New cybersecurity requirements issued for Colonial, other pipeline operators

New federal cybersecurity requirements for U.S. pipeline operators were issued Tuesday by the Department of Homeland Security after a devastating ransomware attack struck metro Atlanta’s Colonial Pipeline in May.

The department is now requiring operators of federally designated critical pipelines to implement “specific mitigation measures” to prevent ransomware attacks. Operators must also implement contingency plans and conduct what the department calls a “cybersecurity architecture design review,” according to the Associated Press.

Colonial Pipeline Reportedly Paid Nearly $5 Million in Ransom to Hackers.According to Bloomberg, Colonial Pipeline Co. paid the ransom in difficult-to-trace cryptocurrency within hours after the attack, .which contradicts earlier reports that the company had no intention of paying any extortion fee.The hackers, which the FBI said are linked to a group called DarkSide located in either Russia or Eastern Europe, specialize in digital extortion.A source familiar with the company’s efforts stated the hackers provided a decrypting tool upon receiving the payment, .though the tool operated so slowly that Colonial continued using its own system to restore operations.Colonial said it began to resume fuel shipments Wednesday evening

Colonial Pipeline has already been hit with at least two lawsuits for negligence following the cyberattack that left fuel shortages and long gas-station lines throughout the Southeast.

EZ Mart 1, a Wilmington, North Carolina, gas station and convenience store, is alleging Colonial Pipeline Company’s negligent management led to last month’s fuel shortage after Russian hackers locked up the company’s computer systems.

The complaint, which was announced by the law firm of Morgan & Morgan, alleges Colonial failed to adequately safeguard its pipeline’s computer systems, leading to a breach on April 29 and a subsequent successful ransomware attack.

“EZ Mart 1 and other similarly situated gas stations allegedly suffered significant monetary losses during and after the five days that passed before the company restarted the gas pipeline,” Morgan & Morgan said in a statement.

The hackers didn’t take control of pipeline operations, but the Alpharetta-based company shut it down to prevent malware from affecting industrial control systems.

Colonial is also facing another lawsuit, this one filed May 18 in the U.S. District Court for the Northern District of Georgia. Plaintiff Ramon Dickerson said the company breached its duty to employ industry security standards which resulted in system outages that harmed consumers by raising prices at the pump.

On June 7, U.S. investigators announced they had recovered most of the ransom paid to the Russian-based hackers known as DarkSide by Colonial Pipeline.

In June, Colonial CEO Joseph Blount told Congress the hackers infiltrated the company’s IT systems through a legacy VPN system that was not intended to be in use.

“We are deeply sorry for the impact that this attack had,” Blount told Congress. “We quietly and quickly worked with law enforcement in this matter from the start, which may have helped lead to the substantial recovery of funds recently announced by U.S. Department of Justice.”

The company decided soon after the attack to pay ransom of 75 bitcoin, then valued at roughly $4.4 million. Though the FBI has historically discouraged ransomware payments for fear of encouraging cyberattacks, Colonial officials have said they saw the transaction as necessary to resume the vital fuel transport business as rapidly as possible.

Blount told Congress the company was in the process of accepting a TSA offer for a comprehensive cybersecurity review when the pandemic struck.

Ransomware attacks — in which hackers encrypt a victim organization’s data and demand a hefty sum for returning the information — have flourished across the globe. Last year was the costliest on record for such attacks. Hackers have targeted vital industries, as well as hospitals and police departments.

Weeks after the Colonial Pipeline attack, a ransomware attack attributed to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months, disrupted production at Brazil’s JBS SA, the world’s largest meat processing company.

The ransomware business has evolved into a highly compartmentalized racket, with labor divided among the provider of the software that locks data, ransom negotiators, hackers who break into targeted networks, hackers skilled at moving undetected through those systems and exfiltrating sensitive data — and even call centers in India employed to threaten people whose data was stolen to pressure for extortion payments.