The second anniversary of the Colonial Pipeline ransomware attack has come and gone, and while many lessons have been learned and assimilated, there’s still more we can do. Security Boulevard reached out to some experts in the industry to see how far we’ve come and where work still needs to be done.
For those in the energy sector, the challenge is remaining focused on updating your networks, both internal IT and OT networks, as well as your external supervisory control and data acquisition (SCADA) networks. Let’s dig in and review some of the other lessons learned from this devastating attack.
Supply chain security was one area that was pushed into the spotlight. “The period since Colonial [Pipeline] has given folks time to work through the scope of supply chain security,” said Christopher Blask, VP of strategy at Cybeats. “Good progress has been made in developing processes to track and appropriately communicate the composition and custody of software. Software bill of materials (SBOM) standards and requirements, as a key example, have become embedded in business processes across a range of sectors. Expect the same going forward as we further tighten the gaps that allowed incidents such as Colonial [Pipeline] to happen.”
The Biden administration brought an all-of-government approach to bear following the attack, convening a 30-nation virtual summit. In December 2022, the U.S. House of Representatives passed H.R.7777 – the Industrial Control Systems Cybersecurity Training Act, which is now in the hands of the Senate. And the Cybersecurity Infrastructure Security Agency (CISA) rolled out on-point advice for both the energy sector as well as companies large and small. Asaf Kochan, co-founder and president at Sentra, pointed out that cybersecurity has moved up the ladder to become an executive and board-level concern since the attack. “Ransomware went from being a criminal issue to a national security issue as evidenced by the Biden administration’s actions. Cybersecurity within companies moved from being a CISO/CSO issue to a board/CEO/COB issue, as cybersecurity is viewed more and more as a business enabler.”
“More awareness was generated around the convergence of operational technology (OT) networks and business/IT networks. This is a topic that has been discussed for a long time within the infosec community, but the Colonial Pipeline incident really proved the potential risks associated with converged OT/IT networks,” explained Kyle Wilhoit, director of threat research, Unit 42 at Palo Alto Networks.
The importance of having an incident response plan, including a public relations component, was also driven home, observed Simon Hunt, board advisor, National Cyber Group. “One of the stand-out lessons from the Colonial Pipeline attack was that reputational damage and the reactions from customers can be completely disproportionate to the actual cybersecurity impact. Colonial reminded us that customer reactions could be unpredictable and that even crisp and precise messaging can be misinterpreted, ignored or, worse, twisted beyond recognition. One lesson from Colonial is the importance of a mature and well-considered communication plan, which encompasses the opportunity for misunderstanding. Without such, communicating technical facts is unlikely to generate the desired customer response. ‘We know little, we are actively investigating, please bear with us’ is no longer sufficient,” Hunt said.
Similarly, the legal and cyberinsurance community stood up and took notice. Violet Sullivan, VP of client engagement for Redpoint cybersecurity and cybersecurity law adjunct professor for Baylor Law School, commented, “We have learned that blue-collar industries have more endpoints that are focused on ‘fast’ rather than ‘safe,’ and this remains as true today as it was in 2021.” In addition, the Colonial Pipeline attack shined the light on the IoT, and “IoT issues abound when tools are added and digitized without a cohesive structure, though we do see movement across the energy sector to adjust,” Sullivan said.
Both Sullivan and Kochan noted that many critical infrastructure networks consist of legacy equipment. Kochan highlighted how the NOTAM software update failure highlighted that the generational gap in advancement with technologies within government is systemic.
Lessons to Learn
“We still need to learn to collaborate and share more technical tactics, techniques and procedures,” Wilhoit said. He highlighted the work of the Biden administration and other countries in bringing forward public-private partnerships. He called out the Joint Ransomware Task Force and the Joint Cyber Defense Collaborative (JCDC) as examples of initiatives brought forth to address information sharing and collaboration. He also opined that the industry needs to “proactively examine critical infrastructure and how OT environments could cause national impact in the wake of an incident.”
Sullivan added that the energy sector is leaving themselves vulnerable without cyberinsurance, and while the Colonial Pipeline may have been the ‘morning alarm clock,’ it was not a sufficient wakeup call. “It’s likely that business interruption for oil and gas companies have many of the same ripple effects as contract disputes and litigation played out in the contract/property law space. Insurance-wise, I find that a lot of organizations in the utility industry don’t have cyberinsurance and don’t realize that most cybersecurity incidents will not be able to collect under a commercial general liability or property policy,” she said.
Wilhoit noted that ransom payments and whether or not to pay remains a topic of debate. “We still see many organizations paying the ransom. While I know some organizations must make this difficult decision based on the potential business risk, when we continue to pay ransomware actors, we propagate and facilitate these types of attacks. Organizations should dedicate budget, resources and employees to preparing for attacks like what we saw against Colonial [Pipeline].”
Event amnesia is alive and well in the world of cybersecurity, and the Colonial Pipeline incident is no exception. Wilhoit noted that, “So far, in 2023, Unit 42 Threat Researchers have already witnessed ransomware actors claim responsibility for impacting more than 1,250 organizations on ransomware leak sites alone. The sheer volume of compromises and daily reports tend to typically evaporate from memory quickly.” Kochan observed that we’re human, and we tend to forget and move on and that industry has “reverted to, ‘at the end of the day, were we up and running and generating revenue? Okay.’ But on a national level, the Biden administration isn’t and hasn’t forgotten—they have taken action and are taking actions to bring resources to the industry.”
Kochan added that since there has not been a move from legacy systems to a more secure environment like the cloud, unfortunately, it may take yet another event to incrementally move the industry forward.