
Tuesday, 15 June 2021

Ransomware Prioritize Prevention Then Pursue Prosecution – Part 1


Noted Internet Security Expert, B. Franklin
Interesting Fact: 
Colonial Pipeline Earlier Management Ignored His Advice

Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT: “Ransomware attacks have to be stopped — here’s how.”

Some 898 words long. Lots of good advice and interesting points.

However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem.

It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.

The last sentence “names the issue exactly”.

I think this is the major problem.

By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway.

Now we could crack down on those who buy stolen goods, even those in other cities.

We could station a policeman by each house to keep guard.

Or, we could get as many citizens as possible to lock their doors and secure their property.

What this latter step hopefully would do is lessen the opportunity for crime.

And the amount of crime that takes place.

It also lessens the number of vulnerable targets that one has to guard.

If we can take the above steps, then resources can be more focused.

Also, and perhaps more importantly, with national security issues one would, I hope, prefer to prevent an attack over a successful response to the attack.

Is this the case with ransomware? That doors are unlocked, valuables unsecured?

First, some macro examples from an earlier post.

Two quotes from the FT. Italics mine.

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

The above points are estimates, not facts.

But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.

The companies making these estimates are companies selling security products and so may have a profit dog in the fight.

So let’s turn to recent comments by the US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.

Second, some individual examples.

Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single-factor authentication.

In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.

That alert mentions some of the same security failures as with Colonial Pipeline.

Lessons learned?

Wake-up calls unanswered?

Sobering facts insufficiently “sobering” to overcome the state of intoxication?

As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.

You will see this pattern of “rookie” mistakes in many of their alerts.

Another study that ranks cybersecurity by country seems to confirm the above.

The US ranks 46th out of 75 countries.

Some caveats:

  1. This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.

  2. But despite that drawback it does highlight the Willie Sutton Principle: One would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.

In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.


Saturday, 12 June 2021

Colonial Pipeline CEO’s 8 June Testimony -- Annotated


No Need for an Extensive Hunt
Just Read Below

On June 8th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.

I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.

Quote 1

Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.


That certainly sounds promising: Colonial acknowledges its “significance to the economic and national security of the United States”.

Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.

Quote 2

I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change. 

Indeed it should never have happened.

It is as well a “sobering fact”.

While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been in a “sober” state prior thereto.

Quote 3

We take our role in the United States infrastructure system very seriously.

With a previously reported 30%+ net profit margin, very seriously no doubt.

That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.

I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.

That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.

Madame Arqala generally rides “shotgun” in these cases. 

And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.

Note that those steps are undertaken before not after a crash.

So you’re probably as excited as I am to hear from Joe.

Quote 4

Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.

It seems that CP’s “accountability” is focused on the future. 

They're looking "forward not backward."

Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.

That can’t be quite right, given all of Joe’s statements so far about Colonial’s attitude to protecting critical infrastructure.

There’s got to be more to come.

Quote 5

Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.

Ah, the answer.

When you hear the word “legacy”, you immediately know that it’s not current management’s failure.

It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.

Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.

With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.

Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now. 

Also we learn that the system “was not intended” for use.

But it certainly seems that it was “left on”.

So Colonial’s management is filled with good intentions among other things.

I guess in some quarters that counts for more than “effective actions”.

But that doesn’t mean that Colonial isn’t taking action now.

Quote 6

We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.


Clearly quite a bit of work is being done now—that is, to remind you, after the hack.

Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?

It sure sounds like it.

With this as backdrop, you probably expect that Joe is about to get quite a grilling from the Senators on the Committee.

Let me remind you that “expectations”, just like “intentions”, don’t always deliver the wished-for results.

Once the transcript of the hearing is published we’ll take a closer look.

Saturday, 22 May 2021

FT Exposes the “Dirty Secrets” on Infrastructure Cybersecurity

By Day Keeps the Free Market Working
By Night Redeems Children's Teeth for Cash

In this weekend’s FT Myles McCormick and Hannah Murphy wrote: “Pipeline ransom attack exposes vulnerability of American infrastructure to cyber threats”

At first glance this seemed to be a “Sun rises in the East, sets in the West” article, as the vulnerability of American infrastructure to cyber threats has been repeatedly “exposed”.

