BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter gave a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, its leaders had plenty of warnings that could have prevented the crippling attack.
Zetter, who has covered many major cyber-incidents over more than two decades, is author of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new generation of targeted attacks, according to Zetter.
“When Stuxnet was discovered in 2010, it shed a light on vulnerabilities and critical infrastructure that few had noticed before,” Zetter said. “The security community largely focused on IT networks. They had previously ignored what are known as operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electric grid and water treatment plants and manufacturing, and so many other pivotal industries.”
Stuxnet was more significant for what it portended than any damage resulting from it at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.
The discovery of Stuxnet shouldn’t have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.
“Stuxnet provided stark evidence that physical destruction of critical infrastructure using nothing more than code was possible,” she said. “But no one should have been surprised. There have been warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet.”
Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today’s cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.
Coinciding with Stuxnet was the discovery of an advanced persistent threat (APT) called Aurora, which exposed the growing capabilities of nation-state hackers, Zetter noted.
“Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories of Google, Adobe, and Juniper,” she said. “And [it] included one of the first significant supply chain operations targeting the RSA C repository, the engine for its multifactor authentication systems.”
Risks Remain High for Industrial Control Systems
The high-profile attack that locked up Colonial Pipeline, which distributes 45% of fuel across the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year’s ransomware attack should have blindsided the company’s top leaders.
“What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware,” Zetter said. “As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn’t include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked.”
Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between Nov. 2013 and July 31, 2022.
“These weren’t just attacks on hospitals, which of course had been a big target for ransomware actors in 2016,” she said. “But these were also targeting oil and gas facilities. And the attackers weren’t just targeting IT systems. They were already going after the OT networks that are controlling the critical processes.”
Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks created major disruptions and production and delivery delays.
Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security’s (DHS) Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.
Zetter indicated that it is probably not ironic that DHS announced new cybersecurity requirements for those who own and operate critical pipelines two months after the Colonial Pipeline attack. “I don’t mean to beat up on Colonial Pipeline — they’re just a convenient example, because the attack was so significant,” she said. “But other critical infrastructure is in the same position or worse.”