If you don’t live in a cave — and since you’re reading this, we’re confident you don’t — you’ve heard of the Colonial Pipeline ransomware attack.
What you may not know is the extent to which AI-powered security solutions could have helped fend it off.
Let’s begin with a bit of background. This security breach, which the FBI tells us was orchestrated by a Russian criminal organization called DarkSide, is already being characterized as the “most significant successful attack on energy infrastructure we know of in the United States” by analysts, and for good reason.
Colonial Pipeline’s refined-products pipeline runs some 5,500 miles and carries roughly 45 percent of the fuel consumed on the East Coast of the continental United States. After the intrusion into its systems, Colonial Pipeline shut down the entire pipeline abruptly, with no advance warning to customers, meaning hundreds of millions of gallons of fuel simply stopped flowing where they were needed.
The results have been both unfortunate and predictable. Though Colonial Pipeline committed to restoring service in a phased manner, many gas stations in multiple eastern states were nevertheless quickly depleted of fuel due to panic buying by consumers wary of a sustained outage. Gas prices hit a high not seen since 2014, and the governors of several states, including Florida, North Carolina, Georgia, and Virginia, subsequently declared a formal state of emergency.
Colonial Pipeline itself, meanwhile, has been conducting a rapid forensic analysis to determine the root cause of the incident, remediate it, and, to whatever extent possible, prevent a future breach of comparable scope and impact.
The challenge faced by Colonial Pipeline as it attempts to lock down its infrastructure is, of course, fairly common among organizations with a significant deployment of assets such as pumps, turbines, generators, and other operational hardware. Such assets are often unusually difficult to secure because of several factors:
- They rely on outdated versions of Windows or Linux that are no longer supported or updated by OS providers
- Due to the assets’ distributed nature, it’s difficult or impossible for the host organization to update them with newer operating systems and security patches and thus keep them security-current in the same way as the conventional IT infrastructure
- Some industrial assets lack conventional operating systems at all, and are instead managed via ARM-based microcontrollers that are even harder to update in a timely manner
- Most current security solutions aren’t designed to operate in such outdated environments and even if they’re deployed to industrial assets, they too will be difficult to update frequently, for the same reasons as the operating systems themselves
- Such solutions also usually rely on frequent signature updates to recognize malware; since they can’t easily be updated, they soon go blind to newer attacks, and signature-based detection is in any case blind to a sample it has never seen before, which is exactly what a zero-day attack presents
- Hackers, criminal organizations, and state-sponsored organizations are well aware of these factors, as well as the potentially devastating impact of a successful breach, and hence have sometimes made a special effort to target industrial assets of this type
Now, on this last point, the criminal group DarkSide has actually issued an apology of sorts to address the Colonial Pipeline situation.
It reads: “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences.”
That’s certainly polite phrasing, coming from such a source, but if organizations with industrial assets fail to feel very reassured, it will surprise no one.
All of which brings us to the pertinent question: Is there a fix?
While no security solution is perfect, and attacks continue to grow more sophisticated, security solutions are growing more sophisticated too. One of them is designed specifically to protect potentially vulnerable industrial assets and the infrastructure around them.
That solution is SparkCognition’s DeepArmor Industrial® product. Like the rest of the DeepArmor product portfolio, the DeepArmor Industrial product does not rely on static signatures at all to recognize malware. Instead, it uses machine-learning models we developed to analyze file types such as executables, scripts, DLLs, and documents, flag suspicious files, estimate their threat level, and then take action. That action can be notifying a security manager or operations center through one of several channels, interoperating with other security solutions to respond directly according to defined policies, or both.
Furthermore, the DeepArmor Industrial product, already very effective the first week it’s deployed, becomes more effective over time. As our machine-learning models acquire more insight into emerging malware and how it manifests at the file level, they become better at spotting a potential threat, and once deployed onto an asset, they bring that added intelligence to the asset. The main difference from the expertise of a human security analyst is that they can spot suspicious files far faster than a human analyst would.
The DeepArmor Industrial product also works well on assets running outdated operating systems, whether or not they carry the latest security updates, and it is not dependent on signature update files the way other security solutions are. Beyond that, it supports ARM-based microcontrollers, and so helps protect assets that run no conventional operating system at all.
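To make the signature-versus-features distinction raised in the list above and in the product description concrete, here is an added illustration (written for this post; it is not DeepArmor code and does not reproduce any vendor’s model). It contrasts an exact-hash blocklist with a toy static-feature scorer over three constructed byte blobs: a “known” sample, a variant that differs by a single appended byte, and a benign text file. The feature set, weights and threshold are arbitrary assumptions chosen for illustration; the point is that one byte of change defeats the hash match while leaving the features, and therefore the verdict, unchanged.

```python
"""Hash-signature detection vs. static-feature scoring (illustrative only).
Added example; NOT DeepArmor code. Samples are synthetic, not real malware."""
import hashlib
import math
from collections import Counter


def _pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) standing in for a
    packed or encrypted payload body. Constructed for this example."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Strings that are individually legitimate but, clustered in one small file
# next to a high-entropy body, are typical of droppers and ransomware.
SUSPICIOUS_STRINGS = [
    b"VirtualAllocEx",
    b"WriteProcessMemory",
    b"CreateRemoteThread",
    b"IsDebuggerPresent",
    b"vssadmin delete shadows",
]

# Constructed samples: a "known" sample, a trivially mutated variant of it,
# and a benign maintenance log.
KNOWN_SAMPLE = _pseudo_random_bytes(b"known", 4096) + b"\x00".join(SUSPICIOUS_STRINGS[:4])
VARIANT = KNOWN_SAMPLE + b"\x00"   # one appended byte: new hash, same behaviour
BENIGN = (b"Pump station 7 maintenance log\n" * 64) + b"Next service due: Q3\n"

# What a hash-based engine ships in its signature update file.
BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for packed/encrypted data, ~4-5 for English text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_verdict(data: bytes, blocklist: set) -> bool:
    """Static-signature detection: exact hash match against the blocklist."""
    return hashlib.sha256(data).hexdigest() in blocklist


def extract_features(data: bytes) -> dict:
    """Static features a model-based engine might score (assumed feature set)."""
    return {
        "entropy": shannon_entropy(data),
        "api_hits": sum(1 for s in SUSPICIOUS_STRINGS if s in data),
    }


def feature_verdict(data: bytes, threshold: int = 3) -> tuple:
    """Toy feature scorer. Weights and threshold are arbitrary assumptions;
    a real engine learns them from a labelled corpus. Returns (score, flag)."""
    f = extract_features(data)
    score = 0
    if f["entropy"] > 7.0:           # packed or encrypted body
        score += 2
    score += min(f["api_hits"], 3)   # injection / anti-debug / shadow-copy deletion
    return score, score >= threshold


def compare(samples: dict) -> dict:
    """Run both detectors over each sample; returns {name: (sig_hit, feat_hit)}."""
    return {name: (signature_verdict(d, BLOCKLIST), feature_verdict(d)[1])
            for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({"known": KNOWN_SAMPLE, "variant": VARIANT, "benign": BENIGN})
    for name, (sig, feat) in results.items():
        print(f"{name:8s} signature={sig!s:5s} features={feat}")
```

Run as a script, it reports that the hash signature catches only the exact known sample, while the feature scorer flags both the known sample and the variant and leaves the benign log alone. The same logic is what makes a signature feed that cannot be refreshed on an isolated asset age so badly: every repacked build is a new hash.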
The result is that the DeepArmor Industrial product is simply the best available security solution for industrial assets of many types, spanning many industries. That’s not just our marketing position; it’s the objective conclusion emerging from many independent tests that, year after year, show that DeepArmor solutions do a better job at recognizing and handling zero-day attacks than any competing offering.
It’s also worth noting that the DeepArmor Industrial product is just one member of the larger DeepArmor product portfolio, which protects the complete infrastructure of organizations like Colonial, including both conventional IT assets and industrial assets (both of which appear to have been involved in that attack).
If all this leaves you wondering the obvious question — whether the Colonial Pipeline breach would even have taken place, given protection by AI-powered security such as the DeepArmor product portfolio provides — you’re not alone. We’ve wondered the same thing.
What’s clear is that going forward, the value proposition for such solutions will look better and better — and so will the prospects of the companies that offer them.