Colonial Pipeline partial ransom recovered?

If YOU ran one of those agencies and had budgetary control, wouldn’t YOU make sure of it? I sure would.

Oh yeah. Can you think of a single nefarious underworld tool that isn’t exploited by government? I can’t. Besides, the line between government agents and criminals can get blurry. But in this case I’m in for the FBI a hundred percent. That shutdown impacted me personally quite a bit. I want them to catch and fry the bastards.

They did do us the favor of exposing how vulnerable we are, though, although I won’t hold my breath waiting for redundant pipelines to be built.
 
They did do us the favor of exposing how vulnerable we are, though, although I won’t hold my breath waiting for redundant pipelines to be built.
Redundant pipelines, fine. But even a single pipeline managed by a company that can run their systems without getting their digital pants pulled down would be just as good, right now.
 
@Rushie makes some good points. Cyber security in this country is extremely vulnerable. If these hackers could interfere with the colonial pipeline, what else can they manage to get into? More than we realize… It’s a big, big flaw that needs attention!
 
@Rushie makes some good points. Cyber security in this country is extremely vulnerable. If these hackers could interfere with the colonial pipeline, what else can they manage to get into? More than we realize… It’s a big, big flaw that needs attention!
Cyber security does not pay. It makes it harder for people to do their jobs. As long as there is no jail time, the executives have no real incentive to ensure cyber security is implemented or accept the cost. Only companies whose livelihood depends on trust have done anything about it. E.g. Visa, MC, AmEx all felt the pressure and came up with PCI-DSS to avoid federal regulations. But as a general rule, companies are proving they can survive and there is no downside to running risky.

Tim

Sent from my HD1907 using Tapatalk
 
Cyber security does not pay. It makes it harder for people to do their jobs. As long as there is no jail time, the executives have no real incentive to ensure cyber security is implemented or accept the cost. Only companies whose livelihood depends on trust have done anything about it. E.g. Visa, MC, AmEx all felt the pressure and came up with PCI-DSS to avoid federal regulations. But as a general rule, companies are proving they can survive and there is no downside to running risky.
I have to disagree, almost completely. "Almost" because, yes, it most certainly DOES make it more difficult for people to do their jobs, just like locked display cases and anti-theft devices in retail stores do. But there is a huge incentive to employ security measures even without jail time. It's called staying in business. If you leave your operation vulnerable, it most likely will eventually get burned to the ground and everything you have will be stolen... along with everything with which your customers have entrusted you. It's a great way to ruin your reputation and end up going out of business.

So why do so many companies NOT do what they should be doing? For the most part it's a combination of ignorance, incompetence, false economy, and overconfidence. They don't know what they should be doing. They don't hire the people they need and pay them what they need to in order to do what needs to be done. They think they won't be the target of an attack.

I'm coming from one of the most highly regulated environments (a very large financial institution) that spends hundreds of millions every year on security. Information security is deeply ingrained and yes, it makes it a real pain in the rump to get anything done. Some of that was brought on by regulatory requirements, but a lot is simply done to keep us from looking like complete idiots by getting invaded by one of the thousands of break-in attempts our info security teams see every single day.

And I'm about to go to a very small business that has, at present, close to zero regulatory oversight. I know that's going to change, but even if it weren't... if this business is going to survive its infancy, it has to grow up wearing full body armor (covered with poison-dipped porcupine quills) and armed to the teeth, figuratively speaking. A fair amount of my time and energy will be spent trying to protect and defend the company's systems against attacks, and more importantly, making sure that when an attack is successful, we can brush it off and resume normal operations again.

Of course we have an advantage over a lot of companies. We're starting as an all digital, all on line entity, and have the opportunity to do it right (albeit at higher cost) from the start. I do not envy existing older companies that have added on-line presence and capabilities over the years (like our unfortunate pipeline friends) and have needed to adapt and change constantly to handle new threats. It's got to be tough to convince corporate management that info security is as important as it really is, and that it's getting more important and more challenging (and therefore more expensive) year after year. You have to convince people that they need to spend more money this year than last year, and even more next year than this year, to prevent something that hasn't happened and, if you're diligent enough and lucky enough, may never happen. I'll bet Colonial Pipeline's info sec budget just got its decimal point moved, and hopefully it will serve as an example to a lot of other companies... but not enough of them, I guarantee it.
 
