
Critical Infrastructure Protection – Lessons Learned from the Colonial Pipeline Attack

Colonial Pipeline Attack

Ransomware attacks on critical infrastructure have been a major concern for the last decade, and they have increased significantly over the last few months, raising questions about how severe the impact of targeted cyberattacks can be on governments, the economy, and our daily lives. The SolarWinds attack, which targeted multiple government and private organizations, and the recent Colonial Pipeline attack both show that organizations and governments need to further strengthen their critical infrastructure protection to prevent future attacks.

The Colonial Pipeline, the largest refined products pipeline in the U.S. and a major supplier of gasoline and jet fuel to the East Coast, shut down after a ransomware attack on May 7, 2021.

According to the FBI, a Russian-linked criminal organization called DarkSide is behind the attack. While the group has not denied the attack, it claims to be an apolitical organization that operates to extort money from its victims.

Although the initial attack vector is unknown, we do know that after gaining initial access to the company’s network, the attackers deployed DarkSide ransomware against the Colonial Pipeline IT network. In response to the cyberattack, the company reported that it proactively disconnected certain Operational Technology (OT) systems to ensure the systems’ safety.

According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks "the new normal across several sectors including energy, healthcare, and transportation."

Ransomware Attacks

Ransomware attacks are one of the most common cyberattacks today, and OT environments in critical infrastructure sectors, unlike IT infrastructures in large enterprises, are often not well protected against modern, targeted malware attacks.

OT environments can become “easy” targets due to:

  • Lack of visibility into the assets that exist in, or are brought into, the infrastructure
  • Insufficient processes for managing data exchanged inside and outside of isolated networks
  • Outdated systems and networks that expose vulnerabilities to zero-day exploits

The most common ways for an attacker to gain a foothold in an organization’s network are:

  • Using phishing emails carrying malicious links, such as Google Drive links (e.g., DarkSide)
  • Using unprotected remotely accessible accounts and systems – RDP, VPN, VDI, etc.
  • Exploiting known vulnerabilities in externally facing applications – DarkSide is known for exploiting CVE-2021-20016 as was the case in the SonicWall SMA attack.
  • Using removable media which is not monitored or controlled to transfer files.

The list of mitigations published by the FBI can be found here.

OPSWAT Solutions

OPSWAT offers two platforms designed to protect critical infrastructure against ransomware and other advanced cyberattacks by preventing threats from getting into networks through data files or unknown devices.

MetaDefender Platform

MetaDefender uses OPSWAT's unique deep content disarm and reconstruction (Deep CDR) to remove threats from files by reconstructing the files and, in the process, stripping out potentially malicious content and scripts. MetaDefender also offers multiscanning, file-based vulnerability assessment and proactive data loss prevention (Proactive DLP).
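To make the "reconstruct the file, strip the active content" idea concrete, here is an added, simplified illustration of content disarm and reconstruction for OOXML documents. It is example code written for this post, not OPSWAT's Deep CDR implementation, and the sample macro-enabled document it operates on is constructed inline (the VBA part is a placeholder byte string, not a real macro). The approach rebuilds the ZIP container from scratch with only the parts it recognizes, drops the VBA parts, removes the content-type and relationship entries that reference them, and demotes the macro-enabled main part to the plain document content type so the result opens as an ordinary .docx.

```python
"""Simplified CDR for OOXML (.docx/.docm) containers.

Added illustration only; not OPSWAT's Deep CDR. OOXML files are ZIP
archives of XML "parts", so disarming means rebuilding the archive and
leaving the executable parts (VBA macros) and their references behind.
"""
import io
import re
import zipfile
from typing import List, Tuple

# Part names that carry executable content in OOXML; never copied across.
ACTIVE_PARTS = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml|vbaProjectSignature\.bin)$", re.I
)
# Content types declared for those parts in [Content_Types].xml.
VBA_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.vbaData+xml",
)
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def _clean_content_types(xml: str) -> str:
    """Drop Default/Override entries for macro content types; demote the main part."""
    def keep(m):
        tag = m.group(0)
        return "" if any(ct in tag for ct in VBA_CONTENT_TYPES) else tag
    xml = re.sub(r"<(?:Default|Override)\b[^>]*/>", keep, xml)
    return xml.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)


def _clean_rels(xml: str) -> str:
    """Drop Relationship entries whose Target is a macro part."""
    def keep(m):
        tag = m.group(0)
        target = re.search(r'Target="([^"]*)"', tag)
        return "" if target and ACTIVE_PARTS.search(target.group(1)) else tag
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def disarm(data: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the container without active content. Returns (clean_bytes, removed_parts)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name = info.filename
            if ACTIVE_PARTS.search(name):
                removed.append(name)
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _clean_content_types(payload.decode("utf-8")).encode("utf-8")
            elif name.endswith(".rels"):
                payload = _clean_rels(payload.decode("utf-8")).encode("utf-8")
            # Fresh entry: original ZIP headers, comments and extra fields are not copied.
            dst.writestr(name, payload)
    return out.getvalue(), removed


def list_parts(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document (placeholder VBA, not a real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN_CT + '"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
            '</Types>')
        z.writestr("_rels/.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
        z.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder (constructed)")
        z.writestr("word/vbaData.xml", "<wne:vbaSuppData/>")
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = disarm(build_sample_docm())
    print("removed:", removed)
    print("remaining parts:", list_parts(clean))
```

The point of the design is that nothing is copied from the input that the sanitizer does not understand: each part is written as a new archive entry, so stray ZIP metadata does not survive, and the two XML index files are rewritten rather than passed through. A production implementation would go much further (parsing each XML part properly, handling embedded OLE objects, images, and other formats), but the shape of the technique is the same.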

MetaAccess Platform

MetaAccess keeps SaaS applications and cloud data safe and secure. It allows access based on device health and compliance to help administrators block risky devices from connecting to sensitive cloud data and SaaS applications.

Here’s a screenshot of the OPSWAT MetaDefender Kiosk in action, detecting the malware used in the Colonial Pipeline and the SolarWinds attacks.

Additional best practices to help reduce the attack surface and cybersecurity risks are available in the OPSWAT blog.

For more information on how OPSWAT can help protect your critical infrastructure, including OT, ICS, and SCADA assets, schedule a meeting with one of our cybersecurity experts.

This continues to be a developing story and we will update the blog as updates become available.
