Throughout the years, high-profile critical infrastructure attacks have continued to shock the world, including the discovery of Stuxnet in 2010 and the Colonial Pipeline ransomware attack in 2021. But numerous red flags foreshadowed these incidents for years – and sometimes decades – before they occurred.
The Colonial Pipeline attack was preceded by security advisories from the U.S. government for pipeline operators, security research from the threat intelligence industry, and even an audit conducted in 2018 on Colonial Pipeline itself that decried a tangle of poorly connected and secured systems and an overall lack of security awareness at the organization. All of these signals were ignored until it was too late, said Kim Zetter, an investigative journalist who has covered the cybersecurity space for decades, at Black Hat USA this week in Las Vegas.
“Despite a multi-billion dollar security industry and an unprecedented government focus on threats, everyone still seems to be surprised when threat actors pivot to new but often wholly predictable directions,” said Zetter on Thursday. “There are few things that truly blindside us, however. The rest cast signals long before they occur.”
Though it renewed a focus from the U.S. government on public and private collaboration around security, Colonial Pipeline is far from the first significant attack on critical infrastructure made up of operational networks and industrial control systems. More than a decade before, the Stuxnet worm that hit several nuclear facilities in Iran in 2010 was a big step in shining a light on critical infrastructure threats that the security community had largely ignored, instead focusing on IT networks. Stuxnet’s discovery brought several landmark changes across the security landscape. It led to a “trickle down effect” where cybercriminals were able to learn about tools and techniques from the government (as opposed to vice versa) and also heralded the “militarization of cyberspace” and the politicization of security research and defense, effectively linking together cybersecurity with national security, said Zetter.
“There’s a lack of imagination or… anticipation about the next move that hackers will make.”
While Stuxnet marked a tangible critical infrastructure security incident, there have been warnings about critical infrastructure security threats that go back to 1997, when the Marsh commission cautioned the U.S. government of a growing trend toward connecting critical control systems for oil, gas and electricity to the internet. Two years before the Colonial Pipeline attack, Temple University started compiling data on publicly exposed ransomware attacks on critical infrastructure organizations in 2019, and found 400 incidents in 2020 (and later 1,246 incidents between Nov. 13 and June 30, 2022). In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released a report recommending pipeline operators make a response plan and implement security measures like network segmentation. Despite these various clues, when Colonial Pipeline was hit, the organization shut down its pipeline for nearly a week and paid a ransom. The organization had no CISO when it was attacked (with security duties falling to a Deputy CTO) and appeared not to have an effective plan in place for operating the pipeline manually across its entirety of 5,500 miles, said Zetter. These same warning signs can be seen in other critical infrastructure sectors as well, including clues pointing to election security issues that led up to the 2016 threat actor targeting of voter registration systems, ones before the Oldsmar water utility hack and more.
“What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware and the problems created by security issues with election machines,” said Zetter. “Russians going after election infrastructure in 2016 – really we should have been asking what took them so long, not being surprised by it.”
The collection of attacks over time on critical infrastructure sectors is indicative of society’s natural instinct to react to threats only after they occur rather than preparing for them, “or ignoring voices of reason that warn of impending problems, only to scramble into action when they occur,” Zetter said.
“There’s a lack of imagination or… anticipation about the next move that hackers will make. This is often the case here,” she said.