Colonial Pipeline made headlines in May 2021 as the victim of a ransomware attack with far-reaching implications. Several months later, the company revealed that the impacts of the attack exceeded those of a ransomware infection.
The Colonial Pipeline breach was already a case study in why enterprises should move quickly to adopt a zero trust architecture to minimize their cyber risk. The scope of this data breach and the long delay in its discovery emphasize the impacts of failing to do so.
Inside the Colonial Pipeline Saga
In May 2021, Colonial Pipeline revealed that it was the victim of a ransomware attack by the DarkSide gang. The attackers infected the IT side of the company’s network with their ransomware, causing Colonial Pipeline to shut down their pipeline operations for nearly a week to protect them against the malware. The pipeline supplies roughly half of the fuel to the US East Coast, and its shutdown caused concern about the potential for terrorists to take advantage of the situation and prompted an Executive Order on improving cybersecurity. Colonial Pipeline chose to pay the ransom, but the poor performance of DarkSide’s decryptor caused them to abandon it and restore their systems from backups.
However, a ransomware infection was not the only impact of the attack to Colonial Pipeline. In August 2021, the company disclosed that it had recently discovered a data breach that was carried out as part of DarkSide’s attack campaign. Within the space of a couple of hours, the attackers stole hundreds of gigabytes of files, including the sensitive information of 5,810 individuals.
The Root Cause of the Colonial Pipeline Hack
Like many high-profile ransomware attacks, the Colonial Pipeline was determined not to be the result of a complex exploit by a sophisticated cybercriminal gang. Like SolarWinds, Colonial Pipeline’s security was compromised due to a leaked password.
The DarkSide hacking group gained access to Colonial Pipeline’s systems through a legacy virtual private network (VPN) that did not have multifactor authentication (MFA) enabled. Since VPNs provide unrestricted access to authenticated users, the DarkSide group was able to leverage this compromised password to steal Colonial Pipeline’s data and deploy ransomware on its network.
A Problem with Trust
The Colonial Pipeline incident demonstrates the risks and potential impacts of failing to transition to a zero trust security strategy. Under a zero trust model, all access requests for corporate assets are evaluated on a case-by-case basis with access granted or denied based upon role-based access controls and behavioral analytics. By limiting access to the bare minimum required by business needs, the company minimizes its cyber risk.
The Colonial Pipeline incident shows that the organization is still operating using a perimeter-based security strategy that violates several of the key tenets of a zero trust strategy. Some of the important shortcomings and their impacts include:
- Poor User Authentication: Access to Colonial Pipeline’s systems was protected by a VPN with MFA disabled. The risk of poor and compromised passwords is well documented, and they are no longer considered an adequate form of user authentication. If MFA had been active on the VPN, the DarkSide group would have been forced to choose another exploitation vector to carry out their attack.
- Use of Legacy Remote Access Solutions: Colonial Pipeline used a VPN for remote access to their IT environment. VPNs have no built-in access controls, allowing authenticated users full and unrestricted access to corporate resources. If Colonial Pipeline had been using zero trust network access (ZTNA) instead of a VPN, it is far less likely that the DarkSide group could have accessed the data that they stole or planted the ransomware that caused the pipeline to shut down.
- Lack of Network Segmentation: Colonial Pipeline shut down the operational technology (OT) side of their business (i.e., the pipeline itself) because of fears that the ransomware infection on the IT side would migrate over. This suggests that systems on the IT side of the organization’s network had access to OT systems that exceeded what was necessary for business operations.
- Failure to Properly Manage Data Access: The DarkSide group managed to access and steal over 100 GB of sensitive data from Colonial Pipeline’s network in a couple of hours. This data included protected information such as healthcare data, social security numbers (SSNs), and more. The fact that this data breach occurred at all and was only detected three months later reveals a lack of appropriate access controls and security monitoring for the sensitive data in the company’s possession.
Lessons Learned from the Colonial Pipeline Incident
The Colonial Pipeline ransomware attack and data breach underscore the importance of implementing good cybersecurity hygiene. A failure to adhere to the tenets of a zero trust security policy left Colonial Pipeline vulnerable to attack by the DarkSide group. Organizations looking to protect themselves against these types of attacks in the future should start moving towards a zero trust architecture today.