Four Lessons from the Colonial Pipeline Attack for Las Vegas Businesses
4.4 million dollars. No business owner, not even a wealthy casino magnate, wants to lose that kind of money, especially if that loss could have been prevented. $4.4 million is how much the Colonial Pipeline Company paid the Darkside hackers who infiltrated the pipeline’s network with ransomware in May (though this figure does not reflect the company’s total losses from the incident). The attack prompted the company to shut down operations, affecting 45 percent of the Southeast’s fuel supply, driving up fuel costs, and resulting in emergency declarations in multiple states. As the company has restored operations, more details have emerged about what went wrong. And with these details come lessons all businesses should apply to ensure they aren’t the next ransomware victim.
No business or organization is safe
Given that the Colonial Pipeline attack was the single largest attack on critical U.S. infrastructure, the incident has made international headlines and resulted in much reflection among cybersecurity professionals, regulators, and corporations across the globe. The attack illustrated that no company, regardless of industry, is safe from attack attempts and that every organization must be vigilant against them.
In the wake of the attack, some media reports also emphasized that small businesses are not immune from ransomware attacks. In fact, they may be more at risk, as lean staff complements and a lack of in-house cybersecurity expertise can result in significant cybersecurity vulnerabilities. While Las Vegas casinos and hotels may provide enticing targets, cybercriminals will not shy away from smaller targets as long as the potential payout is worth the effort.
Response and business continuity plans are vital
The malware Darkside used in the Colonial Pipeline attack did not shut down pipeline operations. Their efforts affected one facility. However, fearing that other network and plant assets could be compromised, Colonial Pipeline itself shut down operations to mitigate further damage. Despite the downstream effects, doing so was, in all likelihood, the most prudent course of action. The company was able to restore operations using backup data while they dealt with their compromised assets.
The Colonial Pipeline attack is a substantial illustration of why business continuity planning and backup data and recovery plans are so important. While reports have emerged of the company’s lack of cybersecurity planning and preparedness, it was able to reestablish operations using internally backed-up data, which proved critical.
In many ransomware attacks, hackers will encrypt assets and then demand a ransom for the decryption key. Paying the ransom is no guarantee that a business will, in fact, receive the decryption key or that it will work, which is why law enforcement agencies discourage companies from doing so. The decryption key Colonial Pipeline received for their ransom was exceedingly slow — so slow that the company could not effectively use it to resume operations.
Companies hit by ransomware attacks can limit their downtime and damage by establishing a clear cyber emergency response plan that delineates decision-making authority, key personnel roles and responsibilities, and protocols for a range of cyber incidents. Central to this plan must be regularly updated backup and recovery protocols that consistently and frequently back up data, both offsite and online, and test that backup data. When a company can rely on backup data, it won’t need to pay a ransom in the hopes that the attackers will help it restore operations.
Proper security protocols must be followed
Darkside was able to infiltrate Colonial Pipeline’s operational technology (OT) network because the company had not properly segmented it from the company’s IT network. This failure allowed the group to quickly and easily seize and encrypt vital plant assets and steal sensitive data they threatened to publish before making their ransom demand.
Too often, businesses establish security protocols they fail to adhere to over time. Firewall configurations are changed to increase access for specific users or departments, weakening overall security. Shadow IT installations arise that bypass security protections altogether. And manual patching and antivirus/anti-malware updates are not always performed as consistently as necessary.
These gaps increase a criminal’s chances of penetrating a business’ network. Businesses must eliminate them by restricting access, hardening configurations, and patching and updating as appropriate. In-house staff or managed IT service providers must also secure the backup data and test it frequently to ensure it has not become compromised.
Proactive security measures are critical
The company’s decision to quickly shut down operations was instrumental in its relatively rapid resumption of services. But, given widely reported vulnerabilities in the company’s cybersecurity protocols at the time of the incident, Darkside was able to gain access to both the company’s wireless communication infrastructure and OT network. Reportedly, they did so with a spearphishing attack: an effort to obtain access credentials or other sensitive information by sending emails to employees from a seemingly authentic source.
Colonial Pipeline also illustrates the need for companies to double and triple down on existing and emerging cybersecurity measures. Employees must be trained to identify and report spearphishing and other suspicious online activity. IT departments must be trained and empowered not only to monitor event logs passively but also to proactively and consistently investigate all anomalies to detect intrusion attempts. The best cybersecurity measure is prevention, and with attacks growing in volume and sophistication, companies need to use emerging methodologies like Managed Detection and Response (MDR) to safeguard their assets.
Enhancing your IT resources to secure your business
No matter your industry or size, your business must be properly prepared to contend with intrusion attempts and cyberattacks. Many businesses, especially small and midsize businesses, lack the in-house expertise today’s cybersecurity threats demand. And no matter whether you’re a small healthcare provider or a big casino, your business could become a target. All it takes is a successful spearphishing or brute-force attack, or a disgruntled former employee sharing your access credentials online, for malware to find its way onto your network and for you to find yourself at the mercy of cybercriminals.
But if you operate in the Las Vegas area, Network Security Associates can help. For nearly two decades, we’ve provided Las Vegas businesses with the best available options in cybersecurity and data protection solutions. We know many businesses lack the time, staff resources, or both to aggressively defend their assets around the clock. Among the services we provide is our Security Operations Center, which does just that. We identify and investigate all suspicious activity to detect and deal with threats, so you don’t need to make pricey investments in hardware, software, and specialized labor. And we’ll partner with you and your team to provide a comprehensive cybersecurity assessment and develop a roadmap for safeguarding your unique business.
We at Network Security Associates look forward to partnering with you and your team today and helping you prevent the next cyberattack. Contact us today, and let’s get started.