Colonial Pipeline And Why We Don’t Mix Systems That Carry Different Risks

If you live on the East Coast of the US tonight, you’re paying the price for a poorly designed computer network.

Think not?

Go out and try to buy gas tomorrow. You’ll have lots of company as panic buying has already set in.

Colonial Pipeline is a Georgia-based pipeline operator with 5,500 miles of pipeline stretching from Texas to New Jersey. It delivers about 100 million gallons of refined petroleum products every day to the eastern seaboard, roughly 45% of the gasoline, diesel, heating oil and Jet A used there. Because most fuel distribution runs on just-in-time production and delivery, even a week offline can disrupt travel and heating across more than a dozen states.

Less than a week ago, Colonial Pipeline was hit by a ransomware attack from DarkSide, a ransomware-as-a-service group believed to operate out of Russia.

A ransomware attack is pretty straightforward: get someone inside the organization to click a link in a phishing email or visit an infected website (or simply log in through an exposed remote-access service with a stolen password). That first foothold pulls down the malware, and from there the attackers move laterally through the network. By the time the victim knows anything is wrong, their data is encrypted and a ransom note is waiting.

It’s pretty simple really: bitcoin for your data.

So, how did we get from a garden variety ransomware play to the panic buying of gasoline?

Very simply: because we build networks that mix high-risk systems with low-risk ones. Look at your own life:

Is the entertainment system in your car low risk or high risk?

Is the network-enabled refrigerator in your kitchen low risk or high risk?

Are the autonomous driving systems of your car low risk or high risk?

Is your printer low risk or high risk?

Is your network-enabled security system low risk or high risk?

The answer is: they’re all high risk.

You see, in a technical sense, there aren’t any low risk systems. But, that’s not how we think. We see the printer as low risk because, really, what can someone do with a printer?

Except that your printer is connected to your home network, and your home network trusts it. If I get inside the printer's firmware, say by tampering with an update, then I'm inside your network. The same goes for that new Internet-enabled refrigerator.

And what about your car entertainment system, low risk or high?

Actually, in many cars the entertainment head unit is bridged onto the same CAN bus as the controllers responsible for driving you from point A to point B, so it carries just as much risk as the autonomous driving systems. We just don't look at it that way.

But, we should.

Everything, and I mean everything, that you have connected to a high risk system shares the same risk profile as that system no matter what each system does. The printer is just as high a risk as your security cameras. Your security cameras are just as high a risk as your cell phone (which also has cameras and a microphone) and your laptop which has your tax files, a camera and a microphone.

When I penetrate a system, I don't look for the most secure parts of the network. I look for the least secure parts that are connected to the part I care about. As Sun Tzu put it, "avoid what is strong and strike at what is weak."

These low-risk parts of the system are the ones we forget about precisely because they are considered low risk. But if I can compromise your refrigerator's built-in computer, I can use it as a jumping-off point toward the cell phone you use as a bedside alarm clock.

What can I listen to at that point?

What can I see?

I know what you’re thinking. This is science fiction.

But, it’s not.

The Stagefright vulnerabilities in 2015 allowed attackers to compromise Android phones just by sending an MMS (Multimedia Messaging Service) message to a vulnerable phone. The user didn't have to do anything; the phone was compromised on receipt.

The Dirty COW bug (CVE-2016-5195) lay undiscovered in the Linux kernel for nearly a decade and let any unprivileged local process get root with very little effort. Anything running an affected kernel, from a laptop to a Raspberry Pi to your refrigerator to your security system, could be taken over once an attacker had any foothold on it. We know it was exploited in the wild, just not how often or by whom.

And Windows has never been safe.

Then there's WannaCry, Petya and NotPetya, Shamoon, Stuxnet, Carbanak, Popcorn Time, SimpleLocker, Storm Worm, Energetic Bear, Conficker, ShadowHammer. And those are just a few of the software attacks. Hardware flaws, Spectre and Meltdown among them, are a completely different beast.

By infecting your printer's firmware with software I bought for $100 on the dark web, I'm now inside your network, reading your files and sending them on to myself.

By penetrating your car's entertainment system, which has lousy security and is connected to the Internet through a telematics service such as OnStar, I can pivot to the controllers that handle the brakes, accelerator and steering. At that point I control the vehicle, not you.

So what does this have to do with ransomware at a pipeline company?

The ransomware at Colonial hit the business side of the company, not the pipeline operations side. The pipeline was shut down anyway because the two were interconnected: the operator could not rule out the infection spreading into operations, and scheduling and billing depended on the business systems.

The pipeline operations systems are the most critical systems; the business systems are the least. We can survive with accounts payable offline, but if the pipeline controllers are destroyed or the pumps over-pressure the line, we have a disaster.

And even though the skill set for pulling off a ransomware attack is very different from the one needed to sabotage the control systems of an industrial plant, a ransomware foothold also works as a jumping-off point for attackers who do have those skills.

Had the production control systems been isolated from the Internet and from every other network the business ran, whether by a true air gap or, more practically, by strict segmentation with only a few monitored, one-way-where-possible connections between the business network and the control network, shutting down the pipeline would not have been necessary.

But, they weren’t. And now we have a mess.

The real lesson from the Colonial attack is that when we mix low risk systems with high risk systems, the low risk systems inherit the risk profile of the highest risk system they interact with.

When you view the system as a whole, there is no such thing as high and low risk systems. If they can talk to each other, treat them as one system with one security risk level – that of the highest risk system.

And that includes your refrigerator running an old, unpatched copy of Windows XP that is on the same network as the cell phone you keep by your bedside as an alarm clock.
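To make the "if they can talk to each other, treat them as one system" rule concrete, here is an added example in Python (not code from the original post). It models a network as a directed "can initiate a connection to" graph and computes each host's effective risk as the worst nominal risk of anything it can reach, then shows what segmentation changes. The host names, risk levels and links are constructed for illustration and are not Colonial Pipeline's actual network.

```python
"""Effective-risk model for a connected network.

Added example, not from the original post.  Each host carries a nominal risk
level; a directed edge (a, b) means a can initiate a connection to b.  A host's
*effective* risk is the highest nominal risk of anything it can reach, because
an attacker who lands on it can keep moving.  The hosts, levels and links below
are constructed for illustration; they are not Colonial Pipeline's network.
"""
from collections import deque

# Ordered risk levels: later entries are worse if compromised.
LEVELS = ["low", "medium", "high", "critical"]

# Constructed nominal risks for a handful of business-IT and pipeline-OT hosts.
NOMINAL = {
    "printer": "low",
    "ap-workstation": "low",      # accounts-payable PC: where the phish lands
    "file-server": "medium",
    "historian": "high",          # OT data historian, often dual-homed
    "scada-server": "critical",
    "plc-pump": "critical",
}


def bidirectional(pairs):
    """Expand undirected links into edges in both directions."""
    return [(a, b) for a, b in pairs] + [(b, a) for a, b in pairs]


# Flat network: business and operations hosts can all talk to each other.
FLAT_EDGES = bidirectional([
    ("printer", "ap-workstation"),
    ("ap-workstation", "file-server"),
    ("file-server", "historian"),      # the IT/OT bridge nobody remembers
    ("historian", "scada-server"),
    ("scada-server", "plc-pump"),
])

# Segmented network: same hosts, but the historian only *pushes* data out to
# IT (think a one-way diode or a strictly outbound firewall rule), so nothing
# on the business side can initiate a connection into OT.
SEGMENTED_EDGES = bidirectional([
    ("printer", "ap-workstation"),
    ("ap-workstation", "file-server"),
    ("historian", "scada-server"),
    ("scada-server", "plc-pump"),
]) + [("historian", "file-server")]


def path(src, dst, edges):
    """Shortest hop chain an attacker on src could follow to dst, or None."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for s, d in edges:
            if s == cur and d not in parent:
                parent[d] = cur
                queue.append(d)
    return None


def effective_risk(nominal, edges):
    """Map each host to the worst nominal risk among the hosts it can reach."""
    result = {}
    for host in nominal:
        reachable = [h for h in nominal if path(host, h, edges) is not None]
        result[host] = max((nominal[h] for h in reachable), key=LEVELS.index)
    return result


if __name__ == "__main__":
    for name, edges in (("flat", FLAT_EDGES), ("segmented", SEGMENTED_EDGES)):
        print(f"{name}: {effective_risk(NOMINAL, edges)}")
        print("  printer -> plc-pump:", path("printer", "plc-pump", edges))
```

On the flat topology every host, the printer included, comes out "critical", because the printer can reach the pump controller in five hops. On the segmented topology the business side drops to "medium" and the printer has no path to the pump at all, while the OT hosts stay critical (they still reach each other, and a compromised historian can still push into IT). In practice the edge list comes from firewall rules, routing tables and the dual-homed boxes that nobody documented; the exercise is finding the link that corresponds to the constructed "file-server" to "historian" edge here.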