Colonial Pipeline attack shows cyber criminals looking at high value targets

The Colonial Pipeline cyber breach has realised the fears of Governments and regulators around the world, but what warnings should infrastructure operators in the UK and Europe heed? The recent ransomware attack on the Colonial Pipeline in the US – the most important fuel artery on the Eastern Seaboard of the US – shows a worrying trend of cyber criminals pursuing high-value targets, and demanding increasingly high ransoms. This ransomware attack has reportedly ricocheted along the supply chain, forcing the pipeline's operators to shut down the main part of its network, suspending fuel deliveries and forcing refiners to engage freight suppliers at inflated cost.

It has realised the fears of Governments and regulators around the world – including the UK and Europe – who have, in recent years, been placing an emphasis on improving and regulating the security of the network and information systems of critical national infrastructure. 

But what warnings should operators heed in the UK and Europe?

• First, network and information systems used to support critical infrastructure are now firmly in the sights of attackers. Not only has the Colonial Pipeline been a target in the last week, but also the Health Service Executive in Ireland, in the critical healthcare sector. The impact of attacks on critical infrastructure and services are clearly offering attackers the significant leverage needed to extort high ransoms.

 

• Secondly, almost all critical infrastructure assets are now digital, and what might look like isolated systems may still be subject to vulnerabilities that can be exploited. Anecdotally, we have heard of situations where systems supporting critical infrastructure, that had been thought to operate on independent networks and systems, were capable of being comprised regardless through other systems.  It has yet come to light exactly how the Colonial Pipeline was breached; but critical infrastructure providers should now, more than ever, be looking into potential vulnerabilities in their networks and systems, and possible links between critical assets and the internet that could be exploited.

 

• Thirdly, being prepared for ransomware attacks is critical.  It is not just a question of having back-ups in place, but sometimes the ability to switch over from impacted systems to other separate network and information systems.  There is not always a sufficient level of redundancy or resilience for network and information systems used to support critical infrastructure assets. 

 

• Fourthly, having in place risk mitigation strategies for ransomware attacks, including appropriate insurance and access to personnel who have the skills necessary to deal with ransomware extortionists is key.  With the publicity given to ransomware payments in recent times, there may well be consequences for firms who are unprepared and pay out ransoms to their attackers.  We're yet to see if the attacks against Colonial Pipeline might be followed by further extortion events depending on what the attackers may have taken control of, or extracted from the systems that they encrypted.

 

• Finally, understand the regulation. Operators of essential services in the UK and Europe will have obligations under Network and Information Security laws to take appropriate technical and organisational measures and, perhaps more importantly, make disclosures to regulators in the event of a security incident. Fines can extend up to £17 million in the UK for certain material contraventions. Given the potential consequences, preventing and responding to cyber attacks should be firmly on the radar for operators of essential services.

Fieldfisher is one of the few UK & European law firms with the specialist legal expertise to advise clients on how to mitigate the risk of cybersecurity, prevent cyber-crime threats and breaches, and deal with them when they occur.

We offer practical legal advice and support, including crisis counselling, drawing from our long and successful track record in the area.

Please contact James Walsh, James Seadon, or Hazel Grant if you would like to discuss your cyber security concerns and processes.