Colonial Pipeline 1 Year Later: What Has Yet to Change?

The incident was a devastating attack, but it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed.

The Colonial Pipeline ransomware attack that took place exactly one year ago sent shockwaves across the nation that are still being felt today. A cyberattack with such massive real-world implications had never been seen before, let alone an attack on one of the largest critical infrastructure assets in the US that was initiated through an exposed virtual private network (VPN) password. During the attack, threat actors stole nearly 100GB of data, and not long after, Colonial Pipeline took its systems offline for several days to prevent the further spread of ransomware. Colonial Pipeline’s shutdown affected oil and fuel supplies in many states, and as a result, the US government declared a state of emergency.

Critical infrastructure, such as the information technology (IT) and operational technology (OT) systems managed by Colonial Pipeline, is a prime target for cybercriminals. These national assets not only store highly valuable government, company, and consumer data in their systems but could also dramatically disrupt society if compromised. The fact that the Colonial Pipeline attack was due to a security lapse served as a wake-up call for companies all over the world to rethink their cybersecurity postures.

In the wake of the attack, President Biden immediately signed an Executive Order on "Improving the Nation’s Cybersecurity," which emphasized that incremental improvements are not enough; bold change and significant investments in cybersecurity must be made to defend critical infrastructure. Federal agencies and organizations were provided with a timeline and steps to advance their cybersecurity strategies and infrastructure. However, in the months following Colonial Pipeline, the US also witnessed several other critical incidents that made national headlines, including the Kaseya ransomware attack and the discovery of the Log4j vulnerability baked into the foundations of the world’s software applications. It is evident, then, that many real changes have yet to be made. Let’s take a deeper look at the developments organizations must make to their cybersecurity postures to protect the nation’s critical infrastructure.

Further Visibility into Business-Critical Applications is Crucial
Recent legislation, such as the Cybersecurity Executive Order and the Cyber Incident Reporting for Critical Infrastructure Act, marks an improvement in the nation’s cybersecurity landscape, as it imposes specific regulatory requirements and provides further transparency into organizations’ cyber events. Despite these developments, many organizations responsible for the nation’s critical infrastructure are still operating without visibility into the security of their business-critical applications, as demonstrated by the wave of attacks that followed Colonial Pipeline. Organizations must understand that systems such as enterprise resource planning (ERP), supply chain management, and logistics management are interconnected and support mission-critical operations that can be severely disrupted if they are compromised by adversaries. A universal shift in enterprise cybersecurity strategies is crucial to ensure organizations can swiftly recover from a cyberattack as damaging as the Colonial Pipeline attack.

Taking Actions to Defend the Nation’s Critical Systems
Without stronger security controls, business-critical systems will remain vulnerable to attack. Proper defenses need to be in place to ensure America’s valuable data is protected. Below are several actions organizations must take to protect their sanctioned resources:

  • Obtain visibility into critical assets: Enterprises must gain full visibility into all critical and connected systems to eliminate any system blind spots. By obtaining a comprehensive view of the IT and OT systems, organizations can discover internal and external threats and assess their impact in real time.
  • Implement vulnerability management tools: As vulnerabilities are an easy point of entry into business-critical assets, organizations should incorporate advanced vulnerability management into their cybersecurity posture, including automated tools that scan for system weaknesses. Automated vulnerability management technologies identify where misconfigurations, authorization issues, and missing patches exist and automatically apply the necessary mitigations.
  • Adopt cybersecurity best practices: Improving threat detection and response can help close many gaps that exist in cybersecurity postures; however, adopting cybersecurity best practices is absolutely essential to mitigate unauthorized access to privileged accounts. Enterprises must ensure their employees are cognizant of all threats they may face in their day-to-day operations, such as highly targeted phishing schemes.

While the Colonial Pipeline incident was a devastating attack, it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed. Enterprises that make active efforts to strengthen their cybersecurity strategies will be able to proactively mitigate threats as they arise, exceed regulatory compliance requirements, and ultimately foster trust with their employees, customers, and the community as a whole. Moving beyond Colonial Pipeline is possible but cannot be done without real improvement in cybersecurity defenses.