case. So for instance, if this ransomware event, and this is purely anecdotal, if this ransomware event happened because of a piece of third-party software that was in use on Colonial Pipeline's systems, hundreds... A major enterprise-level piece of software is developed by dozens and hundreds of people. There are project managers on that side of things, there are developers, there are testers, there's you name it. And then it gets implemented at company A or company Z or Colonial Pipeline.

    And they have a very, very limited number of people who are dedicated full-time to cybersecurity. So there's really an imbalance. And I don't think it's possible to completely balance that out, or for Colonial Pipeline to have dozens and dozens and dozens of cybersecurity experts, or any company. The truth of the matter is right now, the cybersecurity industry has a 0% unemployment rate for a reason. A lot of people are starting to realize these things. So there are, I think, some things that we can do or to have a security first approach with every piece of technology, every administrative function and decision we make, and operations.

    So for instance, I work with several startups from time to time. And the thing I'm always stressing to them is, "Hey, you're on your way in, you don't have 20-year-old systems that you're having to integrate. You don't have legacy systems that somebody developed and then left your company. You literally have the ability to do it all from the beginning and think about security on your way up, on your way in." But I also work with a lot of very well-established, some of them financial institutions and large scale metropolitan, local governments, that they do have those concerns. And the thing I always stress to them is, it's not just the technology. It's empowering the people who are responsible for your cybersecurity to really push on the rest of your employees, a security first mentality, whether that's in user awareness training, cybersecurity training, whether that's giving that person who's in charge of cybersecurity, the authority to say, "No."

    Cybersecurity guys are rarely the most popular people at the company because everyone's got great ideas about better ways to do things and faster ways to process and more efficient use of technology and resources, and the cybersecurity guy's job is to say, "No, not until we've vetted it. Not until we've considered the cybersecurity piece." And if you can develop a culture, I think developing a culture of security is so important, so that role, you may have one person in charge of that, one person in charge of cybersecurity, but it's everybody's responsibility. It's literally everyone's responsibility.

    And the moment that you put it on, if you're unlucky, your one cybersecurity person, if you're fortunate, your cybersecurity team, then you're setting it up for a little bit of heartbreak if they don't have the ultimate authority on yes or no based on security. So I think there needs to be a culture shift within our businesses, and then even within our IT industry that it's security first. And if everybody starts from that place, then the destination can be whatever it needs to be. But a security first mentality, a security first culture, I think there's a million different tools to help with all of this.

    There's a million different brands of firewalls and endpoint protection and antivirus and everything else. But if the culture and the mentality is not security first, then those tools are fighting, they're punching above their weight. And it's not a matter of if, it's a matter of when, your company gets impacted. Sometimes in my experience, that's kind of what it takes, unfortunately, is for it to impact a company in some way, whether that's directly or through a third-party, before there's that wake up moment. Like our nation is having right now where, "Oh, this is our problem. Oh, this is absolutely a part of my job, too." I think, in my opinion, that is literally the only way that this gets any better.

    Ben Halbrooks:
    Hmm. Yeah. And it's interesting that your answer wasn't just, "Hey, it's just better technology." It's really, like you're saying, at the core of it, we say at NXTsoft all the time, it's a people issue first, a culture, like you're saying. So hopefully this is that kind of event that helps business leaders and employees understand they need to be proactive rather than reactive. And to your point, obviously, sometimes, unfortunately, that's what it takes for a company to wake up when it would be so much better to be proactive. So we'll see if this is something that can be the beginning of a culture shift and-

    Will Taylor:
    It may be an opportunity for some businesses to take that approach of, we can learn from other companies' mistakes and not wait for it to show up at your door.

    Ben Halbrooks:
    Absolutely. All right, Will, that's super helpful. I'll say to anyone watching, if you've got any other questions about this or anything that Will has brought up, leave them in the comments below. We'd love to hear from you and get back with you. And Will, thanks again for your expertise.

    Will Taylor:
    Thanks.

    Ben Halbrooks:
    Appreciate it.