It's called reputational risk. Most companies and executives understand physical risks (your product injures someone, you get sued)... But far fewer understand "reputational risk". They understand business interruption and insure for that - I'd expect that to come into play for Colonial.

In the financial world, reputation is far better understood than in the online marketplace/brick and mortar world.... Trust is the basis of financial business. Government/military contracting - it's both understood and mandated. In other businesses, reputation doesn't mean nearly as much, in part because folks realize that privacy was lost long ago. Companies like Facebook, Google, Amazon give lip service to reputation because - where else are you going to go??? Car dealers are in a similar category.

Until company executives understand and care about reputational risk, OR until they have to pay both direct and consequential damages, there's going to be less emphasis on true network security than there should be.
 
CIOs and CSOs tend to get fired after a big, public breach. So they are certainly motivated to put in place the best security they can. But that doesn't necessarily mean they are given the budget to do so.
 
@DaleB

You are discussing reputational risk.

FinTech only has PCI-DSS because the Senate and House started to have congressional hearings and inviting the heads of banks, Visa and MC.
FinCEN, with the associated AML and bank laws, were all offshoots of this, with PCI-DSS blunting the vast majority of the proposed cyber security laws.

I may disagree with many aspects of PCI-DSS, but it has done wonders for reducing the regulatory risk to the FinTech industry.

However, look at the Capital One breach a few years ago. What was the impact? What was the impact to FB? Google had one a few months ago, what was the impact? What has happened to Apple with all the iCloud breaches? What has happened to all the virus software which makes it into the Apple Store?

So far, only industries which are tightly regulated or threatened with tight regulations have treated cyber security with respect. Otherwise, it is lip service at best.

I say all this as a consultant who designs and fixes large applications to meet PCI-DSS, FISMA or DoD security requirements. I have been doing this for over thirty years, and bouncing between federal and commercial consulting.

Tim

Sent from my HD1907 using Tapatalk
 
CIOs and CSOs tend to get fired after a big, public breach. So they are certainly motivated to put in place the best security they can. But that doesn't necessarily mean they are given the budget to do so.
I haven't seen any fired in any of the recent ransomware stuff. The pipeline put up a job posting but they looked more like they never had one to begin with. Unless you've got a link...?

Maybe this happened in the 90s and early 2000s but they just wave their hands and say "complex threat" nowadays and aren't replaced.

Mostly because they're right. It's impossible to protect the combo of bad OS security and bad browser security if the machines are ever allowed to wander freely in the internet cesspool. There's no effective protection for that. There's stuff that can catch yesterday's bugs but not all the zero days.

All zero day really means is: We wrote crap software. Like everybody else.

But I haven't seen many CISOs fired in forever. Not common.

Ours is leased. "Firing" him would just mean we don't renew a contract and he continues working on multiple other places. They wouldn't drop him just because we did. They probably wouldn't even know we did.
 
So far, only industries which are tightly regulated or threatened with tight regulations have treated cyber security with respect. Otherwise, it is lip service at best.

And even the tightly regulated ones in our sector have now started telling regulators that it doesn't matter how tightly regulated they are, or how much they spend on it...

A direct quote from one of a handful of enormous companies in one of our business spaces to a federal regulator...

"It doesn't matter if I hire 20 or 30 more security people, and everyone here knows what that costs... Up against a nation-state, I lose every time."

He's right. And it goes 100x for those of us smaller than him. In true cyber espionage or "warfare", we're owned in days if not minutes. He might last a month. If he's lucky.

I know you know this but I don't think the average person does. The pipeline wasn't even a nation-state attack... Nor was Garmin... Or most of the banking things mentioned here.*

* Unless maybe you count black market funding of criminal groups or simply looking the other way inside your country's criminal regulatory systems. Arms-length and all that jazz...

Even the largest outages and such so far have just been criminal phishing campaigns that kicked them off... Awareness and training help but aren't a true fix for a world that generally trusts email for business and doesn't pick up a phone much.