The Colonial Pipeline incident is not the first cyberattack rodeo in the USA as the authors note:

Since 2019, US critical infrastructure targets have suffered about 700 ransomware attacks, including 100 this year, according to data from Temple University in Philadelphia.

As I read on, it seemed more properly that the article exposed two key reasons why incidents like these occur and, thus, why infrastructure is insecure.

Key reasons outlined below in bold. Quotes from the article in the list below each “point”.

Woefully and Criminally Unprepared

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

Governments have responsibility for being asleep at the switch on regulation. 

Though as Milton Friedman would tell you, if he could, there is no need for government regulation as the “Free” Market solves problems like this all on its own.

It’s all about the Benjamins.

  1. But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly.

  2. Pipeline infrastructure is largely operated by private capital, so there is often a drive to cut costs where possible.

Or, in small words, private companies avoid spending the money. 

As evidenced in the first point above, that is an estimated 75% of infrastructure operators.

So it’s not a case of a few exceptions proving the rule about the magical prowess of the “Free” Market.

But rather the overwhelming majority proving Dr. Friedman "dead" wrong.

Two further thoughts.

When the going gets tough, our national rough and tumble highly competitive private companies go running to Uncle Sugar for a handout.

  1. You know them. They’re the guys who complain about welfare and how $300 a week unemployment benefits “sap the willingness of the precariat to work”.

  2. While extolling how the “free” market delivers the best solutions to problems.

  3. Now I’m not averse to giving aid to those who are truly struggling.

  4. Colonial Pipeline’s 2018 FYE audited report shows net profit of some US$ 470 million on total revenues of US$ 1,397 million (a very nice 33.7% net margin) and interim financials for 1Q2019 US$ 137 million in net profit (36% net margin).

  5. It’s not possible to calculate a return on equity as CP has negative equity. Perhaps, due in part to a generous dividend program coupled with an earlier decapitalization (Treasury stock purchases in prior years). CP paid US$ 670 million dividends in 2018!

  6. In light of those statistics, I think Uncle Sugar shouldn’t give them more than $299 a week lest we encourage them to slack off.

  7. As you’ll note from the dearth of public information on its financials after 1Q19, CP is pretty good with keeping their financial information secure. So it’s pretty clear where their security focus is.

As to the problem being “old operational technology systems, some of which predate the internet,” having “outdated security and being difficult to upgrade”:

  1. Old operational systems which predate the internet probably aren’t connected to the internet.

  2. Thus, they would seem less likely to be vulnerable to hacking and capture unless miscreants were on the premises to infiltrate PLCs.

  3. Analogy: If you only send snail mail, it’s unlikely that hackers are reading your correspondence.

  4. In some cases if your “internet” technology or programs are “old” enough, they may be extremely difficult to hack/capture.

This is not intended as a recommendation for a Luddite return to manual or outdated systems. But rather as a counter to the “old systems” defense.

It is, to repeat myself, “all about the Benjamins”.

It is a "tried and true" method to motivate folks who focus on money by "threatening" them with large fines and loss of their license to conduct business.


Friday, 21 May 2021

Profoundly Disturbing FT Article on Bitcoin and the Environment

Asleep at the Switch


Katie Martin and Billy Nauman had an extremely scary article in the FT on Friday 21 May.

While the main point of the article was about the amount of energy used to mine Bitcoin and its impact on the environment, it was this quote that sent the real chill down my spine.

Tesla chief executive Elon Musk has highlighted the environmental impact of cryptocurrencies. Amid calls from climate activists for tighter rules, governments and central banks are starting to take notice.

So what the FT seems to be saying is that, absent the Technoking’s statement and that of “climate activists” (who, by the way, have been ignored for years), governments and central banks would still not have “taken notice”.

Thus, our fate apparently depends on the random tweets of celebrity businessmen, including one who actually thinks cryptocurrencies are investable assets and whose statements have a volatility mirroring that of Bitcoin.

Did I mention that he has an (indirect) economic interest in a portfolio of some US $1.5 billion (cost) in Bitcoin?

Just the sort of chap one would go to for wise counsel.

What a damning statement on several levels about the official entities whose remit is, as we are told, to look out for us!

Unclear as to whether we should ascribe this sorry state to attitude or aptitude.

