How the Colonial Pipeline attack changed cybersecurity


It’s been just over a year since the American public got a taste of what a cyberattack could do to their way of life. A ransomware attack on Colonial Pipeline forced its owners to shut down operations and left half of the country’s east coast in search of refined fuel. Since then, efforts have focused on making the country’s critical infrastructure more resilient and countering the scourge of ransomware. The question is whether enough is being done fast enough.

“The attack on Colonial Pipeline was an eye opener, not so much because of the ransomware risks, but because of the threat landscape that comes perilously close to the critical infrastructure that underpins societies,” says Katell Thielemann, vice president analyst at Gartner. “On that front, it was a wake-up call that spurred all sorts of activity, from Department of Energy-led electric utility cybersecurity sprints to TSA security guidelines for operators of pipelines, railroads and airports, to a new law setting forthcoming mandates for incident reporting.”

“The Colonial Pipeline attack was not so much a pivotal moment for ransomware attacks as it was a pivotal moment for critical infrastructure risks,” adds Thielemann.

The Colonial Pipeline attack made many CISOs aware of significant blind spots in their security operations centers (SOCs), because their operational technology (OT) networks were not being monitored. “It also increased visibility of other mitigation measures, such as network segmentation, which MITRE ATT&CK considers essential to prevent access to safety-critical systems such as industrial control systems,” says Phil Neray, vice president of cyber defense strategy at CardinalOps, a threat coverage optimization company.

It was also crucial because, unlike other cybersecurity events that made headlines, it affected the average person on the street. “While not the first attack on critical infrastructure, Colonial Pipeline was the moment that led to a state of emergency, fuel shortages and panic buying behavior,” says Jasmine Henry, director of field security for JupiterOne, a cyber asset management and governance solutions provider.

Governments act against ransomware

The Colonial Pipeline event also spurred greater government activity aimed at protecting critical infrastructure around the world. “The silver lining of the Colonial Pipeline attack has been the increased involvement of law enforcement and the U.S. government in fighting attackers, helping to recover or freeze illegally acquired cryptocurrencies, and collaborating internationally to stop ransomware actors,” says Jason Rebholz, CISO of Corvus Insurance, a provider of risk management software solutions.

Another government response to the Colonial Pipeline attack was the Strengthening American Cybersecurity Act (SACA) passed earlier this year. It requires federal agencies and critical infrastructure owners and operators to report cyberattacks within 72 hours and ransomware payments within 24 hours.

“Transparency is one of the most overlooked aspects of security,” says Matt Chiodi, a former Palo Alto Networks CSO who now works at a stealth-mode cybersecurity startup. “Before SACA, critical infrastructure providers were not required to report cybersecurity incidents. This lack of transparency left many details about attacks and methods guesswork, which meant little learning for the industry. SACA is changing that, and while its scope is limited to critical infrastructure, it will undoubtedly have a positive impact on other industries in the future.”

SACA, however, has its doubters. “The law is largely focused on reporting requirements, and information on how to better prevent and mitigate threats is sparse in the document,” says Jori VanAntwerp, co-founder and CEO of SynSaber, a network monitoring solutions company.

“An issue that comes up frequently in our conversations with critical infrastructure operators and asset owners is that they are wary of additional reporting requirements,” says VanAntwerp. “In the past, there has been little or nothing done with the information they provided to government entities.”

The European Union has issued the Network and Information Systems Directive (NIS Directive), under which organizations can be fined for poor cybersecurity practices. Meanwhile, the UK’s National Cyber Strategy points to increased levels of cyber resilience, particularly for Critical National Infrastructure (CNI).

Colonial Pipeline increased collaboration and information sharing

Ian Usher, deputy global head of the strategic threat intelligence practice at NCC Group, a global cybersecurity consultancy, notes that the Colonial Pipeline attack helped spur cross-industry partnerships to deliver collective defense models for securing critical infrastructure.

Cross-industry and operational collaboration within the critical infrastructure community has supported small and medium-sized businesses (SMBs) and organizations that lack the necessary security infrastructure, especially where organizations are target-rich but cyber-poor, he explains. For example, consolidated information shared on platforms such as the Stop Ransomware website in the United States allows SMBs in critical infrastructure and other sectors to access key threat and mitigation information.

The Colonial Pipeline attack also made employees aware of ransomware. “Awareness of ransomware attacks is at an all-time high,” says Rebholz, “but while awareness leads to greater knowledge of the impacts of ransomware events, it doesn’t prevent them.”

Usher adds that in most organizations there has been an increase in efforts to promote awareness of the cyber threat landscape, the impact ransomware could have on them, and simple steps to identify and handle potentially malicious emails. However, much of this good work has been undercut by COVID and the rapid shift to remote and hybrid working.

“Removed from the corporate environment, employees have the potential to be more distracted and less security-conscious, not to mention more inclined to use third-party apps to facilitate remote collaboration,” Usher says. “These factors dramatically increase cyber risk to organizations, and without proper training, remote workers are an ideal target for phishing scams, which unsurprisingly have seen a huge increase since the 2020 shutdowns.”

“I think most people are more aware of threats. However, at best, 4% of them will click on something they shouldn’t. Things are moving in the right direction, but attackers know very well how to adjust their tactics,” says Christopher Prewitt, chief technology officer at MRK Technologies, a provider of bespoke cybersecurity solutions and services.

Greater value on IT resiliency

If the Colonial Pipeline attack has taught organizations anything, it’s the value of resilience. “Ransomware attacks have highlighted the need for greater resilience in IT environments,” says Rebholz. “Security is no longer just about keeping bad actors out, but must include creating a malleable environment that can withstand attacks.”

“This is particularly important for critical infrastructure,” says Rebholz, “since the impacts extend beyond monetary loss – a cyberattack can result in chaos when essential services and assets are cut off from the whole population.”

The cyberattack on Colonial Pipeline highlighted the fragility of our interconnected world and the impact cyberattacks have on our daily lives, says Davis McCarthy, principal security researcher at Valtix, a cloud-native network security provider. “Whether it’s the executive suite allocating funds for IT security, small businesses installing antivirus, or the US President signing executive orders to bolster critical infrastructure and combat cybercrime, the socio-economic impact of the Colonial Pipeline attack was visible. The public’s perception of cybersecurity was no longer an annoying pop-up window or a lame toolbar.”

“I anticipate historians will regard Colonial Pipeline as one of the key incidents that shaped the course of cybersecurity,” Henry adds. “As with WannaCry, both drove greater awareness, as WannaCry exposed the destructive potential of cyber threats to business leaders, while Colonial Pipeline raised public awareness.”

Copyright © 2022 IDG Communications, Inc.