Out of all of the official requests for info I've seen from fiscal, medical, DOT, DOD, and Elections customers guess which two questions I've never seen on documents with up to 200 security and auditor questions...

1. How many dedicated security staff do you employ?

2. How many hours per year does your staff spend working on security projects directly?

The answers to those would be enlightening wouldn't they? **

** Assuming organizations would even answer them and not say "That's none of your business..."

Enlightening or not though, it ultimately doesn't work anyway. Not for the long term. Only air gaps and physical security truly work for years at a time. Every software layer from the drivers up, always has holes. A dedicated attacker will exploit them.

The security industry is doing a lot of hand waving at the software supply side threat after SolarWinds. There are very few businesses who can afford what it would take to truly defend against that.

We got some dumb "alerts" that there's two Russians working for a company we use for their... Text editor. Not criminals, just two Russians.

Yeah, like I care... Thanks for the warning, DHS. Lol. Yes. It was DHS.

Did they get a tip of criminal activity from some other Intel branch but can't say? Hell if I know.

But we aren't swapping out our developer's favorite text editor for "there's two Russians working in a team of 100 developers on that editor."

More like "thanks for the laugh"...
 
@denverpilot

And here I thought I was a cynic. :)
Against nation states, yeah. Basically impossible, but in that case the focus should be mitigation and recovery. Often overlooked aspects of cyber security.

With that said, I have built systems that have passed audits and white hat hacker attempts hired by federal agencies. It can be done, just damn difficult, and requires extensive planning and acceptance of certain losses (e.g. some level of information loss on workstations).

Tim

Sent from my HD1907 using Tapatalk
 
@denverpilot

And here I thought I was a cynic. :)
Against nation states, yeah. Basically impossible, but in that case the focus should be mitigation and recovery. Often overlooked aspects of cyber security.

With that said, I have built systems that have passed audits and white hat hacker attempts hired by federal agencies. It can be done, just damn difficult, and requires extensive planning and acceptance of certain losses (e.g. some level of information loss on workstations).

Tim

Sent from my HD1907 using Tapatalk
Heh. You're exactly right.

The cynicism probably began some time around us becoming tangentially involved in stuff DHS is (rightly) interested in and we have an IT staff of three.

If others in our space have 20-30 dedicated security staff and we have three "catch as catch can" staff wearing six hats... Simply a reality at our size...

We're baked if someone actually goes after us.

And nation-states are interested in the stuff one of our six businesses does.

Do they really care about our piece of it or could they gain anything from messing with us? Hell if I know.

I'm just the guy having the hallway conversation with the Accountant ...

"Man, this security stuff is expensive. I told the bosses it's killing us."

"Our customers have a 30 to 1 ratio of full time security staff to us. They expect certain things they've been doing for decades. We don't even have a single full timer."

Are we really dying? No. I expect accountants to do that job of whining about costs consistently or I would wonder if they're doing their jobs.

As far as our part in it, like my boss said ... "We do whatever they want to pay for, and tell them the risks."

It's very similar to the other thread on mechanics. Our bosses don't know much about system security but the regulators say they're in charge of doing it. They delegate to me, and I've done it at much bigger places with budgets capable of supporting it. I say, "Here's the next thing you should do and it'll take a year and cost X."

Unless a regulator forces it, they're stuck knowing we recommended it and their customers won't pay for it. Their customers just think it probably is getting done. If we hand them a paper that says we passed any particular audit, maybe they like it maybe they don't.

What they want done will change next week with the new list of zero day announcements. It'll be on next year's checklists and by then the zero day flaws are completely different.

The software biz has never truly told the customer how expensive it is to build software right in most sectors. Nor priced it correctly.

A staff member took all six of our companies offline this week. He had legitimate but poorly intentioned access to something he wasn't trained or qualified on, to get him access to something he needed to do in the same system. I wouldn't have ever given him that access but I was vetoed years ago on that one. Business reasons.

It worked until it didn't. He felt bad. Lots of reports and stuff to say "He shouldn't have had access to things he didn't understand."

Multiply that by millions of people and you have the current state of the industry.

We changed the access and started three significant projects to alleviate someone else accidentally doing it in the future. I'd guess a few hundred man-hours of work as a start. All because someone way above us wanted stuff he does done quicker than a change controlled process would ever allow and didn't get him any training.

