U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack (opens in new tab)

You think Fireeye had massive security lapses because they reported they were hacked. Everyone else was also hacked and FireEye was the only one that figured it out and blew the whole thing wide open. Now if the best incident responders in the world can’t always prevent malicious activity on their network, how is an oil company going to do that? Or utilities, transporters, hospitals, defense contractors, or universities? The truth is everything is vulnerable, and what you think is the stability and security of all the other organizations you don’t hear about getting hacked, is just the current set of hackers working hard to be discreet. I think if war was to break out with certain other nations we’d find it in a hurry how much our infrastructure has already been compromised.

IT is typically grossly understaffed and underfunded in these businesses. At the site-level, you'll see some very out of date tech running critical systems. IT is a cost-center to be reduced as much as possible, oversight is non-existent.

Its difficult to chastise a country that misses the forest for the trees, when that country has spent sixty years formenting a culture of blind consumption and wilful ignorance of anything STEM. instead of a flourishing culture of hacking and computing, the united states through DMCA and law relegated the notion to comic books and hollywood fiction. most of the public war drumming for 'hacking' (if it could be said to exist at all in 2021) is a thinly veiled surrogate of consumerism.

What reason would we have to blame the company for poor security hygene? what possible outcome could we hope for when in 2021 nearly every Solarwinds customer renewed their license after the hack.

I'm here to bring a message from the future: they did have usable backups, according to a news article published just a few days after this one:[0]

> Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

It's hard to get the full story from a single article, and larger publications like the Washington Post tend to focus on the most recent statements from federal agencies and corporations rather than details that you and I find more interesting. Sometimes I wish that newspapers would do more of a synopsis of news stories a month or so after the fact to give more context and "lessons learned" or "what impact has this had?". I would prefer that much more to the "breaking news" approach.

[0] https://www.bloomberg.com/news/articles/2021-05-13/colonial-...

Was just gonna say this sounds like your classic case of a business scoffing at the high price of software devs.

I'd wager a guess that their current IT team was worked to the bone on profit-focused projects, but will be 100% blamed internally by the execs.

Executives are rewarded extremely handsomely for short-term returns. Even if the company goes under, they've long ago accumulated enough wealth to live out their lives fabulously. The incentives to invest in security are weak.

> There’s nothing in this article indicating the operator has a recovery plan in place involving restoring backups to get these systems online.

No one cares about that type of work that’s why. It’s ridiculous but true.

This one in particular is good because, it's public, it's not that scary, but it's easy to make the jump to scary attacks.

Absolutely, it's better to have a ransomware attack against the workstations instead of a more developed attack that blew the pipeline up.

Agreed. It also tells us where bug bounty rewards should be in value. As the structure of bug bounty programs are completely wrong and the rewards are undervalued.

The market is literally saying they are undervalued.

The flogging will continue until bug bounties improve.

I think I understand your POV and can see why one might find some peace in it, but I don't. More crime, or I suppose mroe news about it, so we know how much crime costs? More attacks make us safer? It's a means justify the ends argument, but it doesn't hold water.

It's eerily similar to "burn it all down" https://en.wikipedia.org/wiki/Accelerationism, which, itself is on the rise and burning from both ends.

I infer your point to be that more attacks might cause the victims to step up their defenses. It's a cat and mouse game. Always has been in all realms.

"It'll get worse before it gets better." I've been hearing that for decades. I'm starting to wonder, due to what appears to be a decline in civility. Following the rules only works if we all do. Those who eschew the rules have an obvious advantage.

Where has integrity gone? We are tearing ourselves apart and justifying it ... or coming to terms with it I suppose, by saying it'll be better some day.

Well... when... exactly? By what measure will we know?

I know Stephen Pinker, Hans Rosling, and various folks say it's the best time to be a human. Okay. Sure. I see the math. I'd like to see them update their charts for data out over the past year.

But ... anecdotally, none of that math seems to percolate down to my community. The people around me are in constant fear. I just saw a woman walking down the road, all by herself, I had clear vision for a mile and so no one else but her... and she was wearing a mask.

She was afraid. She was anxious. Regardless of the relative safety that exists today, or the belief that it'll be safer tomorrow because of the lack of said safety, the people around me aren't feeling it.

They're buying guns because red people are coming for them... or the blue people already are. Or the government will. There is literally no milk at the store because of an HDPE shortage prompting the grocer to put a Force Majeur notice on the dairy fridge door.

