
Ransomware Attack on Colonial Pipeline Highlights Need for Zero Trust

May 13, 2021

This past week, the Colonial Pipeline Company became the latest victim of a ransomware attack, forcing it to halt operations across its more than 5,500-mile pipeline – critical infrastructure responsible for transporting gasoline and other fuels from the Gulf Coast to the New York Metro area. Since the attack last Friday, the FBI has confirmed that DarkSide ransomware was behind the compromise. Colonial was forced to shut down its pipeline operations while it conducted an investigation and stabilized its environment. The cost in downtime may stretch into the billions, in addition to the widespread ramifications that are rippling across industries.

DarkSide, the malicious hacking group responsible for the attack, infiltrates organizations’ network environments using ransomware. Once introduced to an internal network, the ransomware makes quick work of encrypting and exfiltrating data, and the group threatens to destroy or publicize internal records if a specified ransom is not paid. In this instance, DarkSide compromised Colonial Pipeline’s IT systems, forcing the company to halt operations to contain the ransomware and prevent it from spreading into the OT systems, such as flow computers, which automate the operation of the pipelines themselves.

The incident serves as a key example of the importance of deploying zero trust cybersecurity in today’s real-world operations. Using zero trust, granular security policies are defined and enforced, ensuring that all interactions are authenticated and authorized for every user, application, and machine. 

With zero trust’s granular control, rigorous security enforcement continues even in the event that hackers get onto a corporate or operational network. 

Hackers will inevitably breach corporate and operational networks from time to time, whether via external websites, connections to suppliers, customers and partners, or accidentally via employees. More recently, they’re targeting vulnerable protocols with malware to penetrate internal networks. As exemplified in recent attacks, TeamViewer (Oldsmar), RDP (400% increase in the last year), VNC, and Modbus, among others, are extremely vulnerable to malware-infected devices, and such protocols should never be exposed outside of OT environments. Rather, it’s important that organizations use proxied Transport Layer Security (TLS) sessions to ensure that unsecured protocols and their vulnerabilities cannot serve as attack vectors.

Sophisticated hacker groups like DarkSide have proven their toolsets effective at getting inside their targets. When they strike, it’s crucial that organizations can rely on zero trust security to immediately block and isolate rogue behaviour in order to continue operations and prevent disruption. 

Unlike traditional techniques, under which an attacker can search broadly for and exploit cyber weaknesses upon gaining access inside a network segment perimeter, zero trust treats the identity of each machine, application, user, and data stream as its own independent “perimeter,” allowing fine-grained access policy enforcement. Particularly in distributed industrial environments, this identity-based approach ensures that the actions of users, applications, and machines are verified and specifically authorized before being permitted. In the case of Colonial Pipeline, the ransomware would have been blocked from traversing into OT systems, preventing contamination from IT to OT. Rather than halting operations completely, it would have been possible to identify, investigate, and stabilize the matter – all without ever interrupting pipeline operations. But instead, a single point of entry provided an open landscape for the ransomware to pervade the network, forcing precautionary downtime as well as subsequent supply shortages and interindustry repercussions. 
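The contrast drawn above between a segment perimeter and per-identity policy can be shown with a small decision function. This is an added example, not code from this post or from any product; the segment, identities, asset names and grants are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    src_ip: str   # network location of the caller
    user: str     # authenticated user identity, "" if none
    device: str   # authenticated device identity, "" if none
    target: str   # asset being accessed
    action: str   # operation requested, written as "protocol:verb"

TRUSTED_SEGMENT = ip_network("10.0.0.0/8")  # constructed flat internal network

def perimeter_allows(req):
    """Perimeter model: being inside the segment means trusted for everything."""
    return ip_address(req.src_ip) in TRUSTED_SEGMENT

# Identity policy (constructed): default deny. Each entry grants one user on one
# device a set of actions on one target. Network location is never consulted.
POLICY = {
    ("ops-engineer", "hmi-station-1", "flow-computer-7"): {"modbus:read", "modbus:write"},
    ("historian-svc", "historian-1", "flow-computer-7"): {"modbus:read"},
    ("it-admin", "it-laptop-22", "billing-server"): {"rdp:connect"},
}

def zero_trust_decision(req):
    """Return (allowed, reason); the reason is what an audit log would record."""
    if not req.user or not req.device:
        return False, "unauthenticated"
    granted = POLICY.get((req.user, req.device, req.target))
    if granted is None:
        return False, "identity has no grant on target"
    if req.action not in granted:
        return False, "action not granted"
    return True, "explicit grant"

# Constructed requests: a process on an IT laptop running as the logged-in admin
# reaches for an OT asset, a read-only service attempts a write, and a normal
# operator action.
LATERAL_MOVE = Request("10.1.4.22", "it-admin", "it-laptop-22", "flow-computer-7", "modbus:write")
HISTORIAN_WRITE = Request("10.9.0.8", "historian-svc", "historian-1", "flow-computer-7", "modbus:write")
LEGIT_OT = Request("10.9.0.5", "ops-engineer", "hmi-station-1", "flow-computer-7", "modbus:write")

if __name__ == "__main__":
    for name, req in [("lateral move", LATERAL_MOVE), ("historian write", HISTORIAN_WRITE), ("operator write", LEGIT_OT)]:
        print(f"{name}: perimeter={perimeter_allows(req)} zero_trust={zero_trust_decision(req)}")
```

The perimeter check admits all three requests because each originates inside the segment, while the identity policy admits only the operator's write; the two denial reasons are the events a monitoring team would review.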

“Improvements to the cybersecurity of our critical infrastructure are long overdue,” said CEO Duncan Greatwood. “With the onset of the pandemic, we’ve witnessed a surge in increasingly sophisticated attacks. By taking an equally innovative approach to cybersecurity – one that leverages the strict properties of zero trust security – organizations can retain granular control over access to devices and applications, and eliminate single points of attack.”

To learn more about how industrial operations can deploy zero trust remote access, now available via the cloud, visit https://xage.com/products/zero-trust-remote-access-solution/.