Cybersecurity 101

Lessons Learned from the Colonial Pipeline Cyber Attack
Dennis Hackney, Ph.D., CISSP, CMMC RP
Head of Industrial Cybersecurity Services Development
ABS Group
Kyriakos “Rock” Lambros
CEO and Founder
RockCyber, LLC
© 2021 ABS Group of Companies, Inc. All rights reserved.
ABS Group

ABS Group provides data-driven risk and reliability solutions and technical services that help clients confirm the safety, integrity, quality and environmental efficiency of critical assets and operations.

ABS Group is focused on adding value to the industries served and strategically capturing synergies with the American Bureau of Shipping (ABS).

1000+ Employees, 20+ Countries, 50 Years

ABS Group is headquartered in Spring, TX, USA and is an independent subsidiary of ABS, one of the world's leading marine and offshore classification societies, founded in 1862.

RockCyber, LLC

Founded in 2018, RockCyber provides advisory services to critical infrastructure organizations to decrease their risk to safety and revenue through a curated program that:

• Baselines the capabilities of your current cybersecurity programs
• Gains executive support because cybersecurity problems are triaged in terms of business risk
• Appropriately secures and allocates INCREASED funding
• Achieves peace of mind by guarding digital and physical processes
• Increases confidence through measuring the effectiveness of cybersecurity investments

Questions

• Enter your question(s) in the GoToWebinar “Questions” section anytime throughout the presentation.
• A PDF copy of this webinar’s presentation will be available in the “Handouts” section of the GoToWebinar panel.
• Today’s webinar is being recorded and will become available at: www.abs-group.com/webinars
• Please allow 1-2 business days for the webinar recording to be posted.

Agenda

01 Colonial Pipeline

02 Chronology of the Attack

03 DarkSide

04 Anatomy of the Cyber Attack

05 Pipeline Operations and Systems

06 Cyber Risk Mitigation

Colonial Pipeline

• Privately-held Company
  o Owned by several American and foreign companies and investment firms, including Koch Industries and Royal Dutch Shell
  o Located in Alpharetta, GA
  o Has served the East Coast since the 1960s

• Critical Infrastructure
  o Sector: energy, chemical
  o Supplies Gulf Coast oil to the eastern and southern US
  o Transports 2.5MM gasoline, diesel, jet fuel and other refined products
    - 5,500 miles of pipeline
    - 45% of East Coast fuel supply

Chronology of the Attack
Date (2021): Information Updates

May 6-7: Cyber event took place. Information provided by Colonial Pipeline: the incident involved ransomware; the company proactively took certain systems offline to contain the threat; it temporarily halted all pipeline operations and some IT systems were affected; the company reported that the attack might have affected the industrial control systems that regulate oil flow.

May 8: Primary focus: safe and efficient restoration of service and efforts to return to normal operation; minimize disruption to customers and the supply chain; attack under investigation by cybersecurity firm “FireEye Mandiant”.

May 10: FBI and third-party cybersecurity firms are assisting in the ongoing investigation, response and recovery; the Department of Energy (DoE) and the Cybersecurity and Infrastructure Security Agency (CISA) are also involved; CISA has named pipeline infrastructure as one of 55 National Critical Functions (NCF).

May 11-12: Website down and new website security protocols in place; pipeline operations resumed at approximately 5pm ET; executive order to improve U.S. cybersecurity signed; President Biden’s Executive Order: “The private sector must adapt to the continuously changing threat environment.”

May 14: Colonial Pipeline paid DarkSide nearly $5 million in ransom; once DarkSide received the payment, the hackers provided a decrypting tool to restore Colonial Pipeline’s disabled computer network; although the system is coming back online, analysts say the current gas shortage could last weeks.

May 18: Colonial Pipeline experienced intermittent network outages throughout the day; shippers were unable to make nominations; Colonial Pipeline explained that hardening efforts caused the networking outages.

May 28: DHS-TSA released Security Directive Pipeline-2021-01: owner/operators are required to have Cybersecurity Coordinators, must report cybersecurity incidents to CISA within 12 hours, and must complete mandatory vulnerability assessments by June 27th.

DarkSide

• About the Attacker
  o FBI has been investigating DarkSide since October 2020
  o DarkSide has previously targeted a variety of industries, including manufacturing, energy and insurance.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined
government and look for other our motives.
Our goal is to make money, and not creating problems for society.
From today we introduce moderation and check each company that our partners want to
encrypt to avoid social consequences in the future.”

• Government Involvement
  o Federal Bureau of Investigation
  o Department of Energy
  o Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)

Anatomy of the Cyber Attack

The Ransomware

• Ransomware-as-a-Service (RaaS)
• Encourages actors to use Monero cryptocurrency
• Provides affiliates an administrative panel over The Onion Router (TOR) to:
  o Access communications with victims
  o Manage the administration of malware

After Gaining Access to Victim’s Network

• Deploys its ransomware to encrypt data and is selective with the files it encrypts
• Targets Windows Shadow Copy and common backup solutions
• Exfiltrates victim data, threatening the victim with publishing it, to pressure payment of the ransom
  o Double extortion trend

Data Encryption

• Encrypts files on fixed, removable media and network storage
• Salsa20 Encryption
• RSA-1024 Public Key
• Support in both Windows and Linux environments

Anatomy of the Cyber Attack

Indicators that caught our attention

• There were 165 provided indicators
• The last three don’t have hashes or signatures

Indicator     Notes                              Hash Type   Hash
Setup.exe                                        MD5         08646478a2ba16fa350a650e03bd115f
PuTTY.exe     disguised as copy.exe              MD5         4812449F7FAD62162BA8C4179D5D45D7
winrun.exe    Darkside ransomware executable                 7769cea037ebf692f1d94bab37aaa9d01c5db0dd
svchost.ese   part of RDP/TOR backdoor           SHA256      B9D60D450664C1E8FBFD6B2EC58FDEB2FD81797E183906A4536B59BC4F79846F
Firefox.exe   Mozilla Firefox installed by TA
Firefox.exe
PsExec.exe
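To show how a defender would actually consume an indicator list like the one above, here is an added Python example (not code from the webinar or from either firm) that hashes candidate files with every algorithm present in the list and keeps high-confidence hash matches apart from name-only matches, which is all the last three entries can offer. The SHA256 value is the two fragments from the slide joined; the winrun.exe digest carries no type on the slide, so the algorithm is inferred from its hex length. File paths and contents in the usage are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Indicators as listed on the slide; the three name-only entries carry no hash.
SLIDE_INDICATORS: List[Tuple[str, Optional[str]]] = [
    ("Setup.exe", "08646478a2ba16fa350a650e03bd115f"),
    ("PuTTY.exe", "4812449F7FAD62162BA8C4179D5D45D7"),
    ("winrun.exe", "7769cea037ebf692f1d94bab37aaa9d01c5db0dd"),
    ("svchost.ese", "B9D60D450664C1E8FBFD6B2EC58FDEB2FD81797E183906A4536B59BC4F79846F"),
    ("Firefox.exe", None),
    ("Firefox.exe", None),
    ("PsExec.exe", None),
]

# The slide does not label every digest, so infer the algorithm from hex length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_of(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def match_indicators(files: Dict[str, bytes],
                     indicators: List[Tuple[str, Optional[str]]] = SLIDE_INDICATORS) -> List[dict]:
    """Hash each file once per algorithm present in the indicator list and report
    content matches as 'hash'. Indicators without a digest can only match on the
    case-insensitive file name, reported as 'name' (low confidence on its own)."""
    by_hash = {h.lower(): name for name, h in indicators if h and len(h) in ALGO_BY_LEN}
    name_only = {name.lower(): name for name, h in indicators if not h}
    algos = {ALGO_BY_LEN[len(h)] for h in by_hash}
    findings = []
    for path, data in files.items():
        for algo in sorted(algos):
            d = digest_of(data, algo)
            if d in by_hash:
                findings.append({"file": path, "match": "hash", "algo": algo, "indicator": by_hash[d]})
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in name_only:
            findings.append({"file": path, "match": "name", "algo": None, "indicator": name_only[base]})
    return findings


if __name__ == "__main__":
    # Constructed sample: a file that only shares a name with a listed indicator.
    for f in match_indicators({"C:\\Users\\ops\\Downloads\\PsExec.exe": b"constructed sample bytes"}):
        print(f)
```

A name-only hit on PsExec.exe or Firefox.exe should open a triage question (who installed it, when, from where), not an alert by itself.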
Pipeline Operations and Systems

Pipeline Operations Are Heavily Automated

• Each valve, pump station and tank farm will have computerized devices like PLCs, RTUs and Modbus gateways to read sensors and provide closed-loop control
• Midstream companies use what is called Supervisory Control and Data Acquisition (SCADA) in their control centers for control and monitoring

Commercial Business and Operations Are Tied

• Transportation Service Providers (TSPs) automated the business processes behind pipeline operations
• TSPs use fully integrated on-premises or cloud-based solutions to monitor quantities, schedule quantities and invoice customers

Cyber Risk Mitigation
What are the risks?
• Most OT systems take advantage of network connectivity, but increased connectivity exposes your operations to the threat of attack.
• These connections offer more ways to penetrate your defences and more ways to remotely take control of your operations.
• Unfortunately, the more network visibility and control you have, the more that you could potentially surrender to a cyber attacker.

This is what you can do:

Network Monitoring and Alerts
• Monitor OT and IT networks remotely 24/7/365
• Utilize advanced technology designed specifically for OT networks
• Access threat detection analysts to reduce false positives and increase accuracy

Asset Management
• Detect rogue devices plugged into foreign networks
• Integrate asset inventory planning using protected data

Vulnerability Management
• Prioritize resources based on risk and vulnerability
• Identify outdated operating systems, firmware, software updates and patches
• Enhance vulnerability management with accurate risk ratings

Configuration Management
• Detect changes made to industrial control devices, including Programmable Logic Controllers (PLC)
• Log information conveniently with Management of Change (MOC) documentation
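The Configuration Management column above describes detecting changes to PLCs and tying them to Management of Change (MOC) records. As an added illustration (not either firm's tooling), the Python below diffs a baseline device snapshot against a current one and marks each change authorized only when an MOC ticket for that device covers the time the change was observed; the device name, configuration keys, timestamps and ticket are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class MocTicket:
    """An approved Management of Change record: which device may change, and when."""
    ticket: str
    device: str
    start: datetime
    end: datetime


def diff_config(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Key-by-key differences between a baseline snapshot and the current one (added, removed or changed)."""
    keys = sorted(set(baseline) | set(current))
    return {k: (baseline.get(k), current.get(k)) for k in keys if baseline.get(k) != current.get(k)}


def review_changes(device: str, observed_at: datetime, baseline: Dict[str, str],
                   current: Dict[str, str], tickets: List[MocTicket]) -> List[dict]:
    """One record per changed key; 'authorized' only if an MOC ticket for this device
    covers observed_at, otherwise 'UNAUTHORIZED' so it can be escalated."""
    covering = [t.ticket for t in tickets
                if t.device == device and t.start <= observed_at <= t.end]
    return [{"device": device, "key": key, "old": old, "new": new,
             "status": "authorized" if covering else "UNAUTHORIZED",
             "moc": covering[0] if covering else None}
            for key, (old, new) in diff_config(baseline, current).items()]


# Constructed sample data: hypothetical pump-station PLC, keys and MOC ticket.
BASELINE = {"firmware": "2.3.1", "program_checksum": "a1b2c3", "remote_write": "disabled", "max_setpoint_psi": "900"}
CURRENT = {"firmware": "2.3.1", "program_checksum": "9f8e7d", "remote_write": "enabled", "max_setpoint_psi": "900"}
TICKETS = [MocTicket("MOC-2021-0412", "PLC-PS-07", datetime(2021, 5, 20, 8), datetime(2021, 5, 20, 12))]
OBSERVED_IN_WINDOW = datetime(2021, 5, 20, 9)       # inside the approved window
OBSERVED_AFTER_HOURS = datetime(2021, 5, 20, 23, 15)  # no ticket covers this time

if __name__ == "__main__":
    for rec in review_changes("PLC-PS-07", OBSERVED_AFTER_HOURS, BASELINE, CURRENT, TICKETS):
        print(rec)
```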

Additional Resources

MTSA Cyber Workshop: Complying with U.S. Coast Guard Regulations [June 23, 2021 Webinar]
Cyber Risk Management Advisory for Critical Infrastructure Worldwide [Press Release]
OT Cybersecurity: How to Evolve Faster Than Cyber Criminals [On-Demand Webinar]

Subscribe to Our Podcast:

EPISODE 13
The Casualties of Cyber War:
Exploring the Colonial Pipeline Shutdown

EPISODE 12
Cyber in the Supply Chain: When Things
Go Wrong

-- Search Risk Matters X.0 on Spotify, Apple or Google Podcasts --

Thank You

Dennis Hackney, Ph.D., CISSP, CMMC RP
Head of Industrial Cybersecurity Services Development
dhackney@absconsulting.com
www.abs-group.com

Kyriakos “Rock” Lambros
CEO and Founder
rock@rockcyber.com
www.rockcyber.com
