Whatever your sector, ransomware attacks are changing how to think about platform security risk: Action steps
Recent high-profile cybersecurity incidents demonstrate that many companies now face platform security risk – risk to a group of technologies, infrastructure and resources that control or enable the provision of products and services through a system – regardless of industry or sector. Platform security risks are present whether the targeted platform is exclusively a technology platform or is a platform consisting of different components of which only some are “connected” and therefore exposed to a cyberattack. Even seemingly “low tech” operations, like gas pipelines, typically run integrated third-party software to improve the efficiency of operations.
Today, virtually all companies rely on external technical solutions to effectively manage their businesses and keep a competitive edge. But the downside of incorporating new technology into business operations is that it creates new vectors for cyberattacks. This is true not just for data-driven tech companies but any company where the core products or services rely in any way on technology.
Platform-targeted attacks highlight the intrinsic vulnerabilities for today’s companies regardless of sector: targets can be found in healthcare (eg, hospitals), education (eg, universities and schools), food and agriculture, oil and gas (eg, pipeline operators), providers of critical infrastructure or electric energy (utilities). Even entire “smart cities” may be vulnerable.
The recent uptick in high-profile cybersecurity incidents and their impact on victim companies and end-customers should prompt businesses to assess, rethink and address their cybersecurity risks. Effective precautions and mitigations against cyberattacks require companies to take a coordinated and holistic approach throughout their supply chain. Among the common types of threats are ransomware (encrypting systems or data so that they remain inaccessible until a ransom is paid), theft of data through SQL injection (supplying crafted input that a website or server inserts into a database query, so that the attacker’s text is executed as SQL), phishing (deceptive messages that harvest credentials or deliver malware, often giving bad actors the initial foothold from which they deploy further malicious code), and distributed-denial-of-service (DDoS) attacks (flooding systems, servers or networks with traffic in order to overwhelm and disrupt them).
The increased awareness around cyberthreats is also reflected in the federal government’s response to the recent high-profile attacks. For example, the Justice Department has formed a new group, the Ransomware and Digital Extortion Task Force, indicating that the government recognizes this growing issue and is making it a priority to address cybercrime, especially ransomware, with a priority comparable to that given to terrorism. President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued in mid-May, creates new requirements and obligations for federal agencies and the private-sector companies that provide services to the government.
Why businesses should take note of the recent platform attacks
Two recent ransomware attacks, one targeting Colonial Pipeline, the largest pipeline system in the US for refined oil products, and the other targeting JBS, the largest meat processing company in the world, perfectly illustrate platform security risk and why companies would do well to rethink and reevaluate their cyber-incident preparedness.
On May 30, 2021, JBS was hit by a ransomware attack, likely perpetrated by a group operating in Russia. This attack led to major disruptions for JBS’s operations, most notably shutting down facilities across the US, including those that supply close to a quarter of American beef. JBS operations in Canada and Australia were also impacted. According to JBS, the attack was resolved and operations were restored about four days after the incident had first been detected; full recovery of lost production was projected to take at least another week. While JBS is thought of as a meat company, its operations – running its facilities, keeping business records, documenting its distribution and shipping of meat domestically and internationally – all heavily rely on connected technology and IT systems.
While JBS publicly stated that it had no indication that customer, supplier or employee information had been compromised, the attack had noticeable effects throughout the supply chain and the commodities markets. Reportedly, the results of JBS’s shutdown were visible in numbers related to livestock trading, slaughtering and wholesale meat pricing, prompting the Department of Homeland Security and other government agencies to closely track any potential price manipulation. The Department of Agriculture stated that it was working with competing producers to help minimize any shortages resulting from the attack.
Because the attackers did not reach the core JBS IT systems and because the meat business has an inherently short production lifecycle, the cyberattack did not leave a lasting impact on food prices or on livestock trading. However, a cyberattack that caused a shutdown longer than a week would likely have a more significant impact. Furthermore, attacks on the agricultural, food and beverage sector could also present concerning food safety issues and even disrupt critical infrastructure supply chains.
The JBS attack came on the heels of the Colonial Pipeline breach, which took place on May 7, 2021. Colonial Pipeline, operator of a vital fuel artery spanning 5,500 miles between Texas and New Jersey, halted its pipeline after a cyberattack on its IT systems, taking operations offline as a precaution while it assessed whether the operational technology controlling the pipeline had been affected. Colonial’s pipeline is vital to millions of energy customers on the East Coast, transporting 45 percent of that region’s fuel needs. The temporary shutdown of this critical piece of energy infrastructure created significant volatility in gasoline markets as well as considerable consumer anxiety.
The FBI confirmed that the attack targeting Colonial Pipeline was conducted by DarkSide, a criminal group thought to be based in Eastern Europe that operates a ransomware-as-a-service model, leasing its malware and infrastructure to affiliates who carry out the intrusions. Ransomware is a type of malware that encrypts the victim’s systems, files or data, making them inaccessible. To regain access, victims are asked to pay a ransom, typically in a cryptocurrency such as Bitcoin. The attacker promises that, once the ransom has been paid, the attacker will provide a decryption key enabling the victim to retrieve its files. Ransomware attacks are usually financially motivated, and while there is no guarantee that the attacker will keep that promise, it is often in the attacker’s interest to do so in order to encourage future victims to pay in turn.
DarkSide is known to use a double extortion model: data is exfiltrated from the victim’s systems before the encryption runs, so the attacker can additionally threaten to publish the data if the ransom is not paid. That threat persists even when the victim is able to restore the encrypted data from backups, which is why backups alone do not neutralize this type of attack.
In the case of Colonial Pipeline, Reuters reported that the hackers exfiltrated more than 100 gigabytes of data. Colonial’s CEO, Joseph Blount, at the time unsure of the magnitude and effects of the attack, approved payment of a $4.4 million ransom in an effort to quickly restore operations. Following the shutdown, it took Colonial about five days to restore its systems and gradually resume its operations. The company publicly stated that specific markets would potentially continue to experience service interruptions in the product delivery supply chain following the restart.
Then, on June 7, 2021, in an extraordinary revelation, the Department of Justice confirmed that the FBI’s San Francisco field office had been able to trace the digital wallet holding the ransom and had recovered 63.7 bitcoins, currently valued at approximately US$2.3 million, of the total ransom that Colonial had paid. The FBI generally discourages the payment of ransoms, and OFAC has issued guidance warning that payments to sanctioned actors may themselves violate sanctions law, out of concern that such payments encourage cybercriminals to pursue additional attacks. US media then reported that, while Colonial Pipeline appeared to be complying with the ransom demand, behind the scenes it was following instructions from the FBI that helped federal investigators track the payment to the hackers’ cryptocurrency wallet. This was the first seizure of ransomware assets coordinated by the newly formed DOJ digital extortion task force.
In the wake of these two high-profile ransomware attacks on critical infrastructures, senators on the Intelligence Committee demanded better traceability and regulation of cryptocurrencies. Similarly, US Energy Secretary Jennifer Granholm stated that she supports legislation that would ban ransom payments. We have yet to see how the increased number of high-profile ransomware events will shape the developing law and regulation around cryptocurrency. Some commentators have suggested that any attempt to regulate cryptocurrency will negatively impact the crypto ecosystem. However, others are of the view that the ability of law enforcement and financial institutions to trace, track and audit the movement of cryptocurrency would alleviate concerns about unchecked illegal activity. Thoughtful regulation, they suggest, could actually boost the use and acceptance of cryptocurrency as well as its potential viability as a legitimate global payment mechanism.
Both attacks also illustrate the need for companies to consider platform risk, particularly where the technology component that is used for the attack is not considered to be the company’s core asset but is critical to the company’s business operations. Similarly, providers of platform-related services that are critical to any other company’s operations or supply chain must ensure that cybersecurity risks are appropriately addressed as part of the company’s privacy and cybersecurity program. Indeed, this will be an increasingly important question in vendor due diligence or M&A transactions.
How cyberattacks on one company can swiftly affect entire markets
The Colonial Pipeline and JBS breaches are also good examples of how a cyberattack can lead to immediate repercussions in relevant markets.
The market impact of the Colonial Pipeline shutdown was felt both downstream from the pipeline at the consumer end and upstream throughout the supply chain. Given the pipeline’s importance to the East Coast fuel markets, gasoline prices rose by 2-4 percent in the days following the incident, and reports appeared of consumers panic buying and hoarding fuel out of shortage concerns. The ripple effects were also felt upstream from the pipeline across the Gulf Coast, where refiners had to curtail activity because they could not ship refined products along this key logistical route. Had the outage been prolonged, reduced refiner demand could have led to a rise in crude oil inventories and could potentially have affected the price spread between WCS (Western Canadian Select) and Brent crude.
Similarly, cyberattacks on other types of energy assets could create regional commodity volatility, pose threats to public safety and impact the finances of energy companies. Among these assets: power plants, transmission grids, gas gathering and processing facilities, crude oil gathering systems and refineries, gas-to-liquids facilities, and storage facilities (including terminals and tank batteries).
It is easy to imagine the waves of damage that could result from cyberattacks against companies in many different industries and sectors. For example, attacks on the aviation community could disrupt aircraft systems or ground control; attacks against water suppliers could leave regions without clean water; attacks targeted at companies in the food and beverage sector could present significant food safety concerns on top of supply shortages. If, as many predict could happen in the near future, electricity to a major US city is interrupted by a cyberattack, widespread panic and loss of life could ensue.
Given the severity of the threats and potential impact to national security, there is a growing consensus that companies cannot shoulder the entire burden of mounting an adequate defense and that the federal government must do more to protect the public.
The Executive Order on Improving the Nation’s Cybersecurity
On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, signaling the government’s concern about the increasing risks and threats that cyberattacks pose for the nation, entities and individuals.
The Order establishes a set of requirements for federal government agencies and private entities that serve government agencies. However, private sector companies should also take note of the Order’s requirements as these will eventually shape how regulators and government agencies think about and evaluate private sector companies’ cybersecurity programs, preparedness and incident response plans.
In addition, government agencies, like private companies, rely on third-party suppliers to provide software and technical solutions or platforms in carrying out their tasks, which is why the Order’s requirements are likely to flow down to private sector entities. It is already the case that, in the US, certain sectoral privacy laws, such as in the healthcare or financial space, include provisions that address supply chain and third-party vendor risks to some extent, by requiring companies to conduct mandatory third-party risk assessments and vetting of third parties. We expect that such requirements will spread to other business sectors.
In summary, the Order aims to create more harmonization in how organizations treat and respond to cyberattacks by setting out certain key requirements, including incident reporting and information sharing obligations for government service providers, enhanced cybersecurity standards (including for the security of the software supply chain), and a standardized playbook for federal agencies covering detection of vulnerabilities and attacks as well as their mitigation and remediation. The newly created Cyber Safety Review Board is tasked with reviewing and assessing significant cyber incidents and recommending improvements to incident response practices.
In addition, on May 27, 2021, the Biden Administration issued the Pipeline Security Directive through the Transportation Security Administration (TSA), requiring owners and operators of critical pipeline systems to (1) review current cybersecurity efforts against TSA’s recommendations and conduct a gap analysis including identification of any necessary remediation steps; (2) report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), including any unauthorized access to relevant technology systems, detection of malicious software, and other cybersecurity incidents that result in any operational disruption of the pipeline systems or facilities; and (3) designate a Cybersecurity Coordinator at the corporate level who is accessible to TSA at all times. According to reports, this directive will be supported by more robust mandatory rules that outline steps pipeline operators must take to protect themselves against cyberattacks.
In Congress, where various policy prescriptions from congressional committees are anticipated, Senator Mark Warner (D-VA) and Senator Marco Rubio (R-FL), the chair and ranking member, respectively, of the Senate Intelligence Committee, have already announced their intention to introduce legislation that will mandate certain cybersecurity incident reporting. Their proposal would require reporting by government agencies, government contractors and companies working in critical infrastructure and, according to Senator Warner, would provide appropriate confidentiality and limited immunity provisions.
In addition, National Security Adviser Jake Sullivan stated in a recent White House briefing that US officials, presumably including President Biden, hoped to see the role of cryptocurrency, as well as cyber incident preparedness for ransomware attacks, addressed through an action plan at the G7 summit. The summit was held June 11 - 13 in the UK.
Addressing platform risks: action steps for companies
In an increasingly digitized economy, creating awareness of platform security risks is critical. The Colonial Pipeline and JBS incidents illustrate the major implications companies face from platform attacks. To combat cybersecurity risks, companies should create a culture of awareness around types of cybersecurity risks, including platform risks; key to this would be inculcating an understanding within the company of how a cyber-breach could affect it: business operations disrupted or shut down, customer/client trust and relationships lost, reputations damaged, and, of course, the bottom line impacted, not least by the costs of remediation, investigation and the ransom itself.
Organizations should assume that they will at some point be a target, perhaps even a victim of a successful attack. Gaining appropriate visibility, understanding, and governance over the risks at hand is therefore key. The first step is to implement robust cybersecurity policies, programs and (role-based) trainings that are regularly reviewed, updated and tested.
The following are some key steps that companies should consider as they seek to mitigate platform security risks:
- Company and third-party due diligence and risk management: Third-party due diligence is critical to assess security risks. Companies must identify their most important assets and implement safeguards and procedures, including contractual security requirements, designed to protect these assets from cyber threats. This includes measures to continuously assess all internal and external systems, parties and relationships (including third-party service providers, suppliers and partners) and service or hardware components the company relies upon to successfully operate its business without disruptions. Ideally, where issues are found, they should be remediated prior to engaging with parties or deploying technologies or where already engaged or deployed, upon discovery. Additionally, to limit exposure, companies should not use third-party software solutions or connect to networks where not necessary to do so.
- Identity and access management: Identity and access management (IAM) is a fundamental concept in cybersecurity and ensures that only authorized identities have access to resources, and only at the level they need. An effective way of implementing this control is to apply the principle of least privilege, which grants users only the privileges essential to perform their assigned duties. Additionally, it is important to ensure that user roles also abide by the segregation of duties – for instance, requiring more than one user to complete critical decisions as a method of preventing fraud and error. Privileged and remote-access accounts in particular should be inventoried, protected with multi-factor authentication and disabled when no longer needed.
- Disaster recovery plan: Developing an effective disaster recovery plan requires an assessment of the risks associated with the failure of key systems or procedures. Whether the event is natural or man-made, it is critical to define recovery time objectives (how long a system may be down) and recovery point objectives (how much data may be lost), together with plans to meet them, in order to minimize potential downtime. Companies should maintain backup infrastructure that is geographically separate from their main site, keep at least one copy offline or on immutable storage that the production environment cannot overwrite (ransomware routinely seeks out and encrypts any backups it can reach), and decide beforehand the sequence in which machines and data will be brought back online to meet business-critical needs. Maintaining clean backups, and regularly testing restores and scanning backup media, is what allows a company to refuse a ransom demand.
- Incident preparedness and response: Incident preparedness and response are critical to the risk management strategy, providing internal guidance designed to help organizations prepare for, respond to and recover from cybersecurity incidents. In the throes of a crisis, it can be difficult to coordinate among multiple stakeholders, internally and externally. Valuable time can be saved, and stress minimized, when relationships with key external parties and vendors, such as outside counsel, forensics firms, credit and ID theft monitoring services or public relations firms, have already been established. Engaging outside counsel from the outset also helps when attempting to establish attorney-client privileged communications. To reduce friction, companies should make sure to have an incident response plan in place with clear guidance and communication channels. Larger companies also often practice their incident response plan through training or tabletop exercises.
- Supply chain attack management: Companies that rely on third-party technology and software are particularly vulnerable to supply chain attacks because many of these products or services require privileged access to the company’s systems, and companies often grant that access without further investigation, introducing additional threat vectors. Threat actors increasingly target third-party service providers, especially vendors that are trusted and connected to the victim’s network, as a method of entry. (In the Colonial Pipeline case, the company’s CEO later testified to the Senate that the attackers entered through a legacy VPN account that was not protected by multi-factor authentication, using a compromised password.) For this reason, performing detailed due diligence and risk assessments is critical to model, understand and manage security risks holistically. From a management perspective, it is important for companies to identify single points of failure and either introduce redundancies, strengthen controls or knowingly accept the concentration of risk that shared platforms can produce. Furthermore, a well-thought-out and exercised incident response plan will expedite business continuity objectives and provide guidance on sharing sensitive and confidential information relating to an investigation among interdependent parties.
- Security testing and patching: Too often, threats come in through known vulnerabilities that were left unpatched. In a fluid environment where technology is constantly changing and threats are continuously evolving, security testing and patching are essential tools for securing digital infrastructure. Companies should continually review their security practices and consider solutions to mitigate risks. For example, they may wish to segment internal networks, in particular separating operational technology from corporate IT, so that malware and ransomware cannot spread freely across the entire company network; or they may wish to conduct penetration testing, which relies on dedicated teams with experience and technical expertise in network, operating system and application-level security who mimic the actions of an adversary trying to break in. While the benefits of patching are generally straightforward, updating systems to remove known vulnerabilities often conflicts with business priorities, since updates may require downtime or break dependent processes. Good patch management programs keep environments functioning properly with minimal disruption to business procedures.
- Information gathering and sharing: Having situational awareness of emerging cybersecurity threats and vulnerabilities is vital to protecting platforms. Participating in information sharing groups, such as information sharing and analysis centers, can provide valuable and actionable intelligence to your information security teams.
- Contractual protection: Having thoughtful risk allocation - under offtake agreements, interconnection agreements, operating and maintenance agreements, supply agreements, processing agreements, and other material contracts that provide for performance – could help protect your company against liabilities or terminations arising from performance shutdowns. Additionally, in M&A transactions, it is useful to ask for applicable representations, warranties and preclosing covenants on the buy side. Additionally, considerations in M&A transactions should be given to applicable exclusions to covenants and representations regarding operating in the ordinary course of business and exclusions from material adverse effect (MAE) closing conditions.
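The disaster recovery item in the list above (recovery point objectives and clean, verifiable backups) can be turned into a routine check. The following Python is an added example written for this page, not code from the original alert or from any vendor product; the backup files, their contents and the timestamps are constructed, and the script assumes that the manifest of digests is stored somewhere the backup host and the production environment cannot modify (offline media or a write-once bucket), since otherwise an attacker who encrypts the backups can rewrite the manifest to match:

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, taken_at: datetime) -> dict:
    """Record when the backup set was taken and the digest of every file in it.

    Assumption: the returned manifest is written to storage that the backup
    host cannot alter, otherwise the later verification proves nothing.
    """
    files = {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_backup(backup_dir: Path, manifest: dict, rpo: timedelta, now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the set is fresh and intact."""
    problems = []
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > rpo:
        problems.append(f"backup set is {age} old, exceeding the RPO of {rpo}")
    for name, expected in manifest["files"].items():
        path = backup_dir / name
        if not path.is_file():
            problems.append(f"missing file: {name}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {name}")  # overwritten or encrypted in place
    unexpected = {p.name for p in backup_dir.iterdir() if p.is_file()} - set(manifest["files"])
    for name in sorted(unexpected):
        problems.append(f"file not in manifest: {name}")  # e.g. a dropped ransom note
    return problems


def demo() -> dict:
    """Constructed scenario: a clean set, the same set after tampering, then a stale check."""
    with tempfile.TemporaryDirectory() as d:
        backup_dir = Path(d)
        (backup_dir / "db.sql").write_bytes(b"CREATE TABLE orders (id INTEGER);\n")
        (backup_dir / "config.tar").write_bytes(b"constructed archive contents")
        taken = datetime(2021, 6, 1, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(backup_dir, taken)
        rpo = timedelta(hours=24)

        clean = verify_backup(backup_dir, manifest, rpo, taken + timedelta(hours=6))

        # Simulate ransomware overwriting one backup file with ciphertext and
        # dropping a ransom note alongside it (constructed, not real malware output).
        (backup_dir / "db.sql").write_bytes(b"\x9f\x12\x00\xe4 not the original bytes")
        (backup_dir / "README_RESTORE.txt").write_bytes(b"constructed ransom note")
        tampered = verify_backup(backup_dir, manifest, rpo, taken + timedelta(hours=6))

        # Same tampered directory, checked three days later: now also violates the RPO.
        stale = verify_backup(backup_dir, manifest, rpo, taken + timedelta(days=3))
        return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule from a host that is separate from the production network, the check flags a backup set older than the recovery point objective, files whose digest no longer matches (the signature of a backup encrypted in place), and files that appeared without being recorded, such as a ransom note. It does not prove that the backup is restorable; periodic test restores remain necessary, and the offline or immutable copy is what makes the digests trustworthy in the first place.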
Additionally, investment in new technologies and network architectures, as well as time-tested practices, can help strengthen an organization’s security posture. Newer concepts such as security by design and zero trust help both executives and security personnel bake safeguards into every part of the business. With cybercrime on the rise, it is essential that organizations reevaluate their current platform security awareness and posture. In particular, organizations should assess their relationships with third-party partners, vendors and platforms to ensure they have a proper understanding of, and visibility into, the associated risks. To strengthen safeguards, technical measures such as patches for known vulnerabilities, multi-factor authentication, zero-trust architectures and third-party management tools should be implemented in a timely fashion to reduce residual risk. As cyberspace continues to evolve, so will its threats, making it that much more important to account for the risks and take preemptive action to mitigate them.