Showcase
For the Research Showcase on a topic pertinent to the course, I have chosen to include an essay and a case study relating to the Infrastructure Security & Threats themes discussed in Modules 4 & 5.
SCADA Systems (Essay)
SCADA System Vulnerabilities
SCADA (supervisory control and data acquisition) systems control the processes of industrial control systems (ICS), which manage and operate the critical infrastructure of everyday life, such as “water treatment.. gas pipelines.. airports… and power generation processes” (SCADA Systems – SCADA Systems, 2018). This is done by collecting data at each individual system through physical remote terminal units (RTUs) and programmable logic controllers (PLCs), which feed information back to an operator through a digestible human-machine interface (HMI). As these technologies control processes vital to daily operations in society, their functionality is of utmost importance to national security. These systems are favorite targets of malicious hackers and nation-state actors, who aim to exploit “unauthorized access to software” and “human error” within SCADA environments to inflict physical damage and destruction (SCADA Systems – SCADA Systems, 2018).
How are critical infrastructure systems vulnerable?
As previously mentioned, almost all forms of critical infrastructure use SCADA systems to help operate their processes. Critical infrastructure comprises the systems vital to the operation and safety of a country’s population, generally considered to be “electrical grids, public services, and communication systems” (Wright, 2023). These systems have a wide range of potential flaws that can be taken advantage of if they are not properly secured. These include, but are not limited to, unauthorized access to a system, malicious software, human error, potential flaws in air-gapped networks, weaknesses in the packet control protocol, and the fact that “any person sending packets to a SCADA device is in a position to control it” (SCADA Systems – SCADA Systems, 2018). Once any of these is exploited, neither the integrity of the data nor control of the ICS processes can be assured. Furthermore, even an air-gapped network can be compromised through a physical connection to switches or ports on that network at the host site.
How are SCADA Vulnerabilities mitigated?
The vulnerabilities mentioned above are well documented by professionals in the field, and a number of techniques have been developed to help combat the exploitation of SCADA systems. The most significant of these are specialized “industrial VPN softwares and firewall solutions for SCADA networks” (SCADA Systems – SCADA Systems, 2018). These mitigate the vulnerabilities of SCADA networks by preventing unauthorized access from outside the environment, while additional whitelisting solutions target the integrity of data and applications. Additionally, as the RTUs and PLCs are the origination point of the data produced by the ICS, they work hand in hand with SCADA database systems to verify the integrity of that information, allowing the operators of the facility to make accurate decisions and operate the critical infrastructure safely.
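To make the two points above concrete, here is an added example (not from the essay or any vendor product) that models a controller which honours any command it receives, the “any person sending packets … is in a position to control it” weakness, beside an allowlisting gateway of the kind the firewall and whitelisting mitigations describe. The packet format, host addresses and register numbers are constructed for illustration.

```python
"""Toy model of an unauthenticated SCADA device and an allowlisting gateway.
All addresses, verbs and register numbers here are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str        # source IP of the sender (constructed values below)
    op: str         # "READ" or "WRITE": a simplified control-protocol verb
    register: int   # holding register the command targets
    value: int = 0  # new value for a WRITE

@dataclass
class Plc:
    """Unauthenticated controller: it honours every command it receives."""
    registers: dict = field(default_factory=lambda: {40001: 0})

    def handle(self, pkt: Packet) -> str:
        if pkt.op == "WRITE":
            self.registers[pkt.register] = pkt.value  # no check of who sent it
            return "ack"
        return str(self.registers.get(pkt.register, 0))

class Gateway:
    """Allowlisting front end: (source, op) pairs must be explicitly permitted."""
    def __init__(self, plc: Plc, allow: dict[str, set[str]]):
        self.plc = plc
        self.allow = allow            # e.g. {"10.0.0.5": {"READ", "WRITE"}}
        self.denied: list[Packet] = []  # dropped packets, kept for the operator/SOC

    def handle(self, pkt: Packet) -> str:
        if pkt.op not in self.allow.get(pkt.src, set()):
            self.denied.append(pkt)
            return "drop"
        return self.plc.handle(pkt)

def demo() -> tuple[int, int, int]:
    """Returns (register after bare PLC write, register behind gateway, denied count)."""
    bare = Plc()
    bare.handle(Packet("198.51.100.9", "WRITE", 40001, 999))  # unknown sender, accepted
    gw = Gateway(Plc(), {"10.0.0.5": {"READ", "WRITE"}, "10.0.0.6": {"READ"}})
    gw.handle(Packet("198.51.100.9", "WRITE", 40001, 999))    # unknown sender, dropped
    gw.handle(Packet("10.0.0.6", "WRITE", 40001, 999))        # read-only HMI, dropped
    gw.handle(Packet("10.0.0.5", "WRITE", 40001, 7))          # engineering station, permitted
    return bare.registers[40001], gw.plc.registers[40001], len(gw.denied)
```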
Conclusion
The importance of critical infrastructure and industrial control systems in the 21st century cannot be overstated. These systems keep society functioning and ensure the safety of the people in the countries in which they operate. As a result, they have become a prime target for malicious actors seeking to exploit the wide range of vulnerabilities they contain, chiefly unauthorized access to the software which controls the systems and access to the network segments in which these ICSs are hosted. SCADA applications have helped to mitigate successful attacks on critical systems through various techniques, and additional defensive technologies are being developed daily to aid this process.
References
SCADA Systems – SCADA Systems. (2018, July 25). SCADA Systems. https://www.scadasystems.net/
Wright, G. (2023, August 29). critical infrastructure. WhatIs.com. https://www.techtarget.com/whatis/definition/critical-infrastructure#:~:text=Critical%20infrastructure%20is%20the%20collection,public%20services%20and%20communication%20systems.
The Colonial Pipeline ransomware breach was chosen to exemplify some of the concepts explored in the preceding SCADA Systems essay. Although there is no evidence that any SCADA systems were directly compromised during this ransomware attack, it still showcases how vulnerable critical infrastructure can be exploited and the consequences that follow.
Case Study – Colonial Pipeline Ransomware Attack
Few cybersecurity breaches are memorable enough that most people who were not directly affected by the incident know exactly where they were and what they were doing when they heard the news. However, the Colonial Pipeline ransomware attack of May 2021 is a key example of such an occurrence, one that demanded attention worldwide. Hackers belonging to the DarkSide cybercriminal group exploited weaknesses in a Virtual Private Network (VPN) used by a third-party contractor affiliated with Colonial Pipeline, which granted them access to Colonial’s internal systems. The VPN’s configuration contained a critical flaw: multi-factor authentication was not enabled, so the malicious actors could log in with nothing more than a pair of working credentials, without having to verify themselves any further. This vulnerability (and potentially others that remain undisclosed or unknown) allowed DarkSide to plant ransomware on the Colonial Pipeline network, which encrypted the company’s files and would have halted operations indefinitely unless the group’s demand of almost 5 million dollars in Bitcoin was paid (Turton et al., 2021). The ransomware on the Colonial Pipeline network and connected systems had a massive impact on the daily operations of the organization and, even more importantly, on residents of the East Coast of the United States. As a direct consequence of the breach, all 5,500 miles of the pipeline were immediately shut down, gas prices rose by approximately 0.04 cents along the East Coast, and the requested $4.4 million ransom was paid by Colonial Pipeline in an effort to bring its systems back online as soon as possible and limit the impact on consumers (Vanderzielfultz, 2024).
This report explores the Colonial Pipeline ransomware attack of 2021 in depth: how the breach worked, the technologies used by the DarkSide hacking collective to exploit vulnerabilities in the target systems, and, most importantly, the impact that this one successful breach has had on society as a whole.
Although the Colonial Pipeline ransomware attack is deemed sophisticated because of its impact, the techniques, exploits, and vulnerabilities involved were nothing extraordinary to the cybersecurity investigators and researchers who performed the post-incident analysis. As mentioned in the introduction, the initial breach began when DarkSide hackers exploited weaknesses in the virtual private network used by employees of a third-party contractor. Although this has not been fully confirmed by the responsible organizations, the attackers are believed to have used stolen credentials, obtained either from the dark web or through a series of phishing emails. Once this key piece of information was in their possession, they carried out lateral movement inside the Colonial Pipeline network and privilege escalation to implant themselves and their capabilities further inside the network, specifically the ability to deploy their ransomware dropper. This involved credential stuffing, reusing the same login credentials against other login portals to gain access to additional systems, and it can be inferred that the Colonial Pipeline network was not properly segmented, as the malicious actors were able to move laterally across it freely (Kerner, 2022). Once they had established their foothold, DarkSide deployed their custom ransomware, which encrypted the data on all connected systems within the Colonial network, rendering every impacted system useless unless the decryption key was acquired. This was most visible in Colonial no longer being able to track its fuel shipments or access its billing and internal scheduling systems, and DarkSide also exfiltrated over 100 GB of data belonging to the company (Naughtie, 2021).
The decryption key was eventually obtained by the organization by paying the requested ransom to DarkSide, which cost a reported 4.4 million dollars, or 75 bitcoin at the time of the breach. At the time of writing, that 75 bitcoin would be worth well over 7 million dollars, but fortunately for Colonial the Department of Justice was able to recover 63.7 of the bitcoin from the ransom payment and return it to the company (Kerner, 2022). This was just the beginning for Colonial, which was forced to fully shut down its production and operational environments, as well as the pipeline itself, to contain the breach and prevent further intrusion into other critical systems. This unfortunate but necessary shutdown resulted in fuel shortages not only for the geographic area the pipeline served but also for related industries such as aviation and supply-chain transportation, as Colonial was responsible for 45% of the gasoline and jet fuel production along the East Coast.
The DarkSide ransomware group targeted and exploited critical vulnerabilities within Colonial’s network and operational information technology systems, which formed the attack vector that gave them access to the network. These include, but are not limited to, the exploitation of outdated and insecure remote access protocols for reaching the internal network (the VPN used by the third-party contractor, mentioned above), network segmentation too poorly designed to prevent movement once a malicious actor gained initial access, and overall poor security practices such as not deploying the newest patches to the VPN. The VPN version in use was so out of date that it did not even support multi-factor authentication, which could single-handedly have prevented the initial access used by DarkSide. Additionally, there was no distinction between the operational network and the business network in use by Colonial, meaning that access to one of these networks allowed direct access to the other. This is devastating with ransomware in particular, as it was instructed to infect as many devices as possible: not only was the number of systems impacted far larger than it should have been, but the ransomware also crept as deeply as it could, trying to encrypt the systems nearest Colonial’s Supervisory Control and Data Acquisition (SCADA) systems.
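The two weaknesses singled out above, a VPN accepting logins without a second factor and one set of credentials reused across several internal portals, are the kind of thing a defender can look for in authentication logs. The following is an added example of that detection logic, not code from the essay or from any incident report; the log format, usernames, addresses and timestamps are all constructed and do not describe what actually happened at Colonial.

```python
"""Detection over constructed authentication logs: VPN logins without MFA, and
one credential succeeding on several services in a short window."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one key=value event per line (not real data).
SAMPLE_LOG = """\
2021-04-29T01:02:10Z service=vpn user=contractor01 src=203.0.113.7 mfa=false result=success
2021-04-29T01:03:44Z service=fileshare user=contractor01 src=10.20.0.14 mfa=false result=success
2021-04-29T01:05:01Z service=billing user=contractor01 src=10.20.0.14 mfa=false result=success
2021-04-29T01:06:30Z service=scheduling user=contractor01 src=10.20.0.14 mfa=false result=success
2021-04-29T08:15:00Z service=vpn user=ops.alice src=198.51.100.2 mfa=true result=success
2021-04-29T08:16:12Z service=billing user=ops.alice src=10.20.0.20 mfa=true result=success
"""

def parse(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def no_mfa_vpn_logins(log: str) -> list[str]:
    """Users granted a VPN session without a second factor (policy violation)."""
    return [e["user"] for e in map(parse, log.splitlines())
            if e["service"] == "vpn" and e["result"] == "success" and e["mfa"] == "false"]

def credential_reuse(log: str, window: timedelta = timedelta(minutes=10),
                     min_services: int = 3) -> list[str]:
    """Users whose credential succeeded on >= min_services distinct services
    within `window`: a credential-stuffing / lateral-movement pattern."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in map(parse, log.splitlines()):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):  # slide the window from each event
            services = {e["service"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(services) >= min_services:
                flagged.append(user)
                break
    return flagged
```

Thresholds such as the 10-minute window and three services are assumptions to be tuned per environment; a segmented network would also make the second pattern far less likely to succeed in the first place.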
The Colonial Pipeline ransomware attack emphasizes the critical need for proper cybersecurity protocols, training, and security measures to prevent a repeat of such an attack and its drastic impact on both national security and the nation’s cybersecurity as a whole. News of this attack caused widespread panic across the southeastern U.S., leading to panic buying of fuel, gas shortages, an overall increase in gas prices, and, anecdotally, the risk of being stranded in areas where gas stations were completely out of fuel and unable to coordinate resupplies (Kerner, 2022). With Colonial being one of the nation’s largest critical infrastructure entities, a similar attack against an equally important aspect of daily life is very much a live possibility. Critical infrastructure such as water filtration plants, energy grids, food supply chains, public health networks, and many more are abundant targets for malicious hackers, nation-state actors, and Advanced Persistent Threats (APTs), as they are key to keeping daily operations running for millions of citizens; without them, many Americans would be in a state of panic. The Colonial Pipeline attack in particular has highlighted the risks posed by adversary states and rogue organizations with the capabilities, motivation, and resources to disrupt national security and the daily lives of ordinary people in any country. In response to this breach, the federal government has increased the resources allocated to, and the collaboration between, pertinent organizations such as the FBI, NSA, Cybersecurity and Infrastructure Security Agency (CISA), and a handful of others to help improve the overall cybersecurity posture of public sector entities.
The Colonial Pipeline ransomware attack of 2021 should serve as a lasting example of why it is important to abide by cybersecurity best practices, and of the widespread, deep-rooted impact of failing to do so. By taking advantage of simple exploitable weaknesses such as MFA not being supported and poor network segmentation, the DarkSide hacking group was able to cause massive disruption to the daily lives of millions of Americans by halting fuel supply across the United States in its quest for a payday. This hack affected not only the infrastructure of the U.S. but also its national security directly. Colonial Pipeline, worryingly, could serve as a perfect showcase of how to conduct a similar attack on an adjacent critical infrastructure system with a potentially even more devastating impact. The vulnerabilities, exploits, and technologies exemplified by the Colonial Pipeline ransomware attack represent an ever-present threat to society and national security, highlighting the necessity of comprehensive cybersecurity strategies, resources, and education across all critical sectors.
References
Turton, W., Riley, & Jacobs, J. (2021, May 13). Bloomberg – Are you a robot? https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
Vanderzielfultz, V. (2024, April 22). 2021 Colonial Pipeline Ransomware Attack – Homeland Security Digital Library. Homeland Security Digital Library. https://www.hsdl.org/c/timeline/2021-colonial-pipeline-ransomware-attack/#:~:text=100%20gigabytes%20of%20data%20stolen,upon%20the%20pipeline%20(Science%20Direct)
Kerner, S. M. (2022, April 26). Colonial Pipeline hack explained: Everything you need to know. WhatIs. https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know
Naughtie, A. (2021, May 11). FBI pins Colonial Pipeline cyberattack on DarkSide hacker group. The Independent. https://www.independent.co.uk/news/world/americas/darkside-hacker-group-pipeline-ransomware-b1844972.html