The recent double-extortion ransomware attack on Colonial Pipeline has once again brought enterprise ransomware into the spotlight for cyber underwriters and cyber risk aggregation modellers.
What started as an easy-money ransomware attack on one company turned into something far greater. The attackers, known as DarkSide, inadvertently took down 5,500 miles of critical US oil pipeline infrastructure. DarkSide, a financially motivated ransomware-as-a-service gang, apologized for the “social consequences” of the attack.
As of Saturday May 15, after one week of downtime and a $5 million ransom payment, Colonial Pipeline said its systems are back up and running at full capacity. However, before Colonial Pipeline restored its systems, thousands of gas stations ran out of gas as panic buyers rushed to fill up. State governors in Florida, Georgia, North Carolina, and Virginia implemented states of emergency due to gasoline shortages.
The attack underscores the rising need for underwriters to assess basic cyber hygiene alongside threat specific risks such as ransomware for organizations of all sizes across industries. The attack also calls attention to the risk of widespread contingent business interruption (CBI) as a result of cyber attacks, and the attack is an example of accumulation risk due to cyber attacks on single point of failure (SPoF) technologies and companies.
Below, we provide the key details around the Colonial Pipeline attack that matter to (re)insurers. We also look into the top cyber security and (re)insurance takeaways.
Contents:
- What happened in the Colonial Pipeline attack?
- Cyber hygiene and ransomware risk at Colonial Pipeline prior to the attack
- Top three cyber (re)insurance takeaways
- Top three cyber security lessons learned
- What’s next for ransomware and cyber catastrophe modelling?
What happened?
Colonial Pipeline is a company with operations that are key to the economic health of the United States. The company’s pipelines carry gas and other essential fuels, such as jet fuel and even cooking oil, from Texas to the Northeast. Overall, the company delivers roughly 45% of all fuel consumed on the US East Coast, including New York City. Colonial Pipeline also serves airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic.
Colonial’s operations connect to 30 different oil refineries and nearly 300 fuel distribution terminals throughout the United States.
On 7th May 2021, when Colonial Pipeline learned it was hit with a ransomware attack, the company responded by shutting down its entire pipeline operation as a precaution while the impact and technical detail of the attack were investigated further.
The attackers, known as DarkSide, reportedly took nearly 100 gigabytes of data out of Colonial's network in just two hours before encrypting the company’s data and leaving a ransom note threatening to release the company’s data if no payment was made.
Colonial Pipeline acknowledged that attackers had managed to infiltrate the company’s information technology (IT) network. The company “proactively took certain (operational technology or OT) systems offline to contain the threat, which had temporarily halted all pipeline operations”. The attack forced Colonial Pipeline to shut down approximately 5,500 miles of pipeline. The Department of Homeland Security’s cybersecurity agency confirmed that ransomware was the cause of the incident.
The primary impact of the attack is on Colonial Pipeline and its shareholders. The company will suffer losses due to the breach of its data, a $5 million ransom payment, as well as lost revenue due to unexpected downtime for its pipeline operations. Colonial Pipeline could also suffer reputational damage as a result of the attack, especially if the company is found to be negligent in cyber security.
Cyber hygiene and ransomware risk at Colonial Pipeline
Prior to the attack, CyberCube’s single-risk underwriting solution, Account Manager, flagged several high-risk signals for Colonial Pipeline including RDP Open Ports and Malware Infections.
An insurer or reinsurer licensing Account Manager would have been well-positioned to surface high-risk signals that provide an indication of Colonial’s susceptibility to cyber attack.
CyberCube observed high-risk RDP Open Ports on Colonial Pipeline’s network prior to the ransomware attack. RDP stands for Remote Desktop Protocol and is denoted by TCP Port 3389, a Microsoft Protocol that allows a user’s device to remotely connect to another computer. An RDP Port is commonly used as an entry point for a ransomware attack through methods such as brute force attacks to logins, credential stuffing, stolen credential utilization, or other means if a vulnerability exists.
The percentile rank depicted for Colonial Pipeline’s Open RDP Ports denotes the count of Open RDP Ports relative to Colonial’s peers in the same industry. Higher percentiles are better. A rank in the 12th percentile meant that 88% of Colonial’s peers scored better.
CyberCube observed a malware infection on Colonial Pipeline’s network named “trojan.win32.razy.gen”. A Malware Infection is evidence of malware that is found on a company device. The presence of an infection indicates an attacker has a foothold in company infrastructure. Its presence demonstrates that a threat actor was or is still interested in attacking the company. The malware observed on Colonial Pipeline’s network prior to the attack is primarily associated with cryptocurrency mining. However, once launched, it might alter Windows OS settings, drain a computer's CPU, corrupt files, gather personal data, record keystrokes, and even provide remote access.
With a Malware Infection ranking in the 6th percentile, Colonial Pipeline fares among the worst of its peers when it comes to remediating attacker activities and payloads in its network.
CyberCube’s technology dependency database also points to cyber hygiene risks for Colonial Pipeline. In 2021, Colonial Pipeline is using the entire Microsoft suite of products, which likely includes vulnerable Microsoft Exchange servers. We know that in November 2020, Colonial was also running the vulnerable SolarWinds product Orion.
CyberCube also flagged suspicious outbound Internet traffic from Colonial Pipeline in early 2021, related to dark web activity. CyberCube also observed outdated web browsers and use of the vulnerable Microsoft OS Windows 7 at Colonial Pipeline.
