Tag Archives: Pipelines

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public outing, in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, managed by NERC and FERC, has done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and for the remaining 8 it is unknown how badly they were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches? In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even fewer morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.

Security News for the Week Ending June 11, 2021

Feds Recover Some of the Colonial Pipeline Ransom

The feds say that they recovered most of the Bitcoin paid as ransom, but because the price of Bitcoin is in a slump, it is only worth about $2 million. The feds say that they acquired the private key to the Bitcoin wallet and transferred 63 Bitcoin out of it. The feds didn’t say how they did that, but the gang that claims to have carried out the attack, DarkSide, said that they lost control of their server (i.e. the hackers were hacked). If that was done by the feds **AND** the private key for the wallet was stored on that server **STUPID**, that would explain it. The good news is that most crooks’ operational security is horrible. Credit: Bleeping Computer

Colonial Breach Due to Compromised Password, Lack of 2FA

Hackers are not Superman; they tend to use simple attack vectors first. According to Bloomberg, a consultant says that the whole thing went down due to a compromised VPN password that allowed the attacker free rein of the network. On top of that, the account was no longer in use at the time, but was still enabled. Finally, the VPN account did not use MFA. So, basic hygiene – MFA and disabling unused accounts, either of which would likely have avoided the shutdown of the fuel supply to the East Coast. If I were a lawyer, I would be rubbing my hands in glee. If I were Colonial’s insurance company, I might be sending out a notice that I don’t plan to renew the policy. Credit: Bloomberg
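The two hygiene items above – enabled accounts nobody has used in months, and VPN-capable accounts with no MFA – are exactly the kind of thing a periodic script can flag before someone else finds them. The following is an added example of mine, not code from this post, from Bloomberg’s reporting or from Colonial; the CSV export, the column names (`username,enabled,vpn_allowed,mfa_enrolled,last_logon`) and the account names are all constructed assumptions rather than any particular directory or VPN product’s format, and the 90-day idle threshold is a placeholder policy value.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from io import StringIO
from typing import List, Optional, Tuple

# Constructed sample export (not real data): one row per account, as a
# directory or VPN concentrator might export it. last_logon is ISO-8601 UTC;
# it is empty when the account has never logged on.
SAMPLE_EXPORT = """username,enabled,vpn_allowed,mfa_enrolled,last_logon
jdoe,true,true,true,2021-06-08T14:02:00Z
contractor01,true,true,false,2020-11-15T09:30:00Z
svc-backup,true,false,false,2021-06-10T01:00:00Z
old-admin,false,true,false,2020-05-01T12:00:00Z
newhire,true,true,false,
"""

# Fixed "now" so the example is reproducible; a real audit would use
# datetime.now(timezone.utc).
NOW = datetime(2021, 6, 11, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    enabled: bool
    vpn_allowed: bool
    mfa_enrolled: bool
    last_logon: Optional[datetime]  # None means the account never logged on


def _flag(value: str) -> bool:
    """Interpret the usual true/false spellings found in exports."""
    return value.strip().lower() in ("true", "1", "yes")


def parse_export(text: str) -> List[Account]:
    """Turn the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(StringIO(text)):
        raw = row["last_logon"].strip()
        last = (
            datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if raw
            else None
        )
        accounts.append(
            Account(
                username=row["username"].strip(),
                enabled=_flag(row["enabled"]),
                vpn_allowed=_flag(row["vpn_allowed"]),
                mfa_enrolled=_flag(row["mfa_enrolled"]),
                last_logon=last,
            )
        )
    return accounts


def audit_vpn_accounts(
    accounts: List[Account], now: datetime, max_idle_days: int = 90
) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for the two hygiene failures.

    "stale-enabled": account is enabled but has not logged on within the
                     idle window (or has never logged on at all).
    "vpn-no-mfa":    account can reach the VPN but has no MFA enrolled.
    Disabled accounts are skipped: disabling is the desired end state.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_logon is None or a.last_logon < cutoff:
            findings.append((a.username, "stale-enabled"))
        if a.vpn_allowed and not a.mfa_enrolled:
            findings.append((a.username, "vpn-no-mfa"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Audit the constructed export against the fixed NOW."""
    return audit_vpn_accounts(parse_export(SAMPLE_EXPORT), NOW)


if __name__ == "__main__":
    for user, issue in run_audit():
        print(f"{issue:14s} {user}")
```

On the constructed data the script flags `contractor01` twice (idle since November and no MFA) and `newhire` twice (never logged on, no MFA), while `svc-backup` is left alone because it cannot reach the VPN and `old-admin` is already disabled. Either finding on a VPN-enabled account is worth a ticket; an account with both is the Colonial pattern the paragraph describes.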

Walmart to Give 700,000 Employees a Free Phone and Walmart App

Walmart plans to provide all of their employees a free Samsung phone so that they can keep tabs on them. Walmart has been sued enough times that they understand that the preloaded Walmart employee app will only work when the employee is clocked in. They don’t want hourly employees doing work things when they are off the clock. This is a good thing. While buying 700,000 phones at $500 retail (maybe $300 in that kind of volume) is not cheap, it appears that they are not providing a voice or data plan, meaning that even though they say that you can use that phone for personal use, unless you buy your own voice/data plan, it is really only going to work while you are in a Walmart store logged into the Walmart WiFi. Walmart says that they won’t spy on you, but that may be easier said than done. For example, they might say that they want to access your contacts so that they can connect you with other employees, but once you give them access to your contacts, they have them. Many employees are saying they would like Walmart to raise their salary instead. Credit: Vice

Biden Revokes Trump EOs Banning AliPay, TikTok, WeChat

A year ago former President Trump issued a series of EOs that were designed to hurt China, but for a variety of reasons, his administration never actually completed the EOs. This week President Biden revoked those failed EOs. The replacement EO does try to address the real problem – protecting the data of Americans. That is a very difficult problem because we really are not addressing the real problem, securing users’ phones and computers. Credit: ZDNet

Another Pipeline Hit By Ransomware – Lost 70 Gig of Data

LineStar Integrity Services was attacked at about the same time as Colonial Pipeline, but they tried to keep the attack quiet. That didn’t work, because the hackers posted the gigabytes of stolen data online. LineStar does not actually move petroleum; rather, it helps those companies remain legally compliant. The data stolen and posted could enable future attacks. Given the rather crappy cybersecurity of the industry, that is likely to happen. Credit: Wired