What We Can Learn in the Aftermath of the Colonial Pipeline Hack

On Tuesday, Joseph Blount, the CEO of Colonial Pipeline went before congress to testify regarding the company’s most recent ransomware attack which left 45% of the fuel supply to the East Coast cut off last month. The hack led to a host of issues, including a panic buying and gas shortages in a number of US states. 

The Colonial Pipeline reportedly paid hackers a ransom of $4.4 million in bitcoin soon after discovering the attack on its systems which began May 6th. In addition, the hackers also stole nearly 100 gigabytes of data from Colonial Pipeline and subsequently threatened to leak it in one of the most high-profile ransomware attacks of the last decade.

Remote Access: a Precursor to the Colonial Pipeline Attack

The attack took place after hackers were able to successfully gain entry into the networks of Colonial Pipeline Co. on April 29th via a virtual private network account. Remote VPNs are a popular way for organizational employees to remotely access a company’s computer network. 

While there is still great uncertainty around how exactly the account’s password was obtained and the account in question was no longer in use at the time of the attack, it could still be used to access Colonial’s network. The account’s password was later discovered as part of a batch of leaked passwords on the dark web, which means a Colonial employee may have used the same password on another account that had been previously hacked. 

The Role of Two-Factor Authentication

The biggest mistake of all was that the VPN account didn’t use multifactor authentication, a very basic cybersecurity tool that would have prevented hackers from breaching Colonial’s network in the first place. Two-factor authentication (2FA) allows users to authenticate their identity using two separate authentication methods. But one of the primary flaws of 2FA is that it’s only as strong as the trust its users’ place in it. 

In addition, 2FA data can also be recorded in session cookies. Once a victim adds their 2FA code to a website, a hacker has the ability to sniff session cookies from a developer tool in a web browser. Using the session cookie, hackers have no need for a victim’s username and password –– they simply need to paste the session cookie into a browser to log in to the victim’s account.

The Future of Safeguarding Critical Infrastructure

Stringent Federal Security Policies

At the moment, there are no mandatory federal cybersecurity requirements for US critical infrastructure, and that includes the energy sector. While to date the federal government agencies have issued cybersecurity guidelines for the energy sector, most operations are privately owned and are not obligated to adhere to them. Meanwhile, the new US administration is working hard to push more stringent security policies for critical infrastructure partners, but the move may come too late for some. 

Secure User Authentication

Organizations must treat the latest attack as a wake-up call to end reliance on traditional keys and passwords. The fact is, passwordless authentication methods, such as FIDO2 security keys are now commonly available and provide an unphishable connection between users and IT systems. In addition, these authenticators have less friction compared to traditional Two-Factor Authentication methods.

Adherence to Zero-Trust Policies

Traditionally, security models operate on the assumption that everything inside an organization’s network should be trusted. Legacy architecture provides an additional layer of security with many benefits. A zero trust strategy works to eliminate the most common entry methods for malicious behavior by accepting that errors in coding and architecture are only part of the problem. Human fallibility is just as great. Whether by illegal means or sophisticated phishing, obtaining access to secure systems appears to be becoming increasingly easy for those determined and motivated. This is why for critical infrastructure systems such as the Colonial Pipeline, a zero-trust approach just may be the answer.

Conclusion

Traditional hardware security modules safely store secure keys. The right HSM should be built for sensitive and complex applications and approval flows, such as secure access to critical infrastructure, transfer of assets, code signing, and identity management.

With HUB Security’s Confidential computing HSM platform, organizations can now secure any type of sensitive business flow with end-to-end security. Built for complex enterprise authorization flows and approved for FIPS-Level 3, HUB Security’s mini HSM enables ultra-secure and fully remote access to an on-prem or cloud-based vault which can authorize remote access requests.