September 21, 2021

Volume XI, Number 264


September 20, 2021


Hack on American Colonial Pipeline Company Highlights the Vulnerability of Critical Infrastructure to Attack

On 7 May, the American Colonial Pipeline Company (Colonial Pipeline) network, which operates the largest fuel pipeline in the US, was shut down by a cyber-attack for several days, causing fuel shortages, the highest fuel prices in years and the declaration of a state of emergency in four US states.

The US reported that a Russia-based hacker group was responsible for the attack, and a group of cybercriminals known as ‘DarkSide’ has since taken responsibility for it. The attack worked by gaining access to and scrambling the data held on Colonial Pipeline’s network. President Joe Biden has released a statement that there was no evidence to indicate that the Russian government was behind the attack, despite the attack’s source. DarkSide has also stated that it was motivated by profit and not by any political motivation.

Colonial Pipeline has now restarted its operations after reportedly paying a US$5 million ransom to the hackers to regain control of its systems. The US FBI and the Australian Cyber Security Centre (ACSC) maintain that victims of ransomware should not pay cyber criminals; however, in cases like the Colonial Pipeline attack, the impact of the attack and the cost and time associated with rebuilding systems from scratch may arguably be too high not to pay. As the pipeline has historically made over $400,000,000 a year, the sum would be equal to less than a week’s losses.

More recently, another Russia-based cybercriminal group called Nobelium targeted over 150 organisations. It has been suggested that these attacks were a continuation of the attacks by Nobelium on SolarWinds, which allowed the hackers to infiltrate US government department networks in 2020.

The Australian Signals Directorate (ASD) and the ACSC have also found an increase in the frequency of ransomware attacks on Australian organisations. The most targeted sectors include critical infrastructure sectors like health, state and territory governments, education and research, transport and retail.

Ransomware attacks are a risk that all organisations face, and it’s far better to minimise vulnerabilities than to face the consequences of an attack. It’s clear from attacks like these that large privately and publicly run critical infrastructure organisations are just as much at risk as others.

The ASD and ACSC have advised all the normal precautions like using multi-factor authentication, performing regular backups and turning on ransomware protection – but this isn’t always enough, so having a robust incident and data breach response plan in place is a must! Whether or not you should pay a hacker’s ransom is debatable and there may be a number of legal, policy and commercial considerations to contend with; however, in this case the hackers chose a sum that made it very easy for Colonial Pipeline to make that choice.

Copyright 2021 K & L Gates

National Law Review, Volume XI, Number 154

About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Warwick Andersen Technology Lawyer KL Gates

Mr. Andersen is a senior corporate lawyer with a focus on commercial, technology and sourcing projects. He has advised on large scale outsourcing projects, technology agreements for both vendors and customers, corporate support, privacy and telecommunications regulatory work. He has acted for government departments, large listed companies, telecommunications companies and technology suppliers.

Rob Pulham Corporate Attorney K&L Gates
Special Counsel

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices...