The Colonial Pipeline ransomware attack, two years later.
N2K, May 9, 2023

The attack on Colonial Pipeline provides some lessons that are still being learned two years later.

Sunday marked the second anniversary of the Colonial Pipeline ransomware attack, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a short statement on the lessons learned from it. The general problem the attack exposed, as CISA frames it, is ransomware, and countering it requires effective, centralized information-sharing, interagency cooperation, and a robust public-private partnership.

Shields Up.

Russia’s war against Ukraine brought urgency to the US Government’s preparations for cyberattacks against critical infrastructure. That is the threat CISA’s Shields Up campaign was designed to counter. CISA and its sister Homeland Security agency, the Transportation Security Administration (TSA), also established close working relationships with more than twenty-five major pipeline and industrial control systems organizations to strengthen the common defense, and CISA received authority from Congress to expