Cyber catastrophe, meet enterprise ransomware - How the Colonial Pipeline attack underscores the potential for criminals to cause large-scale losses
The recent double-extortion ransomware attack on Colonial Pipeline has once again brought enterprise ransomware into the spotlight for cyber underwriters and cyber risk aggregation modelers.
What started as an easy-money ransomware attack on one company turned into something far greater. The attackers, known as DarkSide, inadvertently took down 5,500 miles of critical US oil pipeline infrastructure. DarkSide, a financially motivated ransomware-as-a-service gang, apologized for the "social consequences" of the attack.
One week of downtime and a $5 million ransom payment later, Colonial Pipeline said its systems were back up and running at full capacity. However, before Colonial Pipeline restored its systems, thousands of gas stations ran out of gas as panic buyers rushed to fill up. State governors in Florida, Georgia, North Carolina, and Virginia implemented states of emergency due to gasoline shortages.
The attack underscores the rising need for underwriters to assess basic cyber hygiene alongside threat specific risks such as ransomware for organizations of all sizes across industries. The attack also calls attention to the risk of widespread contingent business interruption as a result of cyber attacks, and the attack is an example of accumulation risk due to cyber attacks on single point of failure (SPoF) technologies and companies.
Below, we provide the key details around the Colonial Pipeline attack that matter to (re)insurers. We also look into the top cyber security and (re)insurance takeaways.
Colonial Pipeline is a company with operations that are key to the economic health of the United States. The company's pipelines carry gas and other essential fuels, such as jet fuel and even cooking oil, from Texas to the Northeast. Overall, the company delivers roughly 45% of all fuel consumed on the US East Coast, including New York City. Colonial Pipeline also serves airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic.
On 7th May 2021, when Colonial Pipeline learned it was hit with a ransomware attack, the company responded by shutting down its entire pipeline operation as a precaution while the impact and technical detail of the attack were investigated further.
DarkSide reportedly took nearly 100 gigabytes of data out of Colonial's network in just two hours before encrypting the company's data and leaving a ransom note threatening to release the company's data if no payment was made.
The primary impact of the attack is on Colonial Pipeline and its shareholders. The company will suffer losses due to the breach of its data, a $5 million ransom payment, as well as lost revenue due to unexpected downtime for its pipeline operations. Colonial Pipeline could also suffer reputational damage as a result of the attack, especially if the company is found to be negligent in cyber security.
Cyber hygiene and ransomware risk at Colonial Pipeline
Prior to the attack, CyberCube's single-risk underwriting solution, Account Manager, flagged several high-risk signals for Colonial Pipeline including RDP Open Ports and Malware Infections.
An (re)insurer licensing Account Manager would have been well-positioned to surface high-risk signals that provide an indication of Colonial's susceptibility to cyber attack.
CyberCube observed high-risk RDP Open Ports on Colonial Pipeline's network prior to the ransomware attack. RDP stands for Remote Desktop Protocol and is denoted by TCP Port 3389, a Microsoft Protocol that allows a user's device to remotely connect to another computer. An RDP Port is commonly used as an entry point for a ransomware attack through methods such as brute force attacks to logins, credential stuffing, stolen credential utilization, or other means if a vulnerability exists.
The percentile rank above for Colonial Pipeline's Open RDP Ports denotes the count of Open RDP Ports relative to Colonial's peers in the same industry. Higher percentiles are better. A rank in the 12th percentile means that 88% of Colonial's peers score better.
CyberCube observed a malware infection on Colonial Pipeline's network named "trojan.win32.razy.gen". A Malware Infection is evidence of malware which is found on a company device. The presence of an infection indicates an attacker has a foothold in company infrastructure. Its presence demonstrates that a threat actor was or is still interested in attacking the company. The malware observed on Colonial Pipeline's network prior to the attack is primarily associated with cryptocurrency mining. However, once launched, it might alter Windows OS settings, drain a computer's CPU, corrupt files, gather personal data, record keystrokes, and even provide remote access. With a Malware Infection ranking in the 6th percentile, Colonial Pipeline fares among the worst of its peers when it comes to remediating attacker activities and payloads in its network.