There were rumblings of firing the guy. I was the first to say in the meetings that their anger at him was misplaced if they never trained him on what he was doing. And it wasn't a security issue. He was authorized to be in the system he was in. They didn't put proper controls around his work.

That's a security problem but not one that I can fix. They will probably lock him out anyway and make someone else do that work, but he didn't do it maliciously or breach anything.

Still took everything down. And I truly mean everything.

Came up with some stuff where the same mistake would only take down a fraction of the stuff and I'll get that risk partially mitigated through a better design, but he had access to the self destruct button and didn't know it, and pushed it.

Security wise I'm not sure if a dedicated malicious person could have figured out that buried self destruct button was even there but if they got only a small bit of read only access to a workstation and looked, they'd see big hints of it. So ... Could have been far worse.

By the way, all those nice government and private testers who were given that much access without having to even break in to do it, completely missed it. They had the visibility to it and only needed one more step of easy social engineering to exploit it. Easy.

That same industry guy with a huge security team talking to the regulators candidly even mentioned that problem, "There's no standard in pen tests. I can buy a good one or a bad one. You'll accept either one."

The industry is in a really bad spot right now. You have to buy expensive things to meet regulators' desires but the regulators don't set any standards on those things.

The industry group asked the regulators to make recommendations that a national lab take over both the standards and the testing. They want nothing to do with the liability of guarding stuff against bad nation-state actors. They also want nothing to do with their required documents being waved around by politicians with agendas in open hearings.

The really bright guy went so far as to say either set real standards and do the testing you want, or classify the documents such that the politicians can't publish them without approvals that would allow for a reasoned response.

Pretty interesting meeting. He wasn't wrong. None of us has anything to hide but we also know all that paper is ultimately fairly meaningless. The checklists are yesterday's threats. Tomorrow's threat won't be on the expensive checklists. Never are.

Locked the gate after the chickens got out.
 
It's called reputational risk.

@DaleB

You are discussing reputational risk.
Sigh. Yes, I do understand what reputational risk is, thanks. I get my risk management training classes every year, and occasionally a bonus round when they change our corporate training system for the umpteenth time and can't keep track of who's already done what. That said, reputational risk is not what I was talking about. I'm not talking about those morons at huge corporations who screwed up royally, screwed millions of their users, and got away with it without so much as a whimper. They just had minor little thefts of data. Besides, reputational risk is meaningless when your customers are addicts (FB, Google) and you've effectively got a monopoly on their drug of choice.

I'm talking about companies who get owned like CP, but who lack the millions of dollars to pay the ransom. Or the companies who are targeted by fake ransomware -- "Pay us and we'll restore your data" -- but the data is gone; it never was backed up or encrypted, the thieves simply deleted everything and demanded payment for it. Small companies that will quite literally just go out of business if they get hacked and their data is lost. Sorry, we can't rebuild everything from scratch, we just found out our backups (assuming there ever were any in the first place) are useless. Lock the doors, turn out the lights, tell the employees sorry, but they're on their own now.

I suppose one could argue that if they don't have a business continuity plan, tested and verified, and offsite replication of data to an immutable repository that maybe they don't deserve to survive. Like a shop in NYC that doesn't bother to install security bars on the windows, or whatever other example you like. But there are tens of thousands of small companies in this country that can't really afford top notch help, let alone top notch systems, and for every @tspear or me or whomever there is out there that could help them, there are hundreds of incompetent twits who will be happy to bleed them dry while not providing anything of real value. Since IT is not among their core competencies, they don't know how to sort the wheat from the chaff -- assuming they even thought to look in the first place.
 
This is coming from a guy whose computer knowledge ended with MS-DOS 1.0. Would the pipeline co. breach have been prevented if their code (not the data channels, but the command-and-control code) had been embedded in ROM? Is that even possible or close to feasible these days?
 
This is coming from a guy whose computer knowledge ended with MS-DOS 1.0. Would the pipeline co. breach have been prevented if their code (not the data channels, but the command-and-control code) had been embedded in ROM? Is that even possible or close to feasible these days?
It was the billing system that got hacked. Nothing to do with the actual control room stuff.
 
