A few thoughts about the Colonial Pipeline hack

May 10, 2021
  Hackers might have found a security wall that resembled a big piece of Swiss cheese—holes everywhere.

Infosec's Keatron Evans

My thoughts on the Colonial Pipeline hack:

I want to first address the world of ransomware. The more I learn about this incident, the more it sounds like they either paid or are considering paying the ransom.


Not so fast, as organizations paying the ransom happens more commonly than it might seem. There are several occasions where I've even advised it under specific circumstances.

Without knowing more details, we can't even say if Colonial has paid or what special conditions might warrant them paying, but a few things come to mind —like not having good backups, and not having a good response plan in place to deal specifically with ransomware.

Many people don't realize that having a network or device hit with ransomware is the operational equivalent to it losing power and being shut off.

Click the cover to read our Quick-Response Report on the Colonial Pipeline hack.

And when you consider that as it relates to a pipeline operator, those consequences could be catastrophic and immediately have severe economic and public-health impact. I've sat in many rooms and went over these scenarios with national infrastructure and energy providers and the possibilities are terrifying.

So faced with those possibilities of what could happen, I would not be surprised at all to eventually discover that some ransom has been paid. 

These networks that actually run and monitor the pipelines are generally supervisory control and data acquisition (SCADA ) and industrial-control systems (ICS networks). Traditionally these networks have been air-gapped, or physically separated, from any other networks, including the internet.  This led to extreme lags in updates and patching, as the logic was if they're not ever connected to anything, there's no rush to patch or update. Not to mention some of the equipment and protocols in use are often so old that they don't support anti-virus updates, or any other security controls.

Fast forward and those networks now must take advantage of the amazing innovations we we're making in the networks outside those. Largely, decisions were made to join these traditionally air-gapped networks to the technologically advanced corporate networks, which came with great benefits, easier management and the chance to not depend upon outdated, unsupported software and protocols. The SCADA vendors followed suit by updating their hardware to support modern technologies and take advantage of the internet. And when you add updated IoT devices to the mix, you got a perfect storm of great innovation and wide-open attack vectors.

Currently, Colonial has not disclosed whether or not the attackers actually made it to the internal pipeline network, but if they did it's possible they might have found a security wall that resembled a big piece of Swiss cheese—holes everywhere.

They are most likely rightfully being advised to say as little as possible this early, so we will have to wait and see what else comes out in the next week or so. 

Keatron Evans is a principal security researcher at Infosec