Trust has broken down. Fear of our own neighbors is up. Crime is up. Poverty is up. Suicide is up. Cyber crime is up. Inflation is up. The Gini coefficient is up.

I really have trouble believing that making it worse real fast, or even reporting more of it, is going to make it better.

I don't see it.

I work in control systems OT space. A lot of distributed control systems and scada systems interface with the business layer in some fashion to provide access to time series and event data and to allow for alerts via email/mobile. Some people do this properly with good network segmentation, firewalls, A/V and patching, etc (there are several standards that dictate best practice). That said, even when doing it properly you're introducing attack vectors. I don't think it would be a firmware vulnerability, but instead something malicious affecting the computers they use to control the process.

Shutting down pipelines is insanely expensive. Under normal circumstances maintenance work, including welding, is done on live pipelines. The guys that do that job are extremely well compensated, last I knew hundreds an hour, and maybe a little crazy.

A shutdown is a huge deal and means they’re taking this extremely seriously.

The WaPo article itself is much more detailed. The bits about the age and fragility of Colonial's pipelines are far more significant than ransomware. Colonial's continued neglect is more disruptive than any single attack on the pipeline. The persistence of unreliable infrastructure is a more valuable disruptive asset to an organized opponent than a single targeted attack.

Tangent - Also interesting, the WaPo article [0] bears little resemblance to itself from only hours ago [1]. The article has grown by about 50%, while contents have come and gone. That's my favorite application for archive dot is - Seeing the timelapse of iterative releases, watching journalism bend and sway in the current of its own response. I'm not making any judgements, the internet is already sloshing with useless hot takes about journalism and media. It's just fascinating to see the modern editorial process at work, out in the open.

[0] https://www.washingtonpost.com/business/2021/05/08/cyber-att...

[1] https://archive.is/vlNs2

20 odd posts and yours is the only sensible one.

It's certainly a security incident but until we know more it's hard to say the infrastructure was specifically targetted for an 'attack'

Wellll sort of. The "Da Vinci" virus claimed it was going to capsize oil tankers in order to cause an ecological disaster. Not just shut down a pipeline.

Give ‘em a cookie! Hack the planet!

I know you play the game!

More movie recommendations please

What would be the difference between having a data diode between your control and monitoring network and external monitoring systems, versus just splitting the monitoring part off into a completely separate network with ordinary two-way traffic?

Those devices don’t work like a nuclear bomb control does - that is adding resistance/controls to taking an action.

The appropriate analogy is more like a nuclear reactor. They require some system controls to stay functional and healthy (water temp increases in loop x, increase motor speed of pump y, if already at or exceeding speed z, set off an alarm).

These controls need constant monitoring in a control station somewhere, sometimes tuning or fixing if there is a bug or issue somewhere, etc.

A lot of the cost of a nuclear plant is trying to cover every possible scenario and being compliant with endless regulations for stuff like this (and everything else).

That most non-nuclear plants don’t want to deal with the hassle and expense shouldn’t surprise anyone. That non-nuclear plants often don’t even TRY to cover basic cases SHOULD dismay and surprise people. These issues have been well known and publicized for literally 30 years.

A reason safety guys in these industries have the saying ‘regulations are written in blood’ is often not because no one sees the danger. Rather, until the body count reaches a certain point, no one can justify the expense to require it be fixed.

> the'two-man' rule used to launch nuclear bombs?

Yes. It's called Threshold Cryptography and it generalizes 'two-man' rule to require that N of M authorized users agree to an action.

But it's not really necessary here. What's needed for infrastructure is to get it off the internet and to quit using insecure operating systems and languages.

>It's only a matter of time

According to some sources, it's been done before:

>CIA plot led to huge blast in Siberian gas pipeline

>Thomas Reed, a former US Air Force secretary who was in Ronald Reagan's National Security Council, discloses what he called just one example of the CIA's "cold-eyed economic warfare" against Moscow in a memoir to be published next month.

>Leaked extracts in yesterday's Washington Post describe how the operation caused "the most monumental non-nuclear explosion and fire ever seen from space" in the summer of 1982.

>Mr Reed writes that the software "was programmed to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds".

https://www.telegraph.co.uk/news/worldnews/northamerica/usa/...

It's like 100x more expensive.

Would be nice to have separate data lines, running fiber optics sealed in pressurized conduits for double tamper detection. The military actually does this for their critical infra.

