It's been just over a year since the American public got a taste of what a cyber attack could do to their way of life. A ransomware sortie on Colonial Pipeline forced its owners to shut down operations and leave half the country's East Coast in a lurch for refined oil.
Since that time, efforts have aimed at making the nation's critical infrastructure more resilient and to counter the scourge of ransomware. The question is whether enough is being done fast enough.
"The attack on Colonial Pipeline was an eye-opener — not so much because of the risks about ransomware, but because of the threat landscape moving dangerously close to the critical infrastructure that underpins societies," said Gartner vice president, Katell Thielemann.
"On that front, it was a wake-up call that spurred all kinds of activities, from cyber security sprints in the electric utility sector led by the Department of Energy to security directives from the TSA to pipeline, rail, and airport operators, to a new law establishing upcoming mandates for incident reporting.
"The attack on the Colonial Pipeline was not so much a pivotal moment for ransomware attacks as it was a pivotal moment for the risks to critical infrastructure," Thielemann added.
Because of the Colonial Pipeline attack, many CISOs became aware of significant blind spots in their security operations centres (SOCs) because they weren't monitoring their operational technology (OT) networks.
"It also raised visibility for other mitigations, such as network segmentation, which MITRE ATT&CK categorises as essential to preventing access to safety-critical systems such as industrial control systems," said Phil Neray, vice president of cyber defence strategy at CardinalOps, a threat coverage optimisation company.
It was also pivotal because, unlike other headline-grabbing cyber security events, it affected the average person in the street.
"While it wasn't the first attack on critical infrastructure, Colonial Pipeline was the moment that resulted in a state of emergency, fuel shortages and panic buying behaviours," said Jasmine Henry, field security director for JupiterOne, a provider of cyber asset management and governance solutions.
Governments act against ransomware
The Colonial Pipeline event also spurred greater government activity aimed at protecting critical infrastructure around the globe.
"The silver lining of the Colonial Pipeline attack has been the increased involvement of law enforcement and the U.S. government in taking the fight to the attackers, helping to retrieve or freeze illicitly acquired cryptocurrencies, and collaborating internationally to arrest the ransomware actors," noted Jason Rebholz, CISO of Corvus Insurance, a risk management software solutions provider.
Another government reaction to the Colonial Pipeline attack was the Strengthening American Cybersecurity Act (SACA) passed earlier this year. It requires federal agencies and critical infrastructure owners and operators to report cyber attacks within 72 hours and ransomware payments within 24 hours.
"Transparency is one of the most overlooked aspects of security," explained Matt Chiodi, a former CSO at Palo Alto Networks now working on a cyber security start-up in stealth mode.
"Prior to SACA, critical infrastructure providers were not required to report cyber security incidents. This lack of transparency left many details of attacks and methods to be guessed at, which meant little learning for the industry. SACA changes that, and while its scope is limited to critical infrastructure, it will no doubt also positively impact other industries in the future."
SACA, though, has its skeptics. "The act is largely focused on reporting requirements, and insights on how to better prevent and mitigate threats are in short supply within the document," said Jori VanAntwerp, co-founder and CEO of SynSaber, a network monitoring solution company.
"One issue that comes up frequently in our conversations with critical infrastructure operators and asset owners is that they're wary of additional reporting requirements," VanAntwerp said. "In the past, there has been little to nothing done with the information that they have provided to government entities."
The European Union issued the Network and Information Systems Directive (NISD), which fines organisations for poor cyber security practices. Meanwhile, the UK’s National Cyber Strategy underscores increased levels of cyber resilience, in particular with critical national infrastructure (CNI).
Colonial Pipeline increased collaboration and information sharing
Ian Usher, deputy global practice lead for strategic threat intelligence at the NCC Group, a global cyber security consultancy, notes that the Colonial Pipeline attack has helped stimulate cross-industry partnerships to provide collective defence models to secure critical infrastructure.
Collaboration across sectors, and operationally within the critical infrastructure community, has supported small- to mid-sized businesses (SMBs) and organisations that lack the necessary security infrastructure, notably where organisations are target rich but cyber poor, he explained.
For example, consolidated information shared on platforms such as the Stop Ransomware website in the U.S. allows SMBs in critical infrastructure and other sectors to access key information around threats and mitigations.
The Colonial Pipeline attack has also raised employee awareness of ransomware. "Awareness of ransomware attacks is at an all-time high," Rebholz said, "but while awareness leads to increased knowledge of the impacts of ransomware events, it does not prevent them."
Usher added that across most organisations, there has been an increase in efforts to promote an awareness of the cyber threat landscape, the impact ransomware could have to them, and simple steps to identify and deal with potentially malicious emails. However, much of this good work was impacted by COVID and the rapid shift to adopt remote and hybrid ways of working.
"Removed from the corporate environment, employees have the potential to be more distracted and less security conscious, not to mention more inclined to use third-party applications to facilitate remote collaboration," Usher said.
"These factors greatly increase the cyber risk to organisations, and without proper training, remote workers are a perfect target for phishing scams, which has unsurprisingly seen an enormous increase since the lockdowns of 2020."
"I believe most people are more aware of threats. However, at best, four per cent will click on something they shouldn’t. Things are moving in the right direction, but attackers are very good at adjusting tactics," said Christopher Prewitt, CTO at MRK Technologies, a customised cyber security solutions and services provider.
Greater value on IT resilience
If the Colonial Pipeline attack taught organisations anything, it's the value of resilience. "Ransomware attacks have highlighted the need for greater resilience in IT environments," Rebholz said. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks.
"This is especially important for critical infrastructure," Rebholz said, "since the impacts extend beyond monetary loss — a cyber attack can translate into chaos when essential services and goods are cut off from the larger population."
The cyber attack on Colonial Pipeline highlighted the fragility of our interconnected world and the consequences cyber attacks have on our daily lives, said Davis McCarthy, principal security researcher at Valtix, a provider of cloud native network security services.
"Whether it was the C-suite allocating funds for IT security, small businesses installing anti-virus, or the U.S. president signing executive orders to bolster critical infrastructure and combat cybercrime, the socioeconomic impact of the Colonial Pipeline attack was visible. The public perception of cyber security was no longer an annoying popup or lame toolbar."
"I anticipate that historians will look at Colonial Pipeline as one of the key incidents that shaped the course of cyber security," Henry added. "As with WannaCry, both resulted in greater awareness, since WannaCry revealed the destructive potential of cyber threats to business leaders, while Colonial Pipeline raised public awareness."