Colonial Pipeline Anniversary: How have organizations improved their IT infrastructure?
A cyberattack in mid-May crippled Colonial Pipeline, one of the largest US oil pipeline operators – Copyright AFP/File Logan Cyrus
On May 8, 2021, U.S. Colonial Pipeline ceased operations due to a ransomware cyberattack, resulting in a rarely issued emergency declaration by the US federal government. A year later, what have companies learned from the incident?
Following the attack, cyber experts have urged businesses and organizations to strengthen their cybersecurity policies, procedures, staffing and resources. What progress has been made?
To learn more about the legacy of the year-long cyberattack, Digital diary contacted Benny Czarny, founder and CEO of OPSWAT, the leader in critical infrastructure protection, as an expert resource.
Czarny has over 25 years of experience in cybersecurity and privacy, which has given him unique insight into the Colonial Pipeline attack, particularly as cyberattacks on critical infrastructure grow more frequent.
According to Czarny, the key lessons are: “One of the key lessons organizations have learned is the need for a managed Security Operations Center (SOC): that is, operationalizing the response to ransomware and professional response teams and services”.
These lessons are:
An example in the critical infrastructure space is the managed operational technology (OT) SOC. This means better performance monitoring of all systems, applying standard change management processes, checking and deploying updates, and reacting immediately to any potential threats.
Organizations have also learned the need to protect their critical environments, especially with recent news of OT-specific malware (Pipedream/Industroyer2) and the Shields Up warning. Protection includes adopting a defense-in-depth approach, with end-to-end security measures from the cloud to the protection of critical operational assets. The revised TSA Pipeline Security Directive establishes a clear separation between IT and OT, with enhanced security measures, contingency plans, and recovery plans for the OT environment. Essentially, an incident in the IT environment is virtually unavoidable, but unlike in the Colonial Pipeline incident, OT operations should not be affected or shut down.
Organizations have also learned the need to assess both livelihood and financial risks. From a livelihoods perspective, critical organizations now understand both cyber and physical risks, including prioritization of risk areas, asset management and attack containment through more aggressive segmentation of critical data.
From a financial risk perspective, the Colonial Pipeline and other critical infrastructure attacks have taught organizations NOT to pay. There is no guarantee that they will regain access or that the data has not already been leaked or stolen. The payment also bolsters future, more sophisticated attacks, and it could be a violation of US sanctions.
Some believe ransomware as a service has diminished and mature attack groups are bringing their expertise in-house. This means that higher quality and more targeted ransomware will potentially be harder to detect and fix. Maybe there will be fewer attacks, but they might be more damaging and harder to recover from.
In summary, Czarny finds: “Finally, some security researchers believe that the ransomware group REvil (or another closely related to REvil) is working on a new ransomware operation, asking the question: is there a risk of ‘copying’ attacks with the upcoming one-year anniversary? The main concern is the growing aggressiveness of hacking groups because of increased law enforcement, especially with the high ‘ROI’ for attacks on critical infrastructure.”