A cyberattack in mid-May paralysed Colonial Pipeline, one of the largest US oil pipeline operators – Copyright AFP/File Logan Cyrus
On May 8, 2021, U.S. Colonial Pipeline shut down its operations due to a ransomware cyberattack, leading to a rarely issued emergency declaration by the U.S. federal government. One year on, what have businesses learnt from the incident?
Following the attack, cyber experts urged companies and organizations to strengthen their cyber-related policies, procedures, staffing and resources. What progress has been made?
To understand more about the legacy of the cyberattack one year one, Digital Journal reached out toBenny Czarny, Founder and CEO of OPSWAT, the leader in critical infrastructure protection, as an expert resource.
Czarny holds over 25 years of experience in the cybersecurity and privacy space, giving him unique insights on the Colonial Pipeline attack, especially with increasingly frequent cyberattacks on critical infrastructure.
According to Czarny, the core lessons include: “A major lesson organizations have learned is the need for a managed Security Operation Center (SOC): that is, operationalization of ransomware response and professional response teams and services.”
These lessons are:
An example within the critical infrastructure space, is managed Operational Technology (OT) SOC. This means better performance monitoring of all systems, enforcing standard change management processes, vetting and deploying updates, and immediately reacting to any potential threats.
Organizations have also learned the need to safeguard their critical environments, especially with the recent news of OT-specific malware (Pipedream/Industroyer2) and Shields Ups warning. Safeguarding includes adapting a defense-in-depth approach, with end-to-end security measures from the cloud all the way down to protecting critical operational assets. The revised TSA pipeline security directive makes a clear separation between IT and OT, with enhanced security measures, disaster, and recovery plans for the OT environment. Essentially, an incident at the IT environment is virtually inevitable, but contrary to the Colonial Pipeline incidents – OT operations shouldn’t be impacted and shouldn’t be shut down.
Organizations have also learned the need to assess both livelihood and financial risks. From a livelihood perspective, critical organizations now understand both cyber and physical risks, including prioritization of risk areas, and asset management and containment of attacks through more aggressive segmentation of critical data.
From a financial risk perspective, Colonial Pipeline and other critical infrastructure attacks have taught organizations NOT to pay. There is no guarantee they will regain access or that data has not already been leaked or stolen. Payment also reinforces future and more sophisticated attacks—and it could be a US Sanctions Violation.
Some believe that ransomware-as-a-service has tapered off and mature attack groups are bringing expertise in-house. This means higher quality and more targeted ransomware will be potentially harder to detect and remediate. Perhaps there may be fewer attacks, but they could be more damaging and difficult to recover from.
Summing up, Czarny finds: “Lastly, some security researchers believe REvil ransomware group (or another closely tied to REvil) is working on a new ransomware operation, begging the question: Is there a risk of “copycat” attacks with the one-year anniversary coming up? The main concern is the increasing aggressiveness of hacking groups from increased crackdowns—especially with the high “ROI” for attacks on critical infrastructure.”