With ransomware attacks continuing to target the nation’s critical infrastructure, the Biden administration is planning more targeted efforts with the private sector to help companies protect their operational control systems from these kinds of potentially crippling malware, a senior administration official said on Monday.
The Department of Energy in mid-April began a 100-day cyber sprint focused on strengthening the cybersecurity of electric utilities’ industrial control systems, which are responsible for getting electricity to customers. The White House said then that there would be additional cyber sprints targeting “multiple critical infrastructure sectors” but didn’t identify them.
The sprint around the electric utilities will be followed with cyber sprints with natural gas pipelines, water and other critical infrastructures, Anne Neuberger, deputy national security advisor for Cyber and Emerging Technologies on the National Security Council, said during the daily White House press briefing.
Neuberger’s appearance at the briefing followed the disclosure on Saturday by Georgia-based Colonial Pipeline Company that it suffered a cybersecurity attack and “proactively” shut down certain systems to “contain the threat.” The company has hired a cybersecurity firm that is investigating the incident.
Colonial Pipeline transfers refined fuel products to customers along the East Coast and Mid-Atlantic regions of the U.S. On Monday, the company said segments of its pipeline are being brought back online in a “stepwise fashion” and that it expects operations to be completely restored by the end of this week.
Neuberger said the ransomware used in the Colonial Pipeline attack is the Darkside variant, which the FBI has been investigating since last October. She also described the particular malware as “ransomware as a service variant where criminal affiliates conduct attacks and share the proceeds with the ransomware developers.”
Asked by one reporter during the media briefing what advice the administration has for victims of ransomware, Neuberger responded that, “The first and most important advice is secure your systems.” She pointed out that the Darkside variant is “known,” adding that the “FBI has investigated many cases of this in the past.”
Known indicators of compromise, which identify the specific malware code used by attackers, are distributed by the U.S. government and other entities in the cybersecurity ecosystem so that defenses can quickly be put in place against previously used malware.
In a ransomware attack, the perpetrators typically encrypt important data and offer to free it up once a ransom is paid. Increasingly, criminal organizations using ransomware are also stealing data and threatening to release it if the ransom isn’t paid, giving them more leverage against the victim.
In addition to the upcoming sprints targeting various critical infrastructure sectors, Neuberger said that the administration is taking the threat of ransomware “seriously,” adding that the federal government is available to work with the private sector in supporting its efforts to boost cybersecurity. So far, Colonial Pipeline hasn’t asked the federal government for help responding to the latest incident.
Neuberger said the government is “working to disrupt ransomware infrastructure,” highlighting the FBI’s recent work with international partners in disrupting the Emotet and Netwalker variants. She also pointed out that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is conducting its own cyber sprint focused on countering ransomware attacks on small and medium-sized businesses.
She also said the administration is pursuing “greater international cooperation” to combat ransomware, noting that it is a global concern.
“Transnational criminals are most often the perpetrators of these crimes and they often leverage global infrastructure and global money laundering network,” Neuberger said.
Taking aim at industrial control systems, also called operational technology (OT), goes beyond the threat of holding an entity’s sensitive data hostage to putting at risk the population and economy of a locality or region served by a particular critical infrastructure, in this case fuel pipelines.
John Cofrancesco, vice president for Government at Fortress Information Security, told Defense Daily that overall, security around operational technology in the U.S. is “weak” and “is encouraging adversaries to take advantage.”
Commenting on the Colonial Pipeline incident, Cofrancesco said that “If we are going to stop these types of attacks, we have to begin to take a serious look at the supply chain of every asset that goes into our critical infrastructure. Whatever weaknesses these guys used, they almost certainly could have been secured if the supply chain of the assets had been thoroughly analyzed. We will never be able to get rid of every vulnerability, but we could substantially reduce the aperture by which the bad guys can get in by looking before something gets into the OT architecture.”
In response to the Colonial Pipeline incident, Neuberger said the government is bringing together stakeholders, including state and local governments, to ensure information is being shared quickly so that entities can protect themselves.