What you’ll learn
- Why low-level security may not protect against ransomware.
- How ransomware can bypass firewalls.
- What happens after you pay a ransom.
If you have a non-electric car, then you’re aware that the cost of gasoline has been going up due to the shutdown of the Colonial Pipeline caused by a ransomware attack perpetrated by a criminal organization called DarkSide. We may not know the details of what went wrong. However, it’s easy to guess what happened.
It’s one thing to take over a single PC, but an attack like the one on Colonial Pipeline is different, and not just because of its magnitude. For a single PC, the attack can come in the form of a corrupted file or email. It’s also possible to attack a PC attached to the internet remotely through bugs in the network software.
An attack on a larger network like the one controlling the pipeline usually starts through a single PC, but the security hole is then exploited further by the attacker. Ransomware on a PC will likely notify the user almost immediately. However, an attacker assaulting a larger system will likely remain under the security radar for a long time, maybe months. This allows time to examine the system and create additional holes in its security so that the attacker can get back in—even if one of those holes, including the original one, is closed.
Once an attacker is inside a system, it’s a matter of how restricted they are and which systems they need to compromise. One potential point of attack for the pipeline would be the supervisory control and data acquisition (SCADA) controls commonly used in this type of environment. These should not be directly accessible via the internet, but even keeping them behind a firewall is insufficient if other computers on the same LAN are compromised.
What is Ransomware?
On a PC, ransomware is often a single application that compromises the system. The attack by DarkSide may have started using similar tools. Still, there was a good deal of interactive probing and setup prior to demanding a ransom. To make this attack effective, they had to compromise the system by doing things like encrypting data that’s critical and not available via a backup. The typical recourse for ransomware on a PC is to either wipe the PC and restore from a backup, or install a new system and lose the data that was held for ransom.
The other way to force payment of the ransom is to take over a piece of critical hardware in such a way that it can’t be replaced or reset. This is harder to accomplish but possible in some instances. It also requires significantly more insight into the overall system, whereas encrypting data only needs access to the data and knowledge of what is worth encrypting.
A big issue is that most infrastructure systems like the pipeline aren’t taking a zero-trust approach to their control systems. Zero-trust security assumes that no communication should be trusted unless it is authenticated first. Most IoT frameworks and services already take a zero-trust approach, requiring authentication all of the time in addition to using encrypted connections.
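To make the contrast concrete, here is an added example (not code from the article or from any pipeline operator) of a control endpoint that trusts any host inside the LAN, next to one that authenticates every message with a per-message HMAC and a counter. The shared key, the /24 LAN range, the command strings and the source addresses are all constructed for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared secret for the demo; a real deployment provisions
# per-device keys over a secure channel and never hard-codes them.
SHARED_KEY = b"example-psk-not-for-real-use"
TRUSTED_LAN = ipaddress.ip_network("10.0.0.0/24")  # constructed "inside" range


def perimeter_only_accept(src_ip: str, command: bytes) -> bool:
    """Firewall-style trust: anything originating inside the LAN is accepted.
    A compromised LAN host therefore inherits full control of the endpoint."""
    return ipaddress.ip_address(src_ip) in TRUSTED_LAN


def sign_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: bind the command to a monotonically increasing counter
    so that the receiver can detect both forgery and replay."""
    return hmac.new(key, counter.to_bytes(8, "big") + command, hashlib.sha256).digest()


class ZeroTrustReceiver:
    """Zero-trust endpoint: every message must carry a valid MAC and a fresh
    counter. The source IP is irrelevant to the accept decision."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = -1

    def accept(self, src_ip: str, counter: int, command: bytes, tag: bytes) -> bool:
        expected = sign_command(self._key, counter, command)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered message, even from a LAN address
        if counter <= self._last_counter:
            return False  # replay of an earlier valid message
        self._last_counter = counter
        return True


def demo() -> dict:
    """Constructed scenario: a compromised LAN host (10.0.0.55) tries to
    issue a command it has no key for, then replays a captured one."""
    rx = ZeroTrustReceiver(SHARED_KEY)
    legit = b"SET_SETPOINT 42"
    tag = sign_command(SHARED_KEY, 1, legit)
    forged = b"SET_SETPOINT 99"
    return {
        "perimeter_accepts_forged": perimeter_only_accept("10.0.0.55", forged),
        "zt_accepts_legit": rx.accept("10.0.0.20", 1, legit, tag),
        "zt_rejects_forged": not rx.accept("10.0.0.55", 1, forged, tag),
        "zt_rejects_replay": not rx.accept("10.0.0.20", 1, legit, tag),
    }
```

The counter only stops replay per sender; a real deployment also needs encryption for the channel, as the paragraph above notes, and a key per device so that one compromised host cannot speak for another.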
The National Cybersecurity Picture
Unfortunately, this isn’t the case for many legacy systems within our national infrastructure. Adding new, more secure devices to the mix will help, and beefing up firewalls is a good step forward, but most of the infrastructure in the U.S. is privately owned, and investment in security has been at the bottom of the list. The $5 million that Colonial Pipeline paid in cryptocurrency is just the tip of the iceberg. DarkSide indicated that they have more victims on the hook with their ransomware attacks.
Likewise, paying a ransom may not get the results promised. Colonial Pipeline’s recovery was a combination of restoring from backups and using information provided by DarkSide after the ransom was paid. The latter took more time to implement because restoration wasn’t instantaneous.
Unfortunately, our critical infrastructure includes far more than one pipeline, and the protections on much of it are on par with Colonial Pipeline’s. Many operators have been prompted to make changes, but we don’t know how many or how effective these efforts will be in preventing such attacks.
It’s unlikely that we’ve seen the last of these types of attacks or that there are only a few bad actors. The almost daily news about security breaches has been with us for decades. It’s now a question of whether selling names and info on the dark web will be more profitable than extorting money from large corporations.