Textbook cyberattack on US pipeline operator

Recently, the attack by the "Darkside” hacker group on the pipeline operator Colonial in the USA has once again brought the topic of IT security into the spotlight. The attack was covered in mainstream news and caused panic buying as well as petrol shortages on the East Coast of the U.S., and even led to a state of emergency being declared in some U.S. states. This shows that attacks, specifically those targeting companies in the critical infrastructure field, can have enormous impacts on society.

But why are such attacks able to have such impacts in the first place?

When we take a look at what is known about the attack, we can see it really was a textbook attack. First, a small malicious program was introduced - presumably via an infected email or an open security vulnerability - which then infected the company’s network with ransomware. Apparently, antivirus software was in place, but it was still unable to prevent the attack. Unfortunately, these types of attacks occur every day and the lax approach to IT security, or the belief that existing solutions are sufficient, contributes to the fact that many IT departments are actually powerless.

It is important to recognize that complex attacks cannot be defended by ONE measure alone (e.g., just by antivirus software). In risk analysis, the Swiss cheese model is often used to illustrate this:

"The Swiss cheese model compares security levels to slices of cheese placed one behind the other. The holes in cheese, such as Emmental, are an image of the imperfection of security or protective measures in a security system. The cheese holes are the weak points and can unexpectedly change in size and location. When there is an unfavourable combination of many causative factors, individual failures develop into ... catastrophic consequences. In the model, the cheese holes then line up and create the 'opportunity for a trajectory' ... that can overcome all security barriers."
(Source: Wikipedia)

Using an antivirus product as the only measure of protection is thus equivalent to a single slice of cheese. We can only create a strong layer of protection when we use multiple different slices.

The first level of security, or "slice of cheese”, can already be established by the human factor in the initial stage of the chain. For the average office user, phishing emails are not easily recognisable, so ransomware is often unknowingly executed. However, "normal users” can be educated properly to learn to recognise such emails and react accordingly (an example of a risk-based IT security concept starts with the topic of "Security awareness").

The next layer to implement is Vulnerability Management. Vulnerability Management reveals whether any dangers and risks are lurking around, as well as their location. Patching security holes in time is therefore the only way you can be sure you haven't missed any threats.

Given the professionalism of ransomware perpetrators, antivirus is the weakest form of protection imaginable, and is not always reliable. Part of the "quality assurance" for new ransomware is that it should not be detected by antivirus software. In principle, there is nothing wrong with running antivirus software as an additional “slice of cheese". However, highly critical systems in particular require an application control software that treats every unknown application as a risk and only allows the execution of defined and known software.

If all else fails and a ransomware attack occurs despite all preventive measures, an appropriate multi-level back up concept and the use of standard data encryption  will serve as another layer of protection. This is because encrypted data poses no risk in terms of the threat of publication often used by criminals to blackmail their victims. With the appropriate backup concept, which stores many versions of all data in different locations, the affected company can also avoid paying the ransom.

In summary, the measures described are not rocket science. Unfortunately, many companies are still too careless with their data and systems, and invest too little effort to counter the risk of being hacked. This is the real reason why we regularly hear about serious attacks in the news. Companies and those responsible must finally stop accepting the threats, and instead actively seek new measures to prevent such attacks from occurring in the first place.