Cybersecurity experts have warned about vulnerabilities within critical infrastructure for years. Those warnings came to fruition in May 2021, when Colonial Pipeline was hit with a ransomware attack. In response, the company temporarily shut down oil and gasoline delivery, which resulted in major panic and shortages all over the East Coast.
"The Colonial Pipeline attack was a major wake-up call to improve cyber defenses for critical infrastructure," says Tom Badders, senior product manager at Telos. "The attack vector for ransomware has typically been targeted to information technology networks. This was the first major attack on an operational technology network."
The attack brought much-needed attention to risks to the critical infrastructure and how something as simple as a stolen password can create a national nightmare. The immediate response was to come up with ways to prevent a similar attack (and there has not been one as of yet), but over the past year, have we really learned any lessons from Colonial Pipeline? Has anything changed in the way we think about protecting our systems, particularly critical infrastructure?
The Colonial Pipeline attack offered everyone, from government officials to ordinary citizens, a glimpse into what could happen and why it is vital to have a good security team with a solid mitigation plan in place, says Willy Leichter, CMO at LogicHub.
"In terms of wake-up calls, the Colonial Pipeline cyberattack was a good jolt of caffeine to the country," he says. "The Colonial security teams acted quickly, cautiously, and probably correctly to shut down the pipeline, although it took six days to get it back online."
But then the country hit the snooze button.
"Unfortunately, I think very little has changed," says Den Jones, CSO at Banyan Security.
Many companies still operate under the "it won't happen to me" assumption, Jones points out, and smaller organizations don't have the resources in place — or don't think they need them — to address a major cyber incident. When organizations do have security teams in place, they are spread thin.
"And perhaps worst of all," Jones adds, "organizations of all shapes and sizes haven't dramatically improved their basic security hygiene. This includes having sound, repeatable, audible processes for keeping systems patched and up to date, directory systems current, and making use of important tools like MFA. Remember, having a process doesn't mean it has to be complicated."
Some Progress Made
Little change isn't the same as no change, however. There have been signs of progress in the wake of the Colonial Pipeline attack.
"Government agencies have been more active in issuing security recommendations and creating much stricter rules about breach notification," says Leichter. Days after the ransomware attack was revealed, for example, the White House released an executive order requiring improvements to federal cybersecurity efforts. At the state level, more than 250 bills were introduced that deal directly with improving cybersecurity both overall and to directly protect government entities.
In addition, demand for operational technology security services has doubled since Colonial Pipeline, according to Darren Van Booven, cyber advisory practice lead at Trustwave. The increase, he says, "has mostly been driven from the board and C-level as a direct response to Colonial Pipeline. Organization leaders are calling for security system audits and assessments, ransomware protection strategies, and detection and response capabilities for advanced threats, such as cybergangs."
Another positive to come from the Colonial Pipeline attack was the public/private partnership to get the pipeline back into operational mode quickly. That effort has continued to see positive steps forward with the Biden administration's prioritization of such cooperation, codified by the Cybersecurity and Infrastructure Security Agency (CISA) when it launched the Joint Cyber Defense Collective to coordinate government and industry response to cyberattacks.
"Eighty-five percent of the nation's critical infrastructure is managed by the private sector," says Telos' Badders. "These organizations need the support of the US government to defend the country's vital infrastructure."
The Bad Guys Are Learning, Too
One of the greatest challenges facing cybersecurity teams is the knowledge that threat actors have access to the same technologies and intelligence that they do.
"The Colonial Pipeline ransomware attack exposed weaknesses in the US's critical infrastructure," says Jason Rebholz, CISO at Corvus Insurance. "For nation-states such as Russia, it served as a case study on how a single cyberattack can cause devastating impacts and incite chaos. The significance of that knowledge, given the current geopolitical environment, is cause for concern."
The bad guys may also be learning another lesson: targeting US critical infrastructure was too risky.
"Following the Colonial Pipeline attack, the DarkSide ransomware infrastructure was shut down and a portion of the ransom payment paid in Bitcoin was actually recovered," Rebholz explains. "Ransomware actors saw that they could not operate without repercussions — a clear line in the sand had been drawn."
Where Do We Go From Here?
Colonial Pipeline's ransomware attack highlights the need for greater resilience in IT environments. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks," says Rebholz.
Moving forward in a post-Colonial Pipeline cyber environment, organizations are making adjustments. Cyber insurance carriers, for example, have implemented mandatory controls including, but not limited to, network segmentation and robust backup solutions, and as a result the number of ransomware claims requiring a ransom payment has decreased. And the concept of zero trust, with the US government's endorsement, is getting more attention as a security approach.
"This attack showed that perimeter security can be defeated with a single password," says LogicHub's Leichter. "We must have defense-in-depth that understands context [and] assumes that threats can come from anywhere, and security systems [that] have the ability to detect and respond to new attacks at any stage."