
Thread: U.S. oil pipeline shut down by ransomware

  1. #31
    Quote Originally Posted by farscott View Post
    Some of the statements on the attack are contradictory. One version of the story states that the pipeline controls were not impacted; the impact was to the admin systems that process orders, supply direction, and handle billing. That is less concerning to me even though the net result is the same -- not knowing how much of what to send to whom. But that is better than not being able to move fuel.

    Other versions state the actual pipeline controls were impacted. That would be very bad, like Stuxnet levels of bad.

    I also do not believe that the Russian government is unaware of the target. The Colonial pipeline is a big deal, and anyone taking it down has to realize the impacts. The real question is, "Why did the Russian government authorize/allow this?" For propaganda value, to gauge a response, and/or to make a point with another nation-state?
    Agreed there is a big difference security-wise between operational issues and administrative issues. But practically (a) it may take some time and effort to investigate & establish / confirm the distinction, and (b) even if the operational system is not affected if they can't reliably account for what is being transported it may be necessary to shut down anyway, at least until they can build some sort of ad-hoc system to provide the necessary accounting.

    I am not an expert in this area, but listening to people that are suggests to me that legacy SCADA systems are unlikely to have adequate security, intrusion detection and monitoring features, and some of these are running on unsupported hardware and software, with institutional knowledge rapidly disappearing. In most cases they were never intended to be connected to any sort of public network, but evolved to this in a haphazard and insecure manner over a period of time, operated by various companies / people, using various technologies, none of which are necessarily focused on security from this type of attack.

    I hope Colonial and other operators can regain / retain control of their systems (which they will) and I really hope that something tragic happens to the people that are doing this.

  2. #32
    Member
    Join Date
    Aug 2017
    Location
    Central Texas
    This is a major terrorist for profit attack on the infrastructure of the United States not an IT problem. It's not like the company's IT manager decided to not purchase the next McAfee upgrade. It's a lot more sophisticated. The more the best security software engineers work to develop more secure software the more the hackers work in defeating it. They both have the same tools. Those that perpetrated this act should be treated as common terrorists. Every one of them should be hunted down, captured or killed by the US. The current weak response by the feds, treating it like an individual company's cyber security problem, will only encourage others to do the same. The penalty for attacking the US infrastructure needs to be swift and severe if we want others to refrain. One of the first major military actions taken by the United States involved ransom. It was fought to protect trade interest by capturing and killing pirates on the Barbary Coast who were commandeering US flagged merchant ships, attempting to extort ransom for the lives of the captured sailors and for payment of tribute to avoid further attacks. After the Barbary Coast War, all US flagged merchant ships were safe in the region.

  3. #33
    Quote Originally Posted by medmo View Post
    This is a major terrorist for profit attack on the infrastructure of the United States not an IT problem. It's not like the company's IT manager decided to not purchase the next McAfee upgrade. It's a lot more sophisticated. The more the best security software engineers work to develop more secure software the more the hackers work in defeating it. They both have the same tools. Those that perpetrated this act should be treated as common terrorists. Every one of them should be hunted down, captured or killed by the US.
    The flip side to this argument is: "The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

    If corporations want people abroad killed without trial, they should follow established practice and pay themselves.

  4. #34
    Member
    Join Date
    Aug 2017
    Location
    Central Texas
    Quote Originally Posted by Wise_A View Post
    The flip side to this argument is: "The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

    If corporations want people abroad killed without trial, they should follow established practice and pay themselves.
    That isn’t the flip side. This is a national security crisis. They aren’t ransoming something like further production of Oreo cookies causing some Americans minor inconvenience. It’s a disruption of energy delivery which can be catastrophic. The flip side would be the US nationalizing energy and the power grid. That would be the flip side of having private companies operate while being protected by the US.

    "The government should spend tax dollars to conduct extrajudicial murders of people that disrupt business interests."

    Yes, agreed, true fact. America has been doing exactly that and protecting American interest since 1798. It’s one of the reasons we have a global military force currently deployed.

  5. #35
    DarkSide dudes & similar have chosen attacks on Colonial et al as their business model because (a) they have money and might pay (sometimes quietly) and (b) there are basically no consequences of doing this other than _maybe_ some travel sanctions or even indictments that will never be followed by arrests, trials, convictions, incarcerations or anything else.

    Unless this changes in a way that causes a reconsideration of targets and consequences the best we can hope for is an ongoing battle between defenders and attackers. Defenders have to win every single time, especially if attackers can try, fail, try again, etc.

    I have no inside knowledge of this incident but it seems Colonial (a) realized there is no way to keep this quiet, and/or (b) took an ideological position that doing a quiet payoff is wrong, and instead pressed the big red STOP button, firstly to ensure the safety of their system but also possibly to bring some .gov attention to bear on the situation.

    It seems to me the .gov is at least somewhat obliged to protect the business activities under its jurisdiction, but I am not sure how that translates into what can be done especially when attribution and the normal legal process is hampered by distance, (some) anonymity, lack of treaties and protocols, etc.

  6. #36
    banana republican blues's Avatar
    Join Date
    Aug 2016
    Location
    Blue Ridge Mtns
    The only good hacker is a ...
    There's nothing civil about this war.

  7. #37
    Member
    Join Date
    Aug 2017
    Location
    Central Texas
    Quote Originally Posted by Snapshot View Post
    It seems to me the .gov is at least somewhat obliged to protect the business activities under its jurisdiction, but I am not sure how that translates into what can be done especially when attribution and the normal legal process is hampered by distance, (some) anonymity, lack of treaties and protocols, etc.
    Check out the link showing Instances of Use of United States Armed Forces Abroad, 1798 - 2020:

    https://fas.org/sgp/crs/natsec/R42738.pdf

    As you scroll through the list, note how many uses of armed forces were for "protecting American interest." This is a list of only the documented and publicly known uses of forces abroad. An energy provider and the power grid are of vital American interest.

    Think these DarkSide dudes would try and pull this kind of thing off with an energy company in Israel? I don't believe they would. They are doing it to this energy company, inside of this country, at this very moment in time for a reason.

  8. #38
    Smoke Bomb / Ninja Vanish Chance's Avatar
    Join Date
    Nov 2011
    Quote Originally Posted by farscott View Post
    I also do not believe that the Russian government is unaware of the target.
    I think the Russian government not being aware of what was happening is completely plausible. There are so many cyber-ne'er-do-wells operating out of Russia that I doubt self-reporting or any real command-and-control is a thing. And it definitely wouldn't be the first time a ransomware gang exploited a target without giving broader consequences any consideration.

    If it turns out that the pipeline's infrastructure was targeted directly, different story. But most of what's being said publicly sounds like it was ransomware gone awry. And as someone mentioned up thread, maybe concern for the pipeline itself is completely tertiary: if all of your systems are down, you don't know who you're supposed to be delivering fuel to, or have any way of accepting payment for fuel, et cetera.
    "A wise man says: 'To forgive is divine, but do not pay full price for pizza delivered late.'" - Michelangelo

  9. #39
    Stopped by the usual place on tonight's commute home to fill up. No gas. Next place had it, but I was surprised.

  10. #40
    Site Supporter
    Join Date
    Jul 2016
    Location
    Away, away, away, down.......
    Does anybody have petroleum riots on their 2021 bingo cards?

    Considering that our guys are burning gas all day long this might be problematic for the company I work for if it drags out too long. And in the immediate future suck for a day or two if there is a short term shortage.
    im strong, i can run faster than train
