We’ve been warning about the dangers of ransomware for years now on Smarter MSP, and this past week the threat hit home for millions of Americans in the form of fuel shortages and higher prices at the gas pump. While the ultimate outcome was largely inconvenience, the Colonial Pipeline hack should serve as a warning of vulnerabilities faced by all of us.
It’s one thing for people to hear about a hacked hospital and some shadowy cabal asking for ransom. That threat seems distant (unless it’s your surgery that has to get postponed). But it’s an entirely different story when a ransomware attack disrupts fuel supplies, instigates panic buying, and causes long lines at the pump.
Gas and groceries are two verticals that Americans interact with at least once a week. With the successful hack on the Colonial Pipeline recently, hackers managed to sow chaos, cause disruption, and flex their muscles all at once.
According to the Washington Post, Colonial Pipeline typically transports 2.5 million barrels of gasoline, jet fuel, and products like kerosene on its Texas-to-New York pipeline every day, making up 45 percent of the East Coast’s fuel supply. But the company had to suspend its pipeline operations for several days because its computer system was hit with a ransomware attack. This resulted in supply shortages, and some gas stations in the southeastern United States were left completely dry after a surge in concerned consumers.
Smarter MSP reached out this week to Christopher Whyte, an assistant professor of homeland security and emergency preparedness at Virginia Commonwealth University, for context on the Colonial Pipeline attack.
Lessons MSPs can learn from Colonial Pipeline attack
Whyte points at two areas to monitor:
“MSPs should always be aware of their client’s IoT footprint, as the growing range of networked devices can pose a challenge for providers when provisioning security services, even where SMBs are utilizing cloud solutions of various kinds,” he says.
The second area Whyte says MSPs should keep on their radar:
“I would encourage both MSPs and SMBs to gain a better understanding of the vulnerabilities of their client base, vendors, and partners. These linkages act as risk modifiers for any security analysis calculation and are often overlooked during planning reviews, red teaming exercises, etc. So an SMB that contracts with a regional power utility, an airport, or a hospital would do well to increasingly treat their partner’s risk profile as an extension of their own,” he advises.
This interconnectedness can create volatility and vulnerabilities. However, Whyte adds that vulnerability shouldn’t be thought of too uni-dimensionally, particularly given the immense number of soft targets. This is especially true if the idea is to improve cyber defenses across entire sectors via effective public-private action.
“I’d say that the targets we should place the most focus on are those that combine the potential for substantial economic disruption and are fraught pathways to recovery. We saw something like this with the NotPetya ransomware attack a few years ago, for instance, where the shipping company Maersk was unable to move trucks and ships even as systems were being restored because manifests were lost and supply chain assets were already a full week out of place,” Whyte recalls.
These kinds of targets in the supply chain, he says, represent not only the most significant opportunities for national disruption from organized criminal or state-sponsored action but also the most compelling circumstances for the payment of large ransoms.
Should companies pay the hackers?
There were conflicting initial reports about whether Colonial did pay the ransom, but most sources now say that the pipeline company paid the hackers, believed to be based in eastern Europe, $5 million to end the attack. However, data was so slow to be restored that Colonial had to work with outside entities to help get back online.
The question of ransom payment has received a lot of research focus in recent years, Whyte states. And the bottom line is that hackers are also “good retailers.” They know how to price to sell. And in the case of a ransomware attack, what they are trying to sell is a ransom payment.
There’s a sweet spot where the money paid is a windfall to the hackers, but worth it for the victim to pay to get rid of the hassle of an attack. The hackers, Whyte says, also invest in easy payment technology for the victim and quick data decryption. Hackers know that time is of the essence.
Ransomware victims in tough spot
Companies like Colonial Pipeline don’t have days to consult with cybersecurity experts and analysts to see if there is a way out of the jam without paying the hackers. Every minute the pipeline was mothballed resulted in lost revenue, so Colonial – and others like them – are incentivized to pay up.
“When combined, these factors in most models suggest that it is almost always in the self-interest of a target to pay a ransom, so long as the ransom itself is priced reasonably,” Whyte points out.
Attacks like these underscore the fact that once the damage is done, it is hard to rectify, which further highlights the importance of having preventative measures in place. Still, business self-interest often runs counter to national interests, which creates a dangerous juxtaposition.
“The incentive for companies to pay fails to produce any deterrent effect to future criminal endeavors. This makes for a huge collective action problem in addressing organized cybercrime and will require novel, assertive approaches to incentivization of the market towards better security practices on the part of the government,” Whyte says.
Meanwhile, MSPs need to identify and prioritize “soft target” clients where an attack could have a larger ripple effect. As the Colonial Pipeline attack illustrated, one attack on a relatively obscure player can have far-reaching consequences.