7 Crisis Management Lessons From Colonial Pipeline’s Response To Cyber Attack


Friday’s ransomware attack on Colonial Pipeline created a crisis for the company and the country and is providing several important lessons for business leaders on how to respond and manage crisis situations.

As reported by the Washington Post, “Colonial’s 5,500 miles of pipelines carry fuel from refineries on the Gulf Coast to customers in the southern and eastern United States. It says it transports 45% of the fuel consumed on the East Coast, reaching 50 million Americans.”

A Major Test For Biden

Politico observed that, “The attack presents a major test for how the Biden administration will respond to cyber attacks on critical infrastructure at a time when hackers are increasingly targeting essential utility services. The outage, depending on its duration and who is found to be behind it, could send fuel prices in the southeastern U.S. above $3 a gallon, market analysts said.”

“The attack,” CNN said, “comes amid rising concerns over the cybersecurity vulnerabilities in America's critical infrastructure following recent incidents, and after the Biden administration last month launched an effort to beef up cybersecurity in the nation's power grid, calling for industry leaders to install technologies that could thwart attacks on the electricity supply.”

Initial Lessons

Although the crisis continues to unfold, it’s not too soon to point out some of the best practices that are being followed by Colonial Pipeline and the U.S. government.

Tell People What Happened

Last night the company posted a statement on its website, saying it had learned that “... it was the victim of a cybersecurity attack. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

Colonial Pipeline, however, did not provide any details about the attack, such as when it happened, which systems were affected, or what the attackers demanded.

Call In The Experts

Colonial Pipeline said in the statement that, “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have already launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.”

Establish Priorities

“Colonial Pipeline is taking steps to understand and resolve this issue,” the company said in the statement. “At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

Don’t Speculate

As reported by the Washington Post, “Federal law enforcement and homeland security officials are investigating the matter. They do not yet know whether the attack on top U.S. fuel pipeline operator Colonial Pipeline was carried out by foreign government hackers or a criminal group, the officials said.

“It’s ‘too early’ to tell, said one official, speaking on condition of anonymity because the investigation is ongoing.”

Take Control

Scott Sobel is senior vice president for crisis and litigation communications at kglobal, a public affairs and public relations firm. He observed that, “Cyber terrorists are criminals of opportunity, looking for weaknesses and preying on businesses that have more to lose than just losses stemming from the first attack.

“Colonial and the authorities bit the bullet and shut down the rest of Colonial’s pipeline systems not affected by the first attack. This preemptive action took control from the terrorists and mitigated the long-term effects, the intimidation and leverage the terrorists hoped for.”

Send The Right Message

Sobel said, “The proactive moves, hopefully, will prevent Colonial from being attacked again in the same way by these criminals and also send a message to others that Colonial will react with strength to future confrontation.

“Of course, this particular game is still in play with Colonial, but the message has been sent that Colonial and other large companies have deep enough pockets and the chutzpah to weather this kind of battle and take measures to win the war in the future,” he concluded.

Isolate The Problem

Bryan Hornung is the founder of Xact IT Solutions, a cybersecurity firm. He said, “With any cyber attack, the first thing you want to do is isolate the problem by disconnecting it from the Internet, which it appears they have done as of Friday. Now it's all about getting the recovery/cyber insurance team the access it needs while ensuring no one else can get access to the network.

“Once this is done, the team will need to determine if data was exfiltrated and what leverage they have to reduce the ransom demand, if at all. Once they decide to pay the ransom or not, Colonial is still looking at a heavy investment for new infrastructure because you can't rebuild on the same network that was infected. You're starting over.”

Advice For Business Leaders

Hornung said, “... incident response planning is critical and should be part of every organization's business plan. All companies should be striving for cyber resiliency by:

  • Identifying assets
  • Putting a plan in place to protect those assets
  • Implementing the tools to detect if those assets have been breached
  • Developing a written plan to respond so everyone knows what to do
  • Executing a recovery that, if developed correctly, will make the event easier to get through”

He said that without a recovery plan, “... you are prone to mistakes, missteps, and human error, which leads to longer recovery times and a larger loss of revenue. It's always less expensive to take care of things on the left side of ‘the boom’ than on the right side after an event.”

More Cyber Attacks Ahead?

Brad Brooks, CEO of OneLogin, said Friday’s attack “... represents how quickly the stakes are escalating on cybersecurity, with controlling and knowing who has access to your IT systems a board-level priority for every company.

“We are moving from an invisible Cold War that was focused on stealing data to a highly visible hot war that has real implications for physical property and people’s lives,” he said.

Anurag Gurtu is the chief product officer for Strike Ready, a cyber security platform. He noted that, “There seems to be some chatter within the intel community regarding DarkSide ransomware being linked to the Colonial Pipeline system attack. Darkside has an Italian origin... It claims to avoid targeting companies within the education, healthcare, and government sectors. Another active ransomware that is tracked by [the] StrikeReady intel team and linked to Italy is Adhubllka Ransomware.

“The other two insanely active ransomware attacks that are targeting [the] oil and gas sector are DoppelPaymer ransomware and Clop ransomware, both of which are linked to Russia,” he said.

Edward Amoroso is CEO of TAG Cyber, a cyber security research analyst firm. He noted that the “vulnerabilities of enterprises to attacks are ever-expanding, and cyber criminals will always be one step ahead.

“I expect targeted ransomware attacks to continue due to their simplicity. However, these attacks pale in comparison to the severe attacks that could occur if companies lack critical infrastructure and experienced [and] capable chief information security officers to address known and unknown risk factors,” he said.

5/9/21 - The story was updated to include additional analysis.