Or perhaps more likely to both.

This is not the only example of such behavior.

We’ve seen another just this week.

After the ransomware attack on Colonial Pipeline, the US House of Representatives “sprang” into action. Given the prior somnolence, it must have been quite a “leap”. Olympic at least.

The House Homeland Security Committee—as aptly and ironically named as the House Select Committee on Intelligence—apparently just discovered that cyberattacks and hacking pose a national security threat. 

It has in the words of the Committee’s Chairman brought a “new urgency to our work”.

Given repeated past cyberattack incidents and a manifest failure to act, it may be appropriate to remove the word “new” from the Chairman’s statement.

Otherwise, the unwary reader might be tempted to think that there was some urgency in the past.

Having made this criticism, if you’re the faithful reader of this blog, you know that I try to be fair.

I should, therefore, acknowledge Congress’s achievement in reducing pollution through the prevention of the burning of the USA flag. Achieved without a constitutional amendment or even legislation!

And I think we can be almost certain they will “stand tall” to prevent plant-based substitutes for the hamburger and beer.

So, perhaps, all is not lost.

Just most.

Wednesday, 12 May 2021

Colonial Pipeline: Why Do Cyber Attacks Keep Succeeding? Answer in Picture Below


The news media is full of reports on the Colonial Pipeline ransomware attack. 

This isn't the first case of cybersecurity failure by a business. 

Sadly it's not likely to be the last until something is done.

Why do events like this happen?

The simple answer is that companies fail to take the necessary steps to protect critical infrastructure despite warnings.

Here’s a February 2020 alert from the US’s Cybersecurity and Infrastructure Security Agency to pipeline operators.

That warning describes:

  1. the nature of the attack, tools used -- apparently an “off the rack” hacking program

  2. the results of the attack

  3. 19 mitigation steps -- many of which are "common sense" 

The unnamed company in this case did not think that its BCP (business continuity plan) needed to include cybersecurity.

If you look at the attack results, you’ll see that the vulnerability was Microsoft software.

As my elder and wiser brother has remarked more times than I care to hear:

There is no need to worry about “microchips” in medicines. Microsoft has never developed a product that works flawlessly.

If you look at the CISA alert for Colonial Pipeline, guess what you will find?

Significant repetition from the alert above given some 15 months earlier.

And as above a lot of these recommended steps seem fairly easy to implement.

So what causes the failure to prepare?

Management and organization incompetence is no doubt responsible in some cases.

But on its website, Colonial Pipeline states that it is “Committed to Excellence”.

It is a private company reportedly owned by Shell, Koch Industries, KKR with a Korean pension fund, and several other pension funds and financial firms.

You would expect that it has first class management.

And the financial, technical, and human resources to take appropriate measures. 

It was quite a profitable enterprise based on its 1Q2019 financials.

It has demonstrated security “awareness” in other areas.

CP’s website has a “captcha gate” to keep out undesirables. I was, however, allowed entrance after performing a few Turing tests.

I don’t know whether this is a new feature installed after the ransomware attack (closing the proverbial barn door) or has been there for a long time.

Even stricter is the security for access to investor information.

You have to submit a request to CP’s Investor Relations Department with personal details and a justification of your need to know.

And they note they just might refuse your request!

Talk about cybersecurity! 

At least with respect to financial and corporate information.

Because the ransomware attack was successful, one might infer that similar security measures were not in place to protect pipeline operations.

Improving cybersecurity requires expenditure.

Sometimes management are unwilling to spend the money.

So what is to be done?

Repeated failures in cybersecurity suggest that faith in companies properly managing their affairs is more often than not misplaced.

As well, the invisible hand of the market appears to be not only invisible but also consistently absent in these cases.

If Hometown Deli in New Jersey is shut down by a cyber attack, it’s one thing.

If a major pipeline is shut down, it’s another.

In one case it causes inconvenience. 

In the other it harms national security.

In the latter case -- a failure of the market -- the prudent approach is strict regulation along with substantial fines and other penalties.

If a critical infrastructure company cannot figure out on its own that cybersecurity is critical, a statute will make it a requirement and penalize a company financially and otherwise, e.g., revoke its license to operate critical infrastructure, if it fails to develop and implement one.

Related post here.