It was the billing system that got hacked. Nothing to do with the actual control room stuff.
If only they had hit the executive compensation files then I wouldn't feel as sorry for the victims...
 
If only they had hit the executive compensation files then I wouldn't feel as sorry for the victims...
Not sure how knowing the compensation packages of a privately held company gets a competitor's pipe in the ground so there's an actual workable backup plan.

Looks like the Harvard whiz kid running Colonial made about $2M a year at the last place before he went into private ownership, if that helps.

I don't see how it would. No backup pipe is no backup pipe.

The public hasn't wanted backup pipes for nearly 50 years. Nor refineries. They didn't want them when the company I worked for in the early 90s applied to build them.

Got exactly what they wanted.

Not holding my breath waiting to see the protestors marching that they want a second pipeline and refinery infrastructure to stop it from happening again. Ha.

Dude's getting paid either way.
 
Not holding my breath waiting to see the protestors marching that they want a second pipeline and refinery infrastructure to stop it from happening again. Ha.

I’m convinced most of the general public can’t see the connection between the oil and gas industry in Texas and what comes out of the nozzle that they put in their car.
 
Not sure how knowing the compensation packages of a privately held company gets a competitor's pipe in the ground so there's an actual workable backup plan.

Looks like the Harvard whiz kid running Colonial made about $2M a year at the last place before he went into private ownership, if that helps.

I don't see how it would. No backup pipe is no backup pipe.

The public hasn't wanted backup pipes for nearly 50 years. Nor refineries. They didn't want them when the company I worked for in the early 90s applied to build them.

Got exactly what they wanted.

Not holding my breath waiting to see the protestors marching that they want a second pipeline and refinery infrastructure to stop it from happening again. Ha.

Dude's getting paid either way.

P=pipeline
x=number of pipelines
H=computer hijacking
R=ransom$
R=HP(x)
 
I’m convinced most of the general public can’t see the connection between the oil and gas industry in Texas and what comes out of the nozzle that they put in their car.

Completely agree. Nor do they see the connection between oil and gas, or hydro or coal industries and "I just plug my e-car into the outlet and it charges for free ... it's magic"
 
In Higher Ed where I work, the cyber insurance companies are making it almost impossible to get cyber insurance now. They changed all the rules just before renewal and nobody has time to implement what they are asking for before they cancel the contracts. In my state they can't raise rates without notice so what do the insurance companies do? Just cancel everyone every year.

I used to lose sleep over the possibility of a breach figuring I would be the sacrificial lamb but anymore that doesn't happen very much. The reality is we can do all the hardening in the world but if a staff or faculty member willingly gives up their credentials we could be screwed. If I do get fired maybe I will get a job pumping gas at the local airport. :biggrin:

As far as the pipeline I wouldn't be surprised if the whole thing was orchestrated by the FBI. They recovered all of the money gave the customer part back and paid for their operation with the rest. :stirpot:
 
The public hasn't wanted backup pipes for nearly 50 years. Nor refineries. They didn't want them when the company I worked for in the early 90s applied to build them.

Should that one pipeline be permanently compromised life would get difficult for many people.
 
Should that one pipeline be permanently compromised life would get difficult for many people.

Why would a backup pipeline help? Wasn't it the billing and accounting system that was hacked?
 
Why would a backup pipeline help? Wasn't it the billing and accounting system that was hacked?

More of a general comment about pipelines in general. Everyone wants energy, many don't want additional ways of transporting energy.

Transporting energy by dirty locomotive and tractor trailers is considered green yet transporting energy by clean pipeline is considered dirty. Go figure.
 
I’m convinced most of the general public can’t see the connection between the oil and gas industry in Texas and what comes out of the nozzle that they put in their car.

Yeah. May be most. But it became a whole lot more when a certain oil dude was appointed as Secretary of State.
 
Why would a backup pipeline help? Wasn't it the billing and accounting system that was hacked?

I was thinking it should be a whole different company with separate computer systems, not just CP having two pipes.
 
I’m convinced most of the general public can’t see the connection between the oil and gas industry in Texas and what comes out of the nozzle that they put in their car.