Top three (re)insurance takeaways
(Re)insurers can gather at least three key takeaways from the attack. These include:
(1) The importance of assessing contingent business interruption risk
In addition to the impacts that will be felt by Colonial Pipeline and its shareholders, US fuel consumers ranging from individuals with travel plans to corporations that are dependent on fuel also suffered losses. The event calls to attention the increased importance of identifying and calculating companies’ exposure to contingent BI risk due to cyber attacks. For example, airlines that rely on Colonial Pipeline to deliver fuel were at risk of unplanned downtime due to an attack on their key supplier. On the other side of the supply chain, oil producers were feeling the impact of Colonial’s shutdown. According to the Financial Times, the interruption left some Gulf coast refineries without an outlet to offload their oil, forcing them to cut production by up to 500,000 barrels a day.
(2) The importance of assessing accumulation risk for cyber attacks on SPoF
Colonial Pipeline is one type of SPoF. Colonial’s operations connect to 30 different oil refineries and nearly 300 fuel distribution terminals throughout the United States. Thousands of gas stations, consumers, and hundreds of companies including mass-transit hubs such as airports and more, rely on Colonials to deliver fuel. All of this interconnectivity in the US energy supply chain means that when one key supplier like Colonial Pipeline suffers downtime many other entities suffer as a result.
The attack on Colonial Pipeline calls attention to the fact that SPoFs are vulnerable to cyber criminals alongside nation-state sponsored threats. Recent cyber attacks on SPoF including SolarWinds and Microsoft Exchange, were perpetrated by highly sophisticated adversaries operating under the direction of the Russian and Chinese governments, respectively. The Colonial Pipeline attack was perpetrated by a group of organized criminals that likely have tacit approval (but not operational support) from the Russian government. Assessing accumulation risk for cyber attacks against SPoF has never been more important given the increasingly wide range of potential attackers for these targets.
(3) The importance of modelling accumulation risk for oil infrastructure attacks
CyberCube's Portfolio Manager can help (re)insurers assess accumulation risk specifically related to the disruption of a leading mobile offshore oil rig manager. Our realistic disaster scenario is related to the Colonial Pipeline attack in several ways.
Specifically, we can help (re)insurers model an event in which a nation-state threat actor develops malware targeting security flaws in programmable logic controllers (PLCs) used extensively in the control systems of mobile offshore drilling units (MODUs).
Comparing this scenario to the Colonial Pipeline attack we can see that both are cyber attacks causing business interruption impacts to the oil and gas industry. In both, targeted malware is the general cause of the incident. We model an outage time of one or more weeks, and the Colonial pipeline outage lasted approximately one week. Both have expected cost components of lost revenue, detection and escalation costs, additional expenditure and demand surge, and legal liability, etc.
Cyber security lessons learned
A number of key cyber security lessons can be learned from the attack. These include:
(1) Critical infrastructure operators ought to prioritize response
The question is no longer if, but when operators of critical infrastructure will be attacked. These organizations should prioritize incident response planning to account for the growing possibility that they will face a double-extortion ransomware attack. Plans need to include pre-fabricated public statements that equip the company with the ability to notify key stakeholders as quickly as possible after an attack.
(2) Sophisticated threat actors easily bypass perimeter defenses
The Colonial Pipeline attack illustrates that determined threat actors can easily bypass network perimeter defenses with access to common vulnerability exploit tools, and stolen credentials to gain access to legitimate administrator accounts. This reality underscores the increased need for organizations to enlist multi-factor authentication on all Internet-facing accounts and rapid patching of Internet-facing systems.
(3) OT visibility and network segmentation are key defenses
A lack of visibility into the security status of its OT systems is likely to have caused Colonial to shut down operations in the first place. The company had observed an attack on its IT systems and then proactively shut down OT systems. Had the company been equipped to investigate its OT systems with the same level of granularity that it could inspect IT systems, it may have been able to identify and contain the spread of ransomware without having to completely shut down pipeline operations. Additionally, the attack further underscores the need to clearly demarcate IT and OT systems. Despite their physical separation, the two are often intricately connected.
What’s next for ransomware and cyber catastrophe modelling?
While we have yet to see a true accumulation catastrophe event in cybersecurity, the writing is on the wall, and recent attacks like Colonial Pipeline are an indication of what is to come next.
Enterprise ransomware threat actors are targeting SPoF cloud computing technologies. For example, the latest iteration of the DarkSide ransomware that hit Colonial Pipeline includes the ability to target Linux machines including ESXi hypervisor systems specifically. ESXi is a Type-1 hypervisor (aka a “bare-metal” hypervisor) developed by VMware. A hypervisor is a software that runs and manages virtual machines (VMs). Targeting VMs gives attackers a single-point of attack to incentivize max payouts. Note, VMware holds an overwhelming majority of the worldwide virtual machine market share.
It should now be abundantly clear to insurance industry stakeholders that cyber attacks with catastrophic scope (and the potential for catastrophic losses) are possible. In the last six years, there have been incidents that have highlighted that the issue is no longer a theoretical possibility — it’s an urgent concern. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is a prerequisite and a necessity for all (re)insurers.
Only accumulation management programs that can adequately model SPoF, and assess SPoF-related CBI, will be poised to compete in the new cyber threat landscape.