Numerous Federal agencies are springing into action in response to the ransomware attack on Colonial Pipeline Company, a major supplier of fuel to the northeastern U.S. that temporarily shut down pipeline operations after disclosing the attack on May 7.
The Federal response effort includes attention from the White House, where Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said today the administration is mounting a “whole-of-government” approach to respond to the hack.
She said the government’s four-step approach includes staying engaged with Colonial, continuing to investigate the incident, convening stakeholders to share information, and taking threats of ransomware seriously.
Neuberger said Colonial has “not asked for cyber support” from the Federal government, but said the government is “standing by” for support if needed.
“We judge that the company said that they have adequate support, and they noted in their public remarks that they’re using a third-party service, that they feel they’re making adequate progress with their own resources,” Neuberger said. “We know we’re standing by, but we’re happy that they are confident in their ability to remediate the incident and rapidly recover to meet the needs of their customers in this current environment.”
Neuberger drew attention to the fact that the FBI confirmed today that DarkSide ransomware is responsible for the hack. DarkSide is “a ransomware as a service variant,” according to Neuberger, in which “criminal affiliates conduct attacks and then share the proceeds with the ransomware developers.” She said the FBI has been investigating DarkSide since October 2020.
“Currently we assess DarkSide is a criminal actor but of course, our intelligence community is looking for any ties to any nation-state actors,” she added. “It’s something that we’re particularly troubled by, and I mentioned as well that the FBI has recently worked with international partners to take down and disrupt ransomware infrastructure. We expect that that will be a continued focus area to make it far more difficult for these actors to prey on their victims.”
Colonial expressed confidence today that it hoped to get its service operations “substantially” restored by the end of this week. “While this situation remains fluid and continues to evolve, the Colonial operations team executing a plan that involves an incremental approach that will facilitate a return to service in a phased approach,” the company said.
Late Sunday, May 9, Colonial said it was in the process of restoring some affected IT systems. On the operational front, Colonial said its four main lines remained offline, while some smaller lateral lines were operational.
In an update today, the company said “segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy, which is leading and coordinating the Federal Government’s response.”
The company emphasized it is working to bring back all systems online “only when we believe it is safe to do so, and in full compliance with the approval of all Federal regulations.”
All-Hands Federal Response
The Georgia-based company, which moves over 2.5 million barrels per day of gasoline, diesel, and jet fuel between the U.S. Gulf Coast and New York, is working with various Federal agencies to resolve the issue, including: the Departments of Energy, Transportation (DOT), Commerce, and Homeland Security (DHS).
DHS’ Cybersecurity and Infrastructure Security Agency (CISA) is engaged with the company and is encouraging other organizations to review the agency’s guidance on ransomware.
“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat ransomware poses to organizations regardless of size or sector,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said in a statement. “We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
Commerce Secretary Gina Raimondo on Sunday called the Federal response an “all-hands-on-deck effort.” DOT relaxed restrictions on fuel transportation through an emergency declaration to prevent potential petroleum shortages as a result of the pipeline shutdown.
“As the [Biden] Administration works to mitigate potential disruptions to supply as a result of the Colonial Pipeline incident, [DOT] is taking action today to allow flexibility for truckers in 17 states,” White House Press Secretary Jen Psaki said on May 9.
More broadly, DHS Secretary Alejandro Mayorkas has targeted ransomware for the first of six planned cybersecurity “sprints” by DHS and CISA.
On Capitol Hill, Sen. Ben Sasse, R-Neb., commented on Sunday, “There’s obviously much still to learn about how this attack happened, but we can be sure of two things: This is a play that will be run again, and we’re not adequately prepared.”
“If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors — rather than progressive wish lists masquerading as infrastructure,” the senator said.
“It’s been clear for years that our nation’s cybersecurity hasn’t kept pace with our ever-increasing reliance on digital systems and internet connectivity across all sectors,” said Sen. Mark Warner, D-Va., commenting on the Colonial Pipeline hack. “The result has left us vulnerable to foreign adversaries & cyber-criminals, alike.”
On the House side, Rep. Jim Langevin, D-R.I., said the Colonial Pipeline attack was a “very concerning situation that I’m monitoring closely.” He added, “as the federal agency in charge of our nation’s pipeline security, we need to hear from” the Transportation Security Administration (TSA), which is part of DHS.
Zero Trust Implication
“This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe,” said Andrew Rubin, co-founder and CEO at security provider Illumio.
“It’s an absolute nightmare, and it’s a recurring nightmare,” Rubin said. “Organizations continue to rely and invest entirely on detection as if they can stop all breaches from happening. But this approach misses attacks over and over again. Before the next inevitable breach, the President and Congress need to take action on our broken security model. This begins (but does not end) with the adoption of a Zero Trust strategy.”