A crucial U.S. fuel pipeline operator recently announced it had been hit by ransomware, a type of cyberattack in which hackers encrypt important data so their owners cannot access them—unless the owners pay the criminals to unlock the information. Colonial Pipeline, a private company that transports nearly half of the U.S. East Coast’s gasoline and other fuel, had to shut down 5,500 miles of its fuel pipeline as a result. The FBI has blamed the attack on a criminal group called DarkSide.
Unlike ransomware used to kidnap an individual’s computer files, lock up a university’s network or extort a hospital, attacks on major infrastructure such as Colonial Pipeline’s fuel pipeline can have enormous impacts on whole regions of the country. DarkSide’s ransomware “caused a fairly significant disruption to the fuel supply across the East Coast and caused a number of policy interventions and reactions from the administration [of President Joe Biden] about trying to make it easier to transport fuel and mitigate the impacts of that,” says Josephine Wolff, an assistant professor of cybersecurity policy at Tufts University. Scientific American spoke with Wolff about the threat posed by ransomware, how vulnerable the U.S.’s critical infrastructure really is—and what can be done to protect it.
[An edited transcript of the interview follows.]
Are ransomware attacks becoming more frequent?
It’s hard to pin down really good numbers because [there are] a lot of ransomware attacks we don’t hear about publicly. There’s no requirement to report them, most of the time. But the ones we hear about are clearly becoming not just more numerous but also more significant in their impacts. If we think back a couple of years, we had the city of Atlanta, the city of Baltimore, a number of public government-focused attacks that were using ransomware. More recently there’s been a lot of focus on the attacks aimed at hospitals and health care providers. And looming in the background, though we’ve seen fewer examples of it, has been the threat of attacks like this: targeting critical infrastructure that would significantly disrupt operations and daily life.
Other than pipelines, what other types of infrastructure are at risk?
The typical example that people use is the electric grid. What happens if somebody is able to prevent the provision of electricity across some part of the country? The Colonial Pipeline shutdown, though it’s not exactly that, fits into that nightmare scenario of “What do we do if we lose control over our power infrastructure?” But it’s true across a number of critical infrastructure sectors. What happens if a large part of the banking infrastructure is shut down or impossible to access? What happens if the subway system in a major city is compromised, and it’s impossible to schedule trains or operate transportation? Up until this point, mostly, we’ve just been imagining these scenarios. There have been a few high-profile examples of the power sector being targeted, but this is still a fairly rare occurrence—and, for that reason, quite striking.
Are these systems adequately protected?
The general answer is that probably nothing in our energy sector is being adequately protected. It’s a sector with an enormous number of legacy systems and complicated infrastructure, and it’s a sector that always has to be up and running. So it’s not easy to say, “We’re going to take a week or a month or a year and completely revamp everything and update all the systems.”
How can these potential targets better defend themselves?
They should be, first of all, really trying to lock down their perimeter defenses—which is to say all of the security controls that they use to try and prevent malware from being delivered to their computers in the first place. That could be things such as two-factor authentication, e-mail warnings for external mail, and screening of new USB drives or other devices that are plugged into your system. I think there should be a lot of controls (especially right now, at a moment when a lot of people are working from home) around remote access—the computers that are connecting to your system from outside your offices.
A big [defense] is what we would call network segmentation: making sure that if one piece of a company’s infrastructure is compromised and targeted, it’s very, very difficult to spread that malware across the larger network. One of the things that is pretty striking about this story is that the Colonial Pipeline has shut down more than 5,000 miles of pipeline. That, to me, suggests either that a very large swath of its system has been compromised or that [the company is] worried that it very easily could be. Ideally, you would not have that large an impact from one initial compromise.
Another piece is thinking about how you get systems back up and running very quickly, because when you’re dealing with critical infrastructure, you don’t have a lot of time to take everything off-line. There’s a lot of rapid decision-making that needs to happen. There’s a lot to be said for trying to run some test drills and making sure that there’s a really clear plan in place for a situation like this. I also think that’s part of discouraging ransoms—to make people feel like “We’ve trained for this; we know what to do,” as opposed to “We’ve never seen anything like this. I guess we have to pay.”
Beyond individual systems, what should the government do to help?
I would like to see a much more forceful prohibition on the payment of most ransoms. That’s my opinion; that’s not everybody’s opinion. But what is it that the U.S. government can do unilaterally? Trying to make this a less profitable endeavor, long term, is one of the most effective measures that we could try to implement. [Cracking] down on how easily those ransoms are paid, how easily they’re covered by insurers, I think, could make a big difference in terms of how much money these criminals can make—and therefore how many of them are entering the business and using this as a way to profit.
What do we know about these criminals? Just how profitable is the ransomware industry?
We know it’s profitable because we know people continue to do it, and that’s actually the strongest indication we have that people are continuing to make money. But exactly how much money they’re making is very hard to estimate meaningfully. The group that the Colonial Pipeline ransomware has been attributed to is a criminal organization that is very focused on ransomware as a service—making ransomware tools and code available to customers to direct their own attacks. That matters because this organization, DarkSide, is building this business not just as a way to target companies but also as a way to make it easier for other criminals. That—again, without having hard data—speaks a little bit to the scale of this problem.
Would we have more hard data if victims were required to report ransomware attacks?
Having a reporting requirement would, at the very least, help us get a better handle on the size and scale of the problem. When we make these statements like “Ransomware is on the rise” or “2021 is the worst year for ransomware yet,” we would actually have some harder data behind those kinds of generalizations. But I also think it would give us a lot more insight into: What are the criminals’ profit margins? Who’s paying them? How much is being paid? How do we make ransomware a less profitable endeavor?