CyberCube's technology dependency database also points to cyber hygiene risks for Colonial Pipeline. In 2021, Colonial Pipeline is using the entire Microsoft suite of products, which likely includes vulnerable Microsoft Exchange servers. We know that in November 2020, Colonial was also running the vulnerable SolarWinds product Orion.
CyberCube also flagged suspicious outbound internet traffic from Colonial Pipeline in early 2021, related to dark web activity. CyberCube also observed outdated web browsers and use of the vulnerable Microsoft OS Windows 7 at Colonial Pipeline.
Top three (re)insurance takeaways
(Re)insurers can gather at least three key takeaways from the attack. These include:
(1) The importance of assessing contingent business interruption risk
Outside of the impacts that will be felt by Colonial Pipeline and its shareholders; US fuel consumers ranging from individuals with travel plans to corporations that are dependent on fuel also suffered losses. The event calls to attention the increased importance of identifying and calculating companies' exposure to contingent business interruption risk due to cyber attacks. For example, airlines that rely on Colonial Pipeline to deliver fuel were at risk of unplanned downtime due to an attack on their key supplier. On the other side of the supply chain, oil producers were feeling the impact of Colonial's shutdown. According to the Financial Times, the interruption left some Gulf coast refineries without an outlet to offload their oil, forcing them to cut production by up to 500,000 barrels a day.
(2) The importance of assessing accumulation risk for cyber attacks on SPoF
Colonial Pipeline is one type of a single-point-of-failure (SPoF). Colonial's operations connect to 30 different oil refineries and nearly 300 fuel distribution terminals throughout the United States. Thousands of gas stations, consumers, and hundreds of companies including mass-transit hubs such as airports and more, rely on Colonials to deliver fuel. All of this interconnectivity in the US energy supply-chain means that when one key supplier like Colonial Pipeline suffers downtime many other entities suffer as a result.
(3) The importance of modelling accumulation risk for oil infrastructure attacks
CyberCube Portfolio Manager can help (re)insurers assess accumulation risk specifically related to the disruption of a leading mobile offshore oil rig manager. Our realistic disaster scenario is related to the Colonial Pipeline attack in several ways.
Specifically, we can help (re)insurers model an event in which a nation-state threat actor develops malware targeting security flaws in programmable logic controllers (PLCs) used extensively in the control systems of mobile offshore drilling units (MODUs).
Comparing this scenario to the Colonial Pipeline attack we can see that both are cyber attacks causing business interruption impacts to the oil and gas industry. In both, targeted malware is the general cause of the incident. We model an outage time of one or more weeks, and the Colonial pipeline outage lasted approximately one week. Both have expected cost components of lost revenue, detection and escalation costs, additional expenditure and demand surge, and legal liability, etc.
What's next for ransomware and cyber catastrophe modelling?
While we have yet to see a true accumulation catastrophe event in cybersecurity, the writing is on the wall, and recent attacks like Colonial Pipeline are an indication of what is to come next.
Enterprise ransomware threat actors are targeting SPoF cloud computing technologies. For example, the latest iteration of the DarkSide ransomware that hit Colonial Pipeline includes the ability to target Linux machines including ESXi hypervisor systems specifically. ESXi is a Type-1 hypervisor (aka a "bare-metal" hypervisor) developed by VMware. A hypervisor is software that runs and manages virtual machines (VMs). Targeting VMs gives attackers a single-point of attack to incentivize max payouts. Note, VMware holds an overwhelming majority of the worldwide virtual machine market share.
It should now be abundantly clear to insurance industry stakeholders that cyber attacks with catastrophic scope (and the potential for catastrophic losses) are possible. In the last six years, there have been incidents which have highlighted that the issue is no longer a theoretical possibility — it's an urgent concern. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is a prerequisite and a necessity for all (re)insurers.
Only accumulation management programs that can adequately model SPoF, and assess SPoF related contingent business interruption, will be poised to compete in the new cyber threat landscape.