On May 7, 2021, the FBI was “notified of a network disruption at Colonial Pipeline.” The public later learned, and the FBI confirmed, that this disruption was due to a ransomware attack perpetrated by the Russian-speaking DarkSide ransomware gang, based out of Eastern Europe.
A look into the 2021 Colonial Pipeline ransomware attack
This attack caused oil distribution disruption and an increase in the price of fuel to much of the East Coast of the U.S. It was later disclosed that this breach was made possible via a reused password on a Virtual Private Network (VPN) login lacking multi-factor authentication. This disruption prompted Censys to utilize its Universal Internet Dataset and Attack Surface Management (ASM) platform to determine risk to and exposure of Critical Infrastructure and Key Resources (CIKR) within the oil and gas pipeline industry from an external, attacker perspective. Censys examined not only Colonial Pipeline, but also 10 other leading U.S. oil and gas pipelines.
See Us at Gartner Security & Risk Management Summit
In addition to at least a combined 17 internet-exposed hosts still using end-of-life software at the time, as well as 48 hosts using insecure protocols, Censys discovered over 300 internet-exposed login prompts on hosts owned by these companies, over 80 of which provided access to assets that potentially controlled critical operations including administrative panes, and SCADA devices.
Colonial Pipeline: Assessing the risks one year later
One year later, Censys reassessed these same organizations with our Attack Surface Management platform to see if their Internet exposure had improved.
Insight #1: Attack surfaces grew significantly across all of the organizations.
While not every organization’s attack surface increased, in aggregate, Censys assessed a 232% increase in publicly accessible hosts and an 66% increase of insecure services/protocols running on the total number of hosts. We also observed a 130% increase in expired certificates associated with the group of organizations we analyzed. Expired certificates cause warnings on web browsers which can cause a decrease in visitor traffic; an expired certificate also drops encryption, opening websites up to possible man-in-the middle attacks, allowing attackers to intercept user credentials to website logins.
It should be noted that, over the past year, Censys has spent considerable resources in our ability to discover more hosts by increasing our port scan coverage as well as being able to identify more protocols and fingerprint more software versions. These improvements could impact why the attack surfaces analyzed seem to have grown, however, it should be noted that if Censys was merely able to discover more attack surface that already existed, attack surfaces either generally remained the same or increased. Either way, the main takeaway is that attack surfaces are not static.
An organization’s attack surface is likely to change from week to week, day to day, or even hour to hour. This is especially true as more areas of organizations like marketing and HR are able to leverage cloud resources to increase access to data. As our workforces grow and contract, we can expect our attack surfaces to follow suit, underlining the need for expansive coverage at as near a real-time basis as possible.
Insight #2: Colonial Pipeline seems to have taken impactful steps to reduce its attack surface.
Not only did Colonial Pipeline seemingly streamline its digital operations by reducing its overall attack surface, but they made significant progress in reducing hosts running end-of-life vulnerable software, reducing the amount of certificates using weak ciphers, but – most importantly – they eliminated publicly-facing logins to possible critical assets to zero.
These improvements seem to be the result of Colonial Pipeline’s leadership learning from the mistakes that lead to the ransomware attack, and prioritizing digital security, understanding that publicly-facing digital exposures provide an attack multiplier to threat actors. Such perpetrators can affect the entirety of an organization’s operations via one vulnerable attack vector. This emphasis on digital security is further evidenced by Colonial Pipeline’s appointment of a CISO in February of 2022.
Insight #3: Of the 10 other organizations Censys observed, only one has a full-time CISO.
Additionally, the organization with the least amount of risks at the time Censys published the initial report, now has the most observable risks of the entire group – this organization does not have a CISO. Many expected that, similar to the trend of increased security in the financial sector over the past two decades, a major breach within the oil and gas pipeline industry would motivate others to prioritize security and reduce attack surfaces to minimize chances of a disruptive cyber attack. This does not seem to be the case.
While it is difficult to directly correlate the increase of attack surfaces and risks to the lack of a CISO, it is clear that attack surfaces change over time. And due to the increase of devices not only for the human workforce, but also for operational technology that helps monitor and control critical infrastructure assets, it is safe to say that attack surfaces are increasing.
Prioritization of security for an organization and understanding the scope of one’s attack surface requires a full-time, dedicated position like a CISO with the authority to make technical decisions. But understanding an entire organization’s attack surface on a daily or hourly basis is not possible without an Attack Surface Management platform that scans not only known assets, but also discovers new digital assets coming online at any given time and surfaces related risks for remediation.
Attackers half a world away automate reconnaissance – CISOs for critical infrastructure must leverage workforce multiplying tools like Attack Surface Management platforms to know their risks before adversaries do to avoid future, catastrophic critical infrastructure attacks.
Have questions about Attack Surface Management?
Give Us A Call
Additional contributors to this blog include Censys Technical Account Executive Tyler Crabtree and Product Marketing Manager Kaz Greene.