12 months later, how the Colonial Pipeline attack changed cybersecurity


It’s been just over a year since the American public got a taste of what a cyberattack could do to their way of life. A ransomware attack on Colonial Pipeline forced its owners to shut down operations, leaving much of the country’s East Coast short of refined fuel.

Since then, efforts have focused on making the country’s critical infrastructure more resilient and countering the scourge of ransomware. The question is whether enough is being done fast enough.

“The attack on Colonial Pipeline was an eye opener – not so much because of the ransomware risks, but because of the threat landscape that comes perilously close to the critical infrastructure that underpins societies,” said Katell Thielemann, vice president at Gartner.

“On that front, it was a wake-up call that spurred all sorts of activity, from Department of Energy-led electric utility cybersecurity sprints, to TSA security guidelines for operators of pipelines, railroads and airports, to new legislation establishing future mandates for incident reporting.

“The Colonial Pipeline attack was not so much a pivotal moment for ransomware attacks as it was a pivotal moment for critical infrastructure risks,” Thielemann added.

Due to the Colonial Pipeline attack, many CISOs became aware of significant blind spots in their Security Operations Centers (SOCs) as they were not monitoring their Operational Technology (OT) networks.

“It also increased the visibility of other mitigation measures, such as network segmentation, which MITRE ATT&CK considers essential to prevent access to safety-critical systems such as industrial control systems,” said Phil Neray, vice president of cyber defense strategy at CardinalOps, a threat coverage optimization company.
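The two gaps described above, OT subnets the SOC never receives telemetry from and IT-to-OT firewall rules that are broader than a segmentation policy allows, are the kind of thing a defender can audit mechanically. The script below is an added illustration, not code from the article or from any of the companies quoted; the zones, the list of hosts seen by the SIEM, the firewall rules and the “jump host over RDP only” allowlist are all constructed for the example.

```python
"""Audit two post-Colonial-Pipeline questions a SOC should be able to answer:
(1) which OT subnets have sent no logs or flows to the SIEM (blind spots), and
(2) which firewall rules let the IT zone reach the OT zone beyond an explicit
allowlist (segmentation gaps).  All data below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # "any" or a single TCP/UDP port as a string
    action: str   # "allow" or "deny"


# Constructed zones: one corporate IT range, two OT ranges (plant LAN, PLC VLAN).
ZONES = {
    "IT": [ipaddress.ip_network("10.0.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.10.0/24"),
           ipaddress.ip_network("192.168.20.0/24")],
}

# Constructed: hosts that forwarded logs or flow records to the SIEM in the last 7 days.
SEEN_LOG_SOURCES = ["10.0.1.5", "10.0.2.9", "192.168.10.3"]

# Assumed segmentation policy: only one hardened jump host may cross into OT, RDP only.
ALLOWED_IT_TO_OT = {("10.0.5.10/32", "3389")}

# Constructed rule base, in evaluation order.
RULES = [
    Rule("jump-rdp", "10.0.5.10/32", "192.168.10.0/24", "3389", "allow"),
    Rule("it-any-to-plant", "10.0.0.0/16", "192.168.10.0/24", "any", "allow"),
    Rule("eng-ws-to-plc", "10.0.7.0/24", "192.168.20.0/24", "502", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def zone_coverage(seen_sources, zones):
    """Return {zone: {subnet: number of distinct log sources seen in that subnet}}."""
    seen = [ipaddress.ip_address(s) for s in seen_sources]
    return {zone: {str(net): sum(ip in net for ip in seen) for net in nets}
            for zone, nets in zones.items()}


def blind_spots(seen_sources, zones, zone="OT"):
    """Subnets in the given zone with zero log sources: the SOC cannot see them at all."""
    coverage = zone_coverage(seen_sources, zones)[zone]
    return sorted(net for net, count in coverage.items() if count == 0)


def _touches_zone(cidr, nets):
    network = ipaddress.ip_network(cidr)
    return any(network.overlaps(net) for net in nets)


def overly_permissive(rules, zones, allowlist):
    """Allow rules whose source overlaps the IT zone and destination overlaps the OT
    zone, unless the exact (source /32, port) pair is on the allowlist.  Returns a
    list of (rule name, reason) so the caller can report or fail a pipeline on it."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if not (_touches_zone(rule.src, zones["IT"]) and _touches_zone(rule.dst, zones["OT"])):
            continue
        if (rule.src, rule.dport) in allowlist:
            continue
        reason = "any-port IT->OT" if rule.dport == "any" else "source not on IT->OT allowlist"
        findings.append((rule.name, reason))
    return findings


if __name__ == "__main__":
    print("OT subnets with no SIEM visibility:", blind_spots(SEEN_LOG_SOURCES, ZONES))
    for name, reason in overly_permissive(RULES, ZONES, ALLOWED_IT_TO_OT):
        print(f"segmentation gap: {name}: {reason}")
```

On the constructed data the PLC VLAN 192.168.20.0/24 shows up as a blind spot, and two rules are flagged: the any-port rule from the whole IT range into the plant LAN, and the engineering-workstation rule to Modbus (502) on the PLC VLAN, which may well be legitimate but is not on the stated allowlist and so needs to be either allowlisted deliberately or removed. Feeding this the real asset inventory, SIEM source list and exported rule base is the practical way to confirm the OT network is both monitored and segmented rather than assuming it.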

It was also crucial because, unlike other cybersecurity events that made headlines, it affected the average person on the street.

“While not the first attack on critical infrastructure, Colonial Pipeline was the moment that led to a state of emergency, fuel shortages and panic buying behaviors,” said Jasmine Henry, Director of Field Security for JupiterOne, a provider of cyber asset management and governance solutions.

Governments act against ransomware

The Colonial Pipeline event also spurred greater government activity aimed at protecting critical infrastructure around the world.

“The silver lining of the Colonial Pipeline attack has been the increased involvement of law enforcement and the U.S. government in fighting attackers, helping to recover or freeze illegally acquired cryptocurrencies, and collaborating internationally to stop ransomware actors,” noted Jason Rebholz, CISO of Corvus Insurance, a provider of risk management software solutions.

Another government response to the Colonial Pipeline attack was the Strengthening American Cybersecurity Act (SACA) passed earlier this year. It requires federal agencies and critical infrastructure owners and operators to report cyberattacks within 72 hours and ransomware payments within 24 hours; the critical infrastructure reporting obligations take effect once CISA finalizes the implementing regulations, so operators should treat the deadlines as coming rather than already enforceable.

“Transparency is one of the most overlooked aspects of security,” explained Matt Chiodi, a former Palo Alto Networks CSO who now works at a stealth-mode cybersecurity startup.

“Before SACA, critical infrastructure providers were not required to report cybersecurity incidents. This lack of transparency left many details about attacks and methods to guesswork, which meant little learning for the industry. SACA is changing that, and while its scope is limited to critical infrastructure, it will undoubtedly have a positive impact on other industries in the future.”

SACA, however, has its doubters. “The law is largely focused on reporting requirements, and information on how to better prevent and mitigate threats is sparse in the document,” said Jori VanAntwerp, co-founder and CEO of SynSaber, a network monitoring solutions company.

“An issue that comes up frequently in our conversations with critical infrastructure operators and asset owners is that they are wary of additional reporting requirements,” VanAntwerp said. “In the past, there has been little or nothing done with the information they provided to government entities.”

The European Union’s Network and Information Systems Directive (NISD) imposes security and incident-notification obligations on operators of essential services, with member states fining organizations for poor cybersecurity practices. Meanwhile, the UK’s National Cyber Strategy calls for increased levels of cyber resilience, particularly across Critical National Infrastructure (CNI).

Colonial Pipeline increased collaboration and information sharing

Ian Usher, deputy global head of the strategic threat intelligence practice at NCC Group, a global cybersecurity consultancy, notes that the Colonial Pipeline attack helped spur cross-industry partnerships to deliver collective defense models to secure critical infrastructure.

Cross-industry and operational collaboration within the critical infrastructure community has supported small and medium-sized businesses (SMBs) and other organizations that lack the necessary security infrastructure, especially where those organizations are target-rich but cyber-poor, he explained.

For example, consolidated information shared on platforms such as the StopRansomware website in the United States allows SMBs in critical infrastructure and other sectors to access key threat and mitigation information.

The Colonial Pipeline attack also made employees aware of ransomware. “Awareness of ransomware attacks is at an all-time high,” Rebholz said, “but while awareness leads to greater knowledge of the impacts of ransomware events, it doesn’t prevent them.”

Usher added that in most organizations, there has been an increase in efforts to promote awareness of the cyber threat landscape, the impact ransomware could have on them, and simple steps to identify and deal with potentially malicious emails. However, much of this good work has been impacted by COVID and the rapid shift to adopting remote and hybrid working methods.

“Removed from the corporate environment, employees have the potential to be more distracted and less security-conscious, not to mention more inclined to use third-party apps to facilitate remote collaboration,” Usher said.

“These factors dramatically increase cyber risk to organizations, and without proper training, remote workers are an ideal target for phishing scams, which unsurprisingly have seen a huge increase since the 2020 shutdowns.”

“I think most people are more aware of threats. However, at best, 4% of them will click on something they shouldn’t. Things are moving in the right direction, but attackers know very well how to adjust their tactics,” said Christopher Prewitt, CTO at MRK Technologies, a provider of bespoke cybersecurity solutions and services.

Greater value on IT resiliency

If the Colonial Pipeline attack has taught organizations anything, it’s the value of resilience. “Ransomware attacks have highlighted the need for greater resilience in computing environments,” Rebholz said. “Security is no longer just about keeping bad actors out, but must include creating a malleable environment that can withstand attacks.

“This is especially important for critical infrastructure,” Rebholz said, “since the impacts go beyond monetary loss – a cyberattack can result in chaos when essential services and goods are cut off from the general population.”

The cyberattack on Colonial Pipeline highlighted the fragility of our interconnected world and the impact cyberattacks have on our daily lives, said Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services.

“Whether it’s the executive suite allocating funds for IT security, small businesses installing antivirus, or the US President signing executive orders to bolster critical infrastructure and combat cybercrime, the socio-economic impact of the Colonial Pipeline attack was visible. The public’s perception of cybersecurity was no longer an annoying pop-up window or a lame toolbar.”

“I anticipate historians will regard Colonial Pipeline as one of the key incidents that shaped the course of cybersecurity,” Henry added. “As with WannaCry, both drove greater awareness, as WannaCry exposed the destructive potential of cyber threats to business leaders, while Colonial Pipeline raised public awareness.”
