Colonial Pipeline Ransomware: An Emerging Trend in ICS Cyberattacks

09 May 2021

OTORIO’s Industrial Cybercrime Impact Q1 2021 Report finds a 200% increase in disruptive industrial cyberattacks compared to the previous quarter; 71% of attacks are attributed to ransomware.

Unfortunately, the recent ransomware attack on Colonial Pipeline, one of the largest pipelines in the US, comes as no surprise to us. Since January, we’ve seen a dramatic rise in the number of attacks that have affected the operations of critical infrastructure sites. Utilities such as water treatment plants, fuel distributors, energy utilities, and hospitals are getting a concerning amount of attention from hackers.

200% Increase in Disruptive Industrial Cyber Attacks in Q1 2021

In Q1 2021, the operations of 14 industrial companies and critical infrastructure sites were disrupted by cyberattacks, more cases than in Q3 and Q4 2020 put together, and a 200% increase compared to Q4 2020. Building on the 2020 rise in cyberattacks targeting industrial companies, in Q1 2021 we’re seeing that as attackers gain experience, they manage to cause more severe damage.


The fact that the hackers chose ransomware as their attack method to strike the gasoline pipeline operator also doesn’t come as a surprise. In 2021, the industrial sector at large is increasingly in the crosshairs of ransomware threat actors. At least 70% of the major attacks that targeted operational technology (OT) networks in the first quarter of this year were ransomware attacks.


Why? Attackers know very well that operators of critical infrastructure and operational networks can’t afford any downtime. Recovery time from a cyberattack for industrial companies is 17 days on average, with some companies reporting weeks and even months before they are able to return to full production. Even with a modest estimate of $250K lost for every day of disruption, the costs run into the millions.

Utilities: Hackers’ Holy Grail

The new US administration is taking this operational cybersecurity threat very seriously and is expected to soon issue an executive order focused on the industrial control systems that operate utilities such as water treatment and energy delivery. The plan comes as a response to recent cyberattacks, such as the Colonial Pipeline ransomware incident, targeting critical utilities around the world. Some of the most concerning recent industrial cyberattacks targeting utilities are:

  • Brazilian fuel distributor Ultrapar - In January 2021, Ultrapar halted part of its operations at some subsidiaries due to a cyberattack. It took almost two days to restore the company’s operations.
  • Florida water treatment - In February, hackers gained access to the water treatment system of Oldsmar, Florida, and manipulated the water supply’s sodium hydroxide (lye) levels, potentially endangering thousands of lives.
  • Indian power sector - In February, a targeted campaign conducted by the China-linked group RedEcho against the Indian power sector was revealed.
  • OmniTRAX railroads - In January, OmniTRAX, one of the largest privately owned railroad companies in the United States, was hit by ransomware. Luckily, the attack didn’t impact the company’s operations.
  • State-owned Brazilian energy utility Copel - In February, the energy utility suffered a cyberattack that caused instability in part of its systems.
  • Multinational energy company Enel - The group was hit by ransomware attacks twice in 2020.


Industrial Cyberattacks: The Game is Not Over

In today’s volatile cybersecurity climate, the only way for critical infrastructure operations to truly mitigate damage is to prevent it. The question is: How?

The key is to choose a cyber defence approach that combines a traditional reactive approach with a proactive risk reduction approach that fits the needs of the operational environment.

Proactive actions are pre-breach risk reduction activities, such as continuous identification and mitigation of exposures. Reactive actions are post-breach measures that minimize disruption to production, relying on quick detection and response.

Most OT security solutions on the market today are focused on the reactive paradigm. The main reason for this is that they were conceived from traditional IT security concepts: they detect and respond to security incidents after they happen. Quick detection and response is very important, but as the attack on Colonial Pipeline and other recent attacks on critical infrastructure show, the attack is usually detected only after significant damage has been caused. When it comes to critical utilities, the attack can disrupt operations and even put human lives at risk.


Operators that embrace a proactive approach and take pre-emptive risk reduction measures will dramatically reduce their probability of falling victim to a cyberattack, and will also reduce the potential damage and response time once under attack. Given the dramatic rise in disruptive cyberattacks in Q1 2021, it is clear that this effort should be the top priority of any utility safety and cybersecurity stakeholder.


Read more about the alarming industrial cyberattack trends of 2021 in OTORIO’s Industrial Cybercrime Impact Q1 2021 Report. OTORIO is a leading industrial cybersecurity company offering digital risk management and OT threat intelligence services.

Q1 2021 Industrial Cybercrime Impact Report