For years, government officials and industry executives have conducted elaborate simulations of a cyberattack targeting the electricity grid or pipelines in the United States, imagining how the country would respond.
But when the real thing came, this was not a drill, and it looked nothing like the war games.
The attacker was not a terrorist group or a hostile state like Russia, China or Iran, as the simulations had assumed. It was a criminal extortion ring. The goal was not to disrupt the economy by taking a pipeline offline, but to hold corporate data for ransom.
The most visible effects (long lines of nervous drivers at gas stations) did not stem from a government response, but from a decision by the victim, Colonial Pipeline, which carries almost half of the gasoline, jet fuel and diesel flowing along the East Coast, to shut the pipeline down. It did so out of concern that the malicious software that had infected its back-office functions could make it difficult to bill for the fuel delivered along the pipeline, or could even spread to the pipeline’s operating systems.
What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively unsophisticated attack. The after-effects of the episode are still unfolding, but some of the lessons are already clear, and they show how far the government and private industry have to go to prevent and respond to cyberattacks, and to build rapid-recovery systems for when critical infrastructure fails.
In this case, the long-held belief that gas pipeline operations were completely isolated from the data systems that DarkSide, a ransomware gang believed to operate in Russia, had shut down was shown to be false. And the company’s decision to shut down the pipeline set off a series of dominoes, including panic buying at the pumps and a quiet fear within the government that the damage could spread quickly.
A confidential assessment by the Department of Energy and the Department of Homeland Security showed that the country could afford only another three to five days of the Colonial pipeline’s closure before buses and other mass transit would have to limit operations for lack of diesel. Chemical factories and refineries would also have to close because there would be no way to distribute what they produced, according to the report.
And while President Biden’s aides announced efforts to find alternative ways to move gasoline and jet fuel to the East Coast, none were immediately in place. There was a shortage of truck drivers and of rail tank cars.
“All fragility was exposed,” said Dmitri Alperovitch, co-founder of CrowdStrike, a cybersecurity company, and now chairman of the think tank Silverado Policy Accelerator. “We learned a lot about what could go wrong. Unfortunately, so did our opponents.”
The list of lessons is long. Colonial, a private company, may have thought it had a watertight wall of protections, but it was breached easily. Even after paying the extortionists nearly $5 million in digital currency to recover its data, the company found that decrypting the data and restarting the pipeline was agonizingly slow, which means it will still be days before the East Coast returns to normal.
“This is not like flipping a light switch,” Mr. Biden said Thursday, noting that the 5,500-mile pipeline had never been shut down before.
For the administration, the event turned into a perilous week of crisis management. Mr. Biden told aides, one recalled, that nothing could cause political damage faster than television footage of gas lines and rising prices, with the inevitable comparisons to Jimmy Carter’s worst moments as president.
Mr. Biden feared that unless the pipeline resumed operations, the panic subsided and prices fell, the situation would fuel concerns that the economic recovery remains fragile and that inflation is rising.
Beyond the flurry of actions to move fuel by truck, train and ship, Mr. Biden issued a long-in-the-works executive order that, for the first time, seeks to mandate changes in cybersecurity.
And he suggested he was willing to take a step the Obama administration hesitated to take during the 2016 election attacks: direct action against the attackers.
“We will also try a measure to disrupt their ability to operate,” Mr. Biden said, a line that appeared to imply that U.S. Cyber Command, the military’s cyberwarfare force, was authorized to knock DarkSide offline, much as it did with another ransomware group in the fall before the presidential election.
Hours later, the group’s internet sites went dark. Earlier on Friday, DarkSide and several other ransomware groups, including Babuk, which had hacked the Washington, D.C., police department, announced they were quitting the business.
DarkSide alluded to disruptive action by an unspecified law enforcement agency, although it was unclear whether this was the result of U.S. action or of pressure from Russia ahead of the long-awaited summit between Mr. Biden and President Vladimir V. Putin. And the silence could simply have reflected a decision by the ransomware gang to thwart retaliation efforts by closing down its operations, perhaps temporarily.
The Pentagon’s Cyber Command referred questions to the National Security Council, which declined to comment.
The episode underscored the emergence of a new “blended threat,” one that may come from cybercriminals but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests. That is why Mr. Biden singled out Russia, not as the culprit, but as the nation that hosts more ransomware groups than any other country.
“We do not believe that the Russian government was involved in this attack, but we do have good reason to believe that the criminals who carried out this attack live in Russia,” Biden said. “We have been in direct communication with Moscow about the imperative that responsible countries take action against these ransomware networks.”
With DarkSide’s systems down, it is unclear how Mr. Biden’s administration would retaliate beyond possible indictments and sanctions, which have not deterred Russia from cybercrime before. Responding to a cyberattack with a cyberattack also carries its own risks of escalation.
The administration must also take into account the fact that much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attacks.
“This attack has exposed our poor resilience,” said Kiersten E. Todt, managing director of the nonprofit Cyber Readiness Institute. “We are rethinking the threat, when we are not yet laying the groundwork to protect our critical infrastructure.”
The good news, according to some officials, was that Americans received a wake-up call. Congress came face to face with the reality that the federal government has no authority to require the companies that control more than 80 percent of the country’s critical infrastructure to adopt minimum levels of cybersecurity.
The bad news, they said, was that America’s adversaries (not only the superpowers, but also terrorists and cybercriminals) had learned how little was needed to sow chaos across a large part of the country, even without getting into the core of the power grid or the operational control systems that move gasoline, water and propane across the country.
Something as basic as a well-designed ransomware attack can do the trick easily, while offering plausible deniability to states like Russia, China and Iran that often rely on outsiders to carry out sensitive cyber operations.
It remains a mystery how DarkSide first broke into Colonial’s business network. The private company has said virtually nothing about how the attack unfolded, at least in public. It waited four days before holding substantive discussions with the administration, an eternity during a cyberattack.
Cybersecurity experts also point out that Colonial Pipeline would never have needed to stop its pipeline if it had had more confidence in the separation between its business network and its pipeline operations.
“There should be an absolute separation between data management and real operating technology,” said Ms. Todt. “Not doing the basics is downright inexcusable for a company that transports 45 percent of the gas to the East Coast.”
Other pipeline operators in the United States deploy advanced firewalls between their data systems and their operations that allow data to flow in only one direction, out of the pipeline, and so prevent a ransomware attack from spreading into it.
Colonial Pipeline has not said whether it deployed this level of security on its pipeline. Industry analysts say many critical infrastructure operators argue that installing these one-way gateways along a 5,500-mile pipeline can be complicated or costly. Others say the cost of deploying these safeguards is far cheaper than the losses from possible downtime.
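The one-way policy the experts describe can be checked mechanically. The following is an added example, not Colonial’s configuration or any vendor’s product: it models a zone-to-zone firewall ruleset with constructed sample rules (zone names, ports and rules are assumed for illustration) and flags any rule that lets a connection originate in the back-office IT network and reach the pipeline OT network.

```python
"""Check a zone-to-zone firewall ruleset against the one-way policy described
above: pipeline OT may push data out to back-office IT, but nothing may
initiate a connection from IT into OT.  All zones, ports and rules below are
constructed for illustration, not taken from any real operator."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp", "udp" or "any"
    port: int    # 0 means "any port"
    action: str  # "allow" or "deny"


OT_ZONE = "pipeline_ot"      # assumed name for the operational network
IT_ZONE = "backoffice_it"    # assumed name for the billing / office network


def violations(rules):
    """Return every rule that allows traffic to originate in IT and land in OT.

    Any such rule is a path along which ransomware on a billing workstation
    could reach pipeline control systems."""
    return [r for r in rules
            if r.action == "allow"
            and r.src_zone == IT_ZONE and r.dst_zone == OT_ZONE]


def is_unidirectional(rules):
    """True when the ruleset only lets data flow out of the pipeline."""
    return not violations(rules)


# Constructed rulesets: one with the weakness, one hardened.
WEAK_RULES = [
    Rule(OT_ZONE, IT_ZONE, "tcp", 8443, "allow"),  # historian pushes telemetry out
    Rule(IT_ZONE, OT_ZONE, "tcp", 3389, "allow"),  # remote desktop into OT: the risk
    Rule(IT_ZONE, OT_ZONE, "tcp", 445, "allow"),   # file sharing into OT: the risk
]
HARDENED_RULES = [
    Rule(OT_ZONE, IT_ZONE, "tcp", 8443, "allow"),  # outbound telemetry only
    Rule(IT_ZONE, OT_ZONE, "any", 0, "deny"),      # nothing initiates inbound
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "one-way:", is_unidirectional(rules), violations(rules))
```

A stateful firewall that allows an outbound session still passes the return packets of that session, so this check approximates the policy; only a hardware data diode makes the flow physically one-way.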
Deterring ransomware criminals, who have been growing in number and brazenness in recent years, will no doubt be harder than deterring nations. But this week made the urgency clear.
“It’s all fun and games when we steal money from each other,” said Sue Gordon, a former deputy director of national intelligence and longtime CIA analyst with a specialty in cyber issues, at a conference held by The Cipher Brief, an online newsletter. “When we’re wrapping up a company’s ability to operate, we can’t tolerate it.”