Colonial Pipeline Attack: The Pearl Harbor File
When the Colonial Pipeline attack occurred and I wrote my first article about it, a 22-year-old conversation I had about cybersecurity came to mind. “I’ll bet” I thought, “the security person they will crucify for this Colonial Pipeline attack has a Pearl Harbor File, and I am dying to see them drag it out.”
And now it has. My prescience was rewarded.
Only moments after finishing this article, the AP published a news item where a contractor who performed a 2018 audit of Colonial Pipeline pulled out his copy of the report which cited cybersecurity lapses (among others) he had identified. What I call in the cybersecurity business “the Pearl Harbor File.”
An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.
“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”
On the heels of the ransomware attack on the Colonial Pipeline, it’s a good time to review the bidding on how this happened. Rather than jump into the technical minutiae of the Colonial Pipeline attack for our amusement, I’ll simply quote a trusted colleague and InfoSec consultant known in the Twitterverse as @th3v0t4ry. As technical details emerged, he tweeted:
“It wasn’t Ocean’s Eleven.
Someone was walking around at night in a bad neighborhood with a bag with a huge dollar symbol painted on it, got robbed by a 12 year old with a stolen .22lr pistol.”
That sums it up nicely.
When I see incidents such as the Colonial Pipeline attack and delve into the how-it-happened aspects, I am never surprised to learn the victim was bitten by a well-known vulnerability, likely one that’s been identified and published for years. I wrote up a conversation I once had with a physical security manager waaaaay back in 1999. Here is the exchange:
“Early in my career [said the physical security manager]. I was responsible for the physical security for a small group of government buildings. When I took over the job from a retiring civil servant, I had to reassess the security measures currently in place and make recommendations for security enhancements and other improvements. Any time the building managers would propose changes or additions to the buildings, they had to seek my input and approval for any necessary security enhancements. I also had to justify all the current and projected costs for security including salaries for guards, fences, lights, and anything else in the security budget.
“As my job responsibilities slowly grew, the government housed more people and more expensive equipment in the buildings. Of course, newer and better security equipment was being developed and the government security requirements evolved as well. In addition, the area around the buildings became a little more threatening. When I felt it was necessary, I would approach the facility director with a proposal to purchase newer security technologies such as cipher locks, surveillance cameras, and extra lighting. Each time he would ask me to write up a lengthy report to justify the expenditure so he could disapprove it.”
“You just said, ‘…so he could disapprove it,’” I interrupted. “Surely he didn’t always disapprove your proposals?”
“Of course, he always disapproved them. In bureaucratic circles, you open yourself up to criticism from your seniors for approving new spending projects, and God forbid you ever exceed your budget. If he approved or endorsed any new spending project not specifically directed by our agency heads, he became vulnerable. However, he never heard a peep from the headquarters if he simply disapproved the proposal at his level. And when it comes to security, it can be difficult to justify the expenditures because more often than not, you are spending money to guard against something that may never happen. However, I didn’t get discouraged. I always did a thorough job writing up the proposal and kept them in a file.”
“That makes sense; but what would happen if a security breach did occur — like equipment theft or a parking lot mugging after you had proposed something which could have prevented it?” I urged.
“There you have it!” he exclaimed. “That’s his Pearl Harbor — the unexpected attack! When a security violation resulted in a loss, we would resolve the problem and then have a postmortem meeting about it. For that interview, I would dig out a couple relevant proposals I had made over the preceding years and finally win approval for some needed enhancements.”
“Did he approve all of them?” I asked.
“Of course not. But I was usually able to push through some of the more urgent upgrades. It happened enough that I just started calling this my Pearl Harbor file.” His voice softened, then he asked, “You’re a consultant in the network security business. Don’t you recommend a Pearl Harbor file for your clients?”
Remember, this was a conversation from 22 years ago. Nothing really changes in the business of risk management.
I know the concept of this, but I love the name “Pearl Harbor file”.
And as you allude to, things don’t work much differently in the private sector as they do in government, as regards security, anyway.
What people are asking themselves today is how many of those enhancements could they have bought for the 5 million bucks they are reported to have paid the hackers?
I never called it a “Pearl Harbor file”, but yeah, I had a folder of such emails. My director was actually pretty good about approving such things, but she told me to keep that folder for the times she couldn’t approve things, or get approval, just as a professional CYA. Part of the reason I was hired for that role was that my predecessor was so bad and disorganized that the facilities were a constant mess of security holes and compromised machines.
See also this piece by Marcus Ranum:
https://freethoughtblogs.com/stderr/2021/05/12/the-ransomware-hack/
I call this the “offensive lineman problem”: you only get noticed when you fail to block someone.
“a patchwork of poorly connected and secured systems,”
That is, business as usual for any organization that doesn’t take security seriously.
Security costs money. Nobody pays for it until they’re burned, and even then they stop paying as soon as the pain fades.
I’ve been agitating for 10 years to update some encryption some of our files use. I can’t even get it done for the one that’s a simple case (the only software that needs to read it is OUR software — our production client and an internal tool we built), so it’s just a matter of replacing the current methods with a specialized encrypt/decrypt function. It’s sadly not totally plug and play, but we’re talking three weeks’ work and no costs beyond labor.
Bottom of the priority list.
Equifax is a perfect example of that mind-set.
https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
“Security costs money. Nobody pays for it until they’re burned, and even then they stop paying as soon as the pain fades.”
Same for PPE, ICU space, ventilators, etc.
“Can’t they just use blockchain?” (she says with a sly smile as she slips out of the room).
Troublemaker…
Can you explain blockchain to someone who is real dumb with this stuff?
https://medium.com/swlh/blockchain-for-dummies-d3daf2170068
I think I’m more confused!
me too. Plain language training for the cyber security folks is as much of a necessity as it is for us oceanography types.
I think of blockchain like a ship’s log. In the Navy, a ship’s log is a legal document, thus it is immutable, it can be added to, but older information can not be altered*. Whatever is written to the log stays in the log forever. Now with pen and paper, that’s pretty obvious, you’d have to do a lot of work to alter a paper log such that no one would notice it’s been altered. Digital files are a bit easier to modify.
So digital files include hashes. A hash is just a number (alphanumeric) that is unique to the file. In the case of blockchain, it’s a cryptographic hash that uses information from the contents of the file and the system to generate the hash. The crypto algorithm that generates the hash decides what information is used to generate the hash, and often that algorithm will use stuff like time/date stamps, CPU serial number, etc., so it’s very unique. And the algorithm is one-way, which means you can generate the hash, but you can’t input the hash into the same algorithm and get back the information used to create it.
Blockchain, being a log of transactions, computes a hash every time the log is added to, and it uses the previous hash as an input to the new hash, so if a previous hash changes, the next hash won’t match. Now, obviously, you need a way to verify the hash is accurate, and that is where the distributed, peer to peer nature of the blockchain comes into play.
Blockchain is pretty much useless for a single user. You need a network of users to employ it. Because everybody on the network has access to the log, and a copy of it. If you add a transaction to the log, everybody else on the network looks at the transaction and the hash, and if they find it meets the criteria of a valid transaction, they update their copies. Thus if someone edits the log and creates an invalid hash, they have to also convince the rest of the network that the edit is legit. And that, my friend, is no small task.
*Technically, you can change the log, by putting a single strike through the incorrect part (so it is still legible), add your initials, and appending the correct information. You can not erase/delete things.
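The hash-chaining the comment above describes (each new entry’s hash takes the previous entry’s hash as input, so editing an old entry breaks every link after it) is easy to show in code. The following is an added example written for this page, not code from the post or from any commenter; it uses plain SHA-256 over the entry’s own fields rather than the timestamp or CPU-serial inputs the commenter mentions, models the ship’s-log rule that corrections are appended rather than edited in place, and the log lines it feeds in are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Hash that the very first entry chains back to (no previous entry exists).
GENESIS_HASH = "0" * 64


@dataclass
class Entry:
    index: int      # position in the log
    prev_hash: str  # hash of the entry before this one (the chain link)
    text: str       # what was written in the log
    hash: str       # hash over index, prev_hash and text


def compute_hash(index: int, prev_hash: str, text: str) -> str:
    """One-way digest over the entry's fields; canonical JSON keeps it deterministic."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "text": text}, sort_keys=True
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class HashChainedLog:
    """Append-only log where every entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, text: str) -> str:
        prev_hash = self.entries[-1].hash if self.entries else GENESIS_HASH
        index = len(self.entries)
        entry = Entry(index, prev_hash, text, compute_hash(index, prev_hash, text))
        self.entries.append(entry)
        return entry.hash

    def amend(self, index: int, correction: str) -> str:
        """Ship's-log style correction: never rewrite, append a note pointing at the old entry."""
        return self.append(f"CORRECTION to entry {index}: {correction}")

    def verify(self) -> Optional[int]:
        """Return the index of the first broken entry, or None if the whole chain checks out."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            stored_ok = compute_hash(e.index, e.prev_hash, e.text) == e.hash
            if e.index != i or e.prev_hash != prev_hash or not stored_ok:
                return i
            prev_hash = e.hash
        return None


def build_sample_log() -> HashChainedLog:
    """Constructed sample log lines (hypothetical ship's-log style entries)."""
    log = HashChainedLog()
    for line in ["0800 underway from pier 3", "0930 came to course 270", "1100 contact bearing 045"]:
        log.append(line)
    log.amend(1, "course was 275, not 270")
    return log


def tamper_text_only() -> Optional[int]:
    """Edit an old entry in place without touching its hash: that entry itself fails."""
    log = build_sample_log()
    log.entries[1].text = "0930 came to course 180"
    return log.verify()  # 1


def tamper_and_rehash() -> Optional[int]:
    """Edit an old entry and recompute its own hash: the *next* entry's link no longer matches."""
    log = build_sample_log()
    e = log.entries[1]
    e.text = "0930 came to course 180"
    e.hash = compute_hash(e.index, e.prev_hash, e.text)
    return log.verify()  # 2


if __name__ == "__main__":
    print("intact log verifies:", build_sample_log().verify())
    print("first broken entry after silent edit:", tamper_text_only())
    print("first broken entry after edit + rehash:", tamper_and_rehash())
```

The second tamper case is the one the comment is getting at: recomputing the edited entry’s hash is not enough, because entry 2 still records the old hash of entry 1, so an attacker has to rewrite every later entry too, and on a shared log every other holder of a copy would then see the mismatch.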
I think of blockchain like a ship’s log. In the Navy, a ship’s log is a legal document, thus it is immutable, it can be added to, but older information can not be altered*. Whatever is written to the log stays in the log forever. Now with pen and paper, that’s pretty obvious, you’d have to do a lot of work to alter a paper log such that no one would notice it’s been altered. Digital files are a bit easier to modify.
Ah, like lab notebooks only more so. (Lab notebooks are not considered legal documents, but are often important in IP court cases.) Blockchain is showing up in some electronic lab notebooks (ELNs). One of the problems it’s supposed to solve is inadvertent modification, which has always been a problem in ELNs.
To be clear, I was joking. Blockchain is not relevant to this event.
Ha! See how dumb I am? I didn’t even know it wasn’t relevant. Well played… :-p
The joke is that Blockchain is often suggested as a solution for every computer security issue (e.g. voting machines) by people who know nothing about either one, and it rarely would help and is often wildly inappropriate.
Just off the top of my head (& I am not thinking too deeply about this), at best blockchain could be used as a tripwire for an intrusion.
Blockchain is someone’s cool idea desperately seeking an application. And which was seized upon by people who don’t understand what a ‘currency’ is, but are prone to some weird beliefs about it anyways. And so they used blockchain to create a speculative “currency” that has few of the features people want in a currency, and plenty of features people don’t.
As to what it is — it’s basically a decentralized transaction setup. Everyone can check everyone else’s work, and basically “verify” transactions/changes/etc without referring to a central authority.
Imagine if, instead of a bank ledger, every time you moved money into your bank account every member of the bank scrutinized the transaction, verified the incoming money was legit, the account was legit, the math was legit, and then once enough of them had “proved” that money really existed, really entered your account, and really changed your balance — everyone else just agreed and got an updated copy of your balance.
All of this done using fun mathematical techniques designed to prevent people from lying about it, because if they lied the math wouldn’t work out.
if this sounds like it would take a lot of time and energy to do something as simple as “my paycheck was deposited, what’s my new balance”, congratulations, that’s problem 1 with blockchain as a ‘currency’.
To be honest, the transactional nature of blockchain is very much like modern financial transactions. When I get paid, my employer doesn’t send over a stack of paper money to my bank, and the banks don’t actually ship each other stacks of money when transfers happen. It’s all just numbers and trust. We trust that my employer’s bank will debit the value of my paycheck from their account, and we trust that my bank will credit that amount to my account.
Blockchain just deals with the trust question in a different way.
Not really. Your banks’ ledgers are centralized authorities, and they themselves have their own centralized authorities. And so they can do trusted transactions between themselves to keep their ledgers right.
So yes Bank B gets a deposit and verifies that Bank A actually debited the money and sent it to Bank B, then finalizes the deposit. Both banks update their ledgers.
Blockchain effectively polls every bank in the world, waits until a majority say “Oh yeah, we’re totally good with that” and then everyone updates their copies of the bank ledger at once. Which can take days.
And what’s it get you? Well I mean you don’t have to trust the bank to keep an accurate ledger, and…that’s it.
For days of processing time and enough power to cover Argentina.
Aside from the power question, I’m not seeing where we disagree? I wasn’t trying to suggest that blockchain is a better answer to the question of trust, only a different one.
(The power/CPU time is for mining, not polling/updating)
Probably nowhere.
But no, not just mining. (https://www.blockchain.com/charts/avg-confirmation-time)
Running around 2.5k MINUTES. About a day and a half.
Because “mining” a bitcoin is effectively mining the transaction log. Each transaction goes into a block, and there’s only so many that can go INTO a block, and then you can’t process anymore transactions until that block is mined.
Once that happens (it’s supposed to be about every 10 minutes), then a new set of transactions goes into the new block (once everyone has confirmed and authenticated the new block), and the process continues.
And there is literally no way to speed it up, because the time to mine a block is fixed (specifically, even if you have faster hardware the problem being mined is simply made more complex to keep it to roughly ten minutes per block).
If we all adopted bitcoin, it’d take WEEKS to process buying a friking Pepsi.
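The comment above describes two mechanics that a short toy makes concrete: a block is “mined” by searching for a nonce whose hash clears a target, and the target is moved so the search keeps taking roughly the same time no matter how fast the hardware gets. The following is an added example written for this page, not Bitcoin’s code or any commenter’s; the leading-zero-bits target, the `retarget` thresholds and the block payloads are all simplified, constructed assumptions, and the block time it checks is a counted number of hash attempts rather than wall-clock minutes.

```python
import hashlib
from typing import Tuple

HASH_BITS = 256


def block_hash(prev_hash: str, payload: str, nonce: int) -> str:
    """Hash of a candidate block: previous block hash, contents and the nonce being searched."""
    return hashlib.sha256(f"{prev_hash}|{payload}|{nonce}".encode("utf-8")).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """A block is valid when its hash's top difficulty_bits bits are all zero."""
    return (int(digest_hex, 16) >> (HASH_BITS - difficulty_bits)) == 0


def mine(prev_hash: str, payload: str, difficulty_bits: int) -> Tuple[int, str, int]:
    """Brute-force the nonce; returns (nonce, hash, attempts). Expected attempts ~ 2**difficulty_bits."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, payload, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
        nonce += 1


def retarget(difficulty_bits: int, observed: float, target: float) -> int:
    """Assumed toy retargeting rule: blocks arriving too fast -> one bit harder, too slow -> one bit easier."""
    if observed < target / 2:
        return difficulty_bits + 1
    if observed > target * 2:
        return max(1, difficulty_bits - 1)
    return difficulty_bits


def verify_block(prev_hash: str, payload: str, nonce: int, difficulty_bits: int) -> bool:
    """What every other node does: one hash, no search, to check a block someone else mined."""
    return meets_target(block_hash(prev_hash, payload, nonce), difficulty_bits)


def simulate(blocks: int, difficulty_bits: int, target_attempts: float) -> list:
    """Mine a short chain of constructed payloads, retargeting after every block; returns per-block stats."""
    prev_hash = "0" * 64
    history = []
    for i in range(blocks):
        payload = f"block {i}: constructed sample transactions"
        nonce, digest, attempts = mine(prev_hash, payload, difficulty_bits)
        assert verify_block(prev_hash, payload, nonce, difficulty_bits)
        history.append((i, difficulty_bits, attempts))
        difficulty_bits = retarget(difficulty_bits, attempts, target_attempts)
        prev_hash = digest
    return history


if __name__ == "__main__":
    for i, bits, attempts in simulate(blocks=6, difficulty_bits=8, target_attempts=256):
        print(f"block {i}: difficulty {bits} bits, {attempts} attempts")
```

Each extra bit of difficulty doubles the expected search, while verification stays a single hash; that asymmetry is why the commenter can say faster miners do not shorten the block interval: the target simply moves.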
I get why PoW was used for BitCoin, but they really need to do something about that, it’s not sustainable.
Median confirmation is about 7 minutes right now, so not terrible, but still kinda slow for currency. Visa manages to run my OJ purchase in less than 10 seconds.
Anyway, blockchain as currency… I’m not certain it can’t work as one, but I’m also not awash with ideas as to how to overcome the problems that exist. I also don’t care enough to think that hard about it, I have other things I need to be concerned with.
I don’t think we really disagree.
The average bitcoin transaction uses up about 700 kWh in electricity. That’s, whoo, a lot.
Cryptocurrency isn’t sustainable in ANY form. It’s computationally inefficient by design. if you make it more efficient, the difficulty of the process is increased.
it’s just a flat out stupid idea as a way to handle a currency. If you DON’T do that you either have a massively inflationary currency OR you give people no incentive to run the transactions, so you have no currency.
Someone literally just had a nifty algorithmic idea, then someone else said “Let’s make a currency out of it” because they couldn’t figure out anything else to do, and certainly as “computer people” they were much smarter than “economists”, what do those morons know, and it turned into a tulip bubble if the tulips were imaginary but took the energy budget of Argentina to make.
I mean after it was used to launder a lot of cash.
I don’t think you can effectively make an “efficient” cryptocurrency. Its trailing along its work log and distributed, multiple ledgers and all that is inherent in the process.
I mean I guess you could ditch the coin entirely, use an efficient method, and just pay people to process the transactions, but then why not just rent a server farm and cut out the middle men? Oops, you’re back to being a bank again with a centralized ledger.
No, you get back here and suffer the hurled whiskey glasses like a big girl!
I certainly deserve it.
um, point of order – if you are going to hurl something, how about hurling something NOT important. Whiskey glasses function nicely for holding small batch bourbon. something that holds gin might be worth throwing however.
This subchain made my morning, I applaud all involved and especially Veronica.
A very interesting thread:
The part that has me speculating is this part:
If it is US Law Enforcement behind it, the question then becomes “why in the hell aren’t you doing anything about other such bad actors?!?!?”
So it’s in USG’s best interest to communicate that they can neither confirm nor deny that they did it.
But if it’s not USG, then we’re as boned as we were yesterday and the big guys out there have learned an important lesson about keeping low profiles.
Holy crap!
Well that decision will be controversial.
It certainly changes the whole “hackers hacked the pipeline” narrative.
Oddly enough, I remember writing about the guy who took the blame for Pearl Harbor and why he was probably scapegoated, although I don’t remember much about the story now:
https://ordinary-times.com/2016/11/02/book-review-a-matter-of-honor-harper-2016/
My experience with management is their job requires them to think about many things at the same time and you’re lucky if you can keep them thinking about one thing. Last week, I noticed that our large student union building has a COVID checkpoint so that all traffic comes in and out through one door. Good idea. Very necessary. So, I asked the person who decided upon this:
“Did you put signs on the other doors of this very large building? Because it seems like they have signs and they’re all locked….”
“We did both! They’re locked and there are signs!”
“Okay, well, I’m not a fire marshall, mind you, but….