When Colonial Pipeline Co. was breached on April 29, the ramifications were wide-spread, causing fuel shortages across the East Coast and raising alarm bells for cybersecurity professionals. The root cause of the ransomware attack was a compromised password that has since been discovered within a list of leaked passwords on the dark web.

The cause of the attack should come as no surprise when considering that 81 percent of data breaches begin with a compromised password. In the weeks since the attack, much of the analysis has been centered around IT/OT security shortcomings and whether these vulnerabilities are indicative of a large industry-wide problem within critical infrastructure sectors. While this is important to examine, what is being overlooked is how much more difficult this attack would have been to carry out with enforceable breached password protection in place.

The attack sparked a new security directive with the Department of Homeland Security’s Transportation Security Administration on May 27, which requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Pipeline owners and operators are also required to review their current practices and identify any gaps.

While this directive may reduce risk, it’s most certainly not going to solve the problem.

Billions of breached passwords

There are billions of breached passwords available on the dark web, collected through previous attacks and then shared with other hackers. These leaked passwords are then used successfully in password spraying and credential stuffing attacks, due to the fact that 65 percent of users reuse passwords, according to a 2019 Google study.

Protecting against compromised passwords shouldn’t fall on the users who are not focused on cyber security, but on IT who is tasked with enforcing security. Critical infrastructure organizations need to ensure their IT solutions prevent these common password mistakes:

• Password reuse, specifically, reuse of compromised passwords
• Using very weak, easily guessable passwords such as, using the word password in their password or common keyboard patterns like qwerty or even passwords that are related to the organization including the organization’s name, location or other common identifiers
• Changing the passwords without changing the base word and adding sequential characters at the end (e.g. changing password1 to password12)
• Allowing unused accounts to remain active, essentially leaving an unchecked backdoor

The National Institute of Standards and Technology (NIST) outlines a standardized security approach for all critical infrastructure in the US. The NIST recommendations for password security include setting a minimum password length of 8 characters, screening new passwords against a list of known leaked/compromised passwords, and only then removing password expiration and complexity due to the fact that this contributes to poor password behavior.

Password solution requirements

When looking to implement a secure password policy, it’s important to consider the full lifecycle from password creation to reset. As well as meeting NIST requirements, solutions should:

• Eliminate the use of common password construction patterns
• Support user-oriented features, such as passphrases and length-based password aging which rewards users with less frequent password expiration due to the length and strength of their password
• Block the use of leaked passwords
• Protect password resets whether self-service or performed at the helpdesk with MFA and enforced end-user authentication
• Provide clear end-user messaging such as dynamic password rules feedback at password change
• Integrate smoothly with existing IT infrastructure, such as Active Directory.

Critical infrastructure, include the pipelines society relies so heavily on, will continue to be a high-profile target of cyber criminals. Addressing the root cause of these attacks can help protect the IT systems that keep society functioning. It’s time for the industry to put a progressive password security strategy in place.