
Fuel holding tanks are seen at Colonial Pipeline's Linden Junction Tank Farm in Woodbridge, New Jersey, on May 10, 2021.
Editor's Note: This security-focused assessment is one of many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.
This excerpt discusses the impact of the recent ransomware cyberattack on the Colonial Pipeline system, leading to it being shut down, and the rise of commercial-oriented ransomware groups. While the attackers appear to be a criminal group, it is still the most disruptive cyberattack on the U.S. energy sector and will bring more political pressure on President Joe Biden to expand his cybersecurity agenda and boost U.S. defenses against all cyberthreats.
As of publication, the timetable for restarting the full pipeline is unclear. While the impact of a shutdown of the Colonial Pipeline system's main lines for a few days will only have a limited impact on regional gasoline, diesel and jet fuel prices, a longer lasting outage will have a more disruptive impact and could cause localized shortages and fears about scarcity along much of the U.S. East Coast. If the impact to U.S. fuel supplies becomes more acute, it will only increase pressure on the Biden administration to respond strongly.
The Colonial Pipeline cyberattack will reinforce the Biden administration's push for boosting U.S. cybersecurity defenses, but the rise of more professionalized ransomware groups and extortion campaigns will only lead to more cyberattacks on Western companies despite government policy. The Colonial Pipeline Co. shut down its pipeline system — the largest petroleum products pipeline servicing the eastern United States — on May 7 after learning its information technology systems suffered a cyberattack, the company said in a statement released on its website the following day.
- In a May 9 update, the company said the pipeline system's four main lines remained offline but it restored operations to some smaller pipelines delivering products from terminals along the main lines to delivery points.
- In response to the shutdown, the Department of Transportation declared an emergency in 17 states and the District of Columbia, and issued a waiver reducing fuel shipping requirements on tanker trucks.
- Colonial said in a May 10 update that segments are slowly being brought back online and that it had a goal of "substantially restoring operational service by the end of the week." In the meantime, localized shortages along the U.S. East Coast are possible, as is panic-buying over fears of a shortage.
The Eastern European criminal group DarkSide carried out the ransomware attack, disrupting the company's IT systems, although not necessarily the pipeline system's operational technology directly. Even though the attack does not appear to have targeted the pipeline's industrial control systems, such as SCADA — which would have given the hackers the ability to disrupt operations themselves — attacks on IT infrastructure frequently affect operations, as they can also disrupt invoicing, compliance reporting and other business-critical activities.
- Bloomberg reported that hackers stole around 100 GB in two hours on May 6, locked computers, encrypted files and demanded payment. DarkSide then threatened to publicly release the stolen data if it was not paid, a so-called double extortion ransomware attack that the group is well-known for carrying out.
- It is publicly unknown whether the Colonial Pipeline Co. paid a ransom; the FBI recommends companies not divulge such information to avoid encouraging copycat ransoms.
Attack Will Spur Calls on Biden to Expand Cybersecurity Agenda
The cyberattack is the most significant publicly known cyberattack on the U.S. energy sector, and exposes the vulnerability of U.S. critical infrastructure and U.S. companies to ransomware attacks, attacks the U.S. government is increasingly trying to combat. Ransomware attacks increased by 485% in 2020 compared to 2019, according to Bitdefender, a prominent Romanian cybersecurity company. While these statistics include individuals, not merely companies, they point to a generally increasing threat, due in part to the increased opportunities for attackers created by COVID-19. Working from home often requires the use of technologies like remote desktop protocols that hackers can exploit. According to Bitdefender, nearly two-thirds of attacks in 2020 took place in the first half of the year, as people quickly moved to working remotely without the same degree of cybersecurity protections and practices typically found in offices. As remote work is likely to remain far more common after the pandemic than before it, the remote access attack vector will remain attractive to hackers.
- The U.S. Justice Department set up a task force in April to deal with the rising threat of ransomware.
- In late April, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued its first two subpoenas under a January law allowing CISA to contact U.S. internet service providers in order to obtain a list of customers vulnerable to cyberattacks.
- The Cybersecurity and Infrastructure Security Agency Act of 2018 created CISA with the explicit goal of boosting U.S. cybersecurity across the government and between the government and the private sector.
The attack, the latest in a string of high-profile cyberattacks against the United States, will force the Biden administration to take more steps to strengthen U.S. cybersecurity defenses and implement reforms that reduce U.S. vulnerability. The Russia-linked SolarWinds and China-linked Microsoft Exchange hacks already resulted in significant political pressure on Biden. The Colonial Pipeline cyberattack — and particularly if it significantly disrupts U.S. gasoline, jet fuel and diesel distribution, thereby causing shortages — will only add more pressure. The Biden administration is working on an executive order expected to be released shortly aimed at strengthening U.S. cybersecurity defenses.
- The current iteration of the executive order would set cybersecurity standards for the federal government and contractors that develop software, such as using multifactor authentication as a set standard.
- The order would also require the federal government to implement a "zero trust" policy, under which users in a network do not automatically trust information or other users already inside the network. Vendors would also have to quickly report any vulnerabilities discovered in their software.
- The government hopes that by setting the standards for government contractors, it can largely dictate broader standards and practices for software development due to the industry's dependence on government contracts and need to comply with them or risk being barred from lucrative contracts.
The latest attack — and its more concrete, visible consequences — will lead to more pressure on the Biden administration to expand its current plans to boost cybersecurity defenses, which may not adequately address the threat demonstrated in the Colonial Pipeline attack. The current iteration of the executive order was written with the state-backed SolarWinds and Microsoft Exchange hacks in mind. Both previous attacks were, respectively, Russian- and Chinese-backed supply chain hacks of software that enabled hackers to target a wide range of exposed government agencies and private companies once the vulnerability was discovered — hence the executive order's current focus on software vendors. The exact attack vector of the Colonial Pipeline hack has not been made public and the vast majority of critical U.S. infrastructure — including the Colonial pipeline system — is privately owned and operated, meaning the draft executive order's new requirements for government contractors may not quickly affect private infrastructure operators like Colonial Pipeline.
- Even prior to the Colonial Pipeline attack, some had questioned the scope of the order and whether it was both broad enough to combat emerging cybersecurity threats and simultaneously narrow enough to avoid generating significant false alarms given its requirements on mandatory reporting.
- Even though the attack does not appear to be state-sponsored, the incident will lead to more calls on responding to threats on critical infrastructure that China, Iran, North Korea and Russia pose.
- The New York Times reported May 9 that White House officials had set up meetings to discuss whether to strengthen or expand the executive order. The visible, real-world consequences of the attack may increase public pressure for more significant action than was seen after previous cyberattacks.