I'm in Texas, lived here forever and don't understand this myself living in El Paso:

1. I'm physically 3 hours away from the rigs driving time
2. We have multiple refineries in our town
3. We have multiple pipelines in both directions

Yet, given the above, our fuel prices DESPITE those refineries are HIGHER than Austin which is further and has no refineries ...
 
I'm in Texas, lived here forever and don't understand this myself living in El Paso:
Yet, given the above, our fuel prices DESPITE those refineries are HIGHER than Austin which is further and has no refineries ...
In general, not all refineries produce finished gasoline and all retail gasoline prices are set by independent suppliers. There is no direct relation between the refinery and the gas pump in most situations. Even those cities that host some of the largest finished gasoline refineries or gasoline blending facilities do not enjoy the cheapest gasoline retail prices for the same reasons. Supplier volume, supply routes, gasoline blends, local taxes, customer demand, etc. all play into the regional difference in prices regardless of whether there are refineries nearby.
 
I'm in Texas, lived here forever and don't understand this myself living in El Paso:

1. I'm physically 3 hours away from the rigs driving time
2. We have multiple refineries in our town
3. We have multiple pipelines in both directions

Yet, given the above, our fuel prices DESPITE those refineries are HIGHER than Austin which is further and has no refineries ...

I live a 20 minute drive from the largest oil refinery in North America. Gas prices are pretty low here, or at least were until...
 
I thought I just said that...:):):)

Power lines are cheaper than pipelines, also less prone to environmental disaster if they break.
Also, easier to put up from both regulatory and construction side (regulatory wise, they still suck big time, and people scream NIMBY).

Tim (still too cheap to trade his aging Subaru for an EV)
 
Power lines are cheaper than pipelines, also less prone to environmental disaster if they break.
Also, easier to put up from both regulatory and construction side (regulatory wise, they still suck big time, and people scream NIMBY).

Tim (still too cheap to trade his aging Subaru for an EV)

I’m still driving a 1986 diesel Mercedes. They can pry it from my cold dead hands.
 
Power lines are cheaper than pipelines, also less prone to environmental disaster if they break.
Also, easier to put up from both regulatory and construction side (regulatory wise, they still suck big time, and people scream NIMBY).

Tim (still too cheap to trade his aging Subaru for an EV)

um, electricity isn't the only thing produced from oil...
 
um, electricity isn't the only thing produced from oil...
Based on what I have read in the news, the pipelines provide almost exclusively gas or gas variants used by transportation with some limited amount to power plants.

So I was being cheeky about the debate on switching to an EV; we do not need pipelines for that.

Tim

Sent from my HD1907 using Tapatalk
 
Power lines are cheaper than pipelines, also less prone to environmental disaster if they break.
Also, easier to put up from both regulatory and construction side (regulatory wise, they still suck big time, and people scream NIMBY).

Tim (still too cheap to trade his aging Subaru for an EV)

While that may be true, we will need new larger power plants and the infrastructure to get the coal, oil, and nat gas to the generation sites. The raw energy will still need to be transported.
 
While that may be true, we will need new larger power plants and the infrastructure to get the coal, oil, and nat gas to the generation sites. The raw energy will still need to be transported.

Hmmm.... we need to transport sunlight? :)

Tim (pulling your leg)
 
While that may be true, we will need new larger power plants and the infrastructure to get the coal, oil, and nat gas to the generation sites. The raw energy will still need to be transported.
If the automotive "answer" is electric, the source answer is likely nuclear.

It won't be power lines that will be hard to get the public to approve...
 
Ahh. Heard this one today...

Getting 85% back insinuates a 15% fee to whoever had already owned the group from the inside...

Somebody had the crypto keys and was happy to assist law enforcement for a 15% fee...

Probably someone already working with them from being caught earlier...

Anyway... Plausible...ha.
 
Ahh. Heard this one today...

Getting 85% back insinuates a 15% fee to whoever had already owned the group from the inside...

Somebody had the crypto keys and was happy to assist law enforcement for a 15% fee...

Probably someone already working with them from being caught earlier...

Anyway... Plausible...ha.


No, that’s the 15% minimum corporate tax.....
 