Ransomware Resilience for Pipeline Operators

Authors

  • Vilas Shewale, Independent Cybersecurity Researcher, USA

DOI:

https://doi.org/10.15662/IJEETR.2024.0602010

Keywords:

ransomware, pipeline cybersecurity, recovery, incident response, SEC disclosure, TSA directives

Abstract

The Colonial Pipeline breach in May 2021 made ransomware against pipeline operators a real concern. In the 3 years since the breach, BlackCat, LockBit, the CL0P group with its MOVEit data-theft exploit, Play Ransomware and Akira Ransomware, amongst others, have all attacked pipeline operators. Simultaneously, authorities such as the TSA have issued new requirements, and the SEC's cyber disclosure rule took effect in December 2023. This paper investigates the nature of the ransomware threat today and the anatomy of a ransomware incident impacting a pipeline, and outlines a defense-in-depth architecture based on five essential capabilities: Prevention, Limitation, Detection, Response and Recovery. Finally, it addresses critical issues affecting pipeline ransomware incident response: reliance on manual operational procedures, who is responsible for the ransom payment decision, and the regulatory compliance and reporting deadlines that run in parallel with incident response activities.


Published

2024-04-04

How to Cite

Ransomware Resilience for Pipeline Operators. (2024). International Journal of Engineering & Extended Technologies Research (IJEETR), 6(2), 7863-7868. https://doi.org/10.15662/IJEETR.2024.0602010