One such example... a test done at the Idaho National Lab

https://www.wired.com/story/how-30-lines-of-code-blew-up-27-...

That lab tends to specialize in cybersecurity and infrastructure.

https://www.wired.com/2011/10/idaho-national-laboratory/

The critical infrastructure part of the lab:

https://inl.gov/critical-infrastructure-protection/

"It's only a matter of time, there's gonna be physical casualties at some point in time. We've all seen it in the movies."

You mean like a pandemic? ;)

Easier: Microsoft Windows

Both are correct.

The state of computer security is unacceptable and needs to be fixed. Today its profit-motivated extortionists, but anything they can do is also an option for spy agencies, and is it really that hard to imagine anti-oil activists pulling the same stunt some day?

On the other hand, crypto is the thing behind the profit motive. If crypto is impractical (if there were no way to convert it to real currency), the profit incentives for these attacks (and mining, for that matter) break down.

I realize this isn't a popular opinion around here, but we should probably do both.

(2) isn’t wrong though. Ransom ware dates to 1989 but the uptick goes hand in hand with the rise of crypto currencies for the obvious reason that you don’t steal what you can’t fence and cryptocurrency has changed the risk and feasibility dramatically.

I’m not saying I support government action here but we should be honest about the situation.

That's quite a strawperson - it creates a fictional story and then criticize the characters.

The U.S. government has been addressing computer security in infrastructure for a long time.

That a pretty low effort dig at the government. What the hell does that have to do with something that is obviously state sponsored cyber espionage? Go troll somewhere else

Both options sound sane, so I guess it will be

3) blame Russia/China

Didn’t see anything about ransomware in the article?

3) investigate and neutralize the groups behind the cyberattacks

That would be domestic terrorism and is an easy way to turn the entire population against the cause

You just brightened my day.

Before the bitcoin you would ask for release of prisoners. https://en.wikipedia.org/wiki/Lufthansa_Flight_615 or get steady funding https://en.wikipedia.org/wiki/Carlos_the_Jackal https://www.rferl.org/a/carlos_the_jackal_on_trial_for_1980s...

To take the last high-profile ransomware gang stopped, if we ignore for a moment that the US didn't find them, you think sending US special forces into Ukraine to arrest or kill some unarmed dudes in a basement would have aided US interests more than just having local law enforcement arrest them? Does this policy of deploying troops expand to gangs in NATO member states and other close allies?

>If people attacked our hospitals and pipelines with explosives we wouldn't sit by and do nothing.

You are proposing that we attack them with explosives, are you fine with them retaliating in kind?

What if you lived next to some hackers targeting a foreign country, would you think it's acceptable to get blown up for their actions?

Precisely ascribing the origins of a malware attack, with 100% confidence, to one specific nation state is a very hard problem to solve. The time/effort that it would take for one nation to launch an attack on a 2nd party, seeming to come from a third-party, or one of their own adversaries, is not very great.

At least not with the 100% confidence that politicians would want before the US military starts dropping JDAMs on buildings.

I would give fairly even odds that something like this is the work of an organization nation state, and also even odds that it's the work of some underemployed teenagers in a basement.

lol war machine? what war machine? there's proxy wars and internal civil conflicts happening abroad, and definitely shady profiteering in some places, and definitely refugee crisis many of which are caused by climate change actually...but what war machine are you talking about? there's no real war out there. if there was, most of us wouldn't be here posting anymore. I hope to God there's never actual war out there.

I think the issue there is data, even on critical infra. Modernization, reliability and the such require data analysis. There are definitely ‘strong’ ways of protecting the assets and mitigating attack vectors, but almost no way to eliminate them entirely. For example, event if you isolate the process computers you’ll typically have an interface node that presents the data up a level (hopefully to a DMZ). Obviously you can be compromised if that interface node is.

Some critical infra is air gapped though. Other systems implement SIS systems in parallel with general process systems to mitigate catastrophic failure further.

In 1983 the US military hived off MILNET, their portion of teh interwebz. Perhaps it's time for infra to do likewise. Too simple?

Companies like this are tax dodges that socialize risk. The limited partners enjoy fat returns with minimal downside.

> Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the pandemic, the attack was unlikely to cause any immediate disruptions.

https://www.nytimes.com/2021/05/08/us/cyberattack-colonial-p...

Why would oil prices jump? This isn’t an oil pipeline.

Oh, what a surprise, another unexpected event pumping oil prices.

Security through obscurity is not security

How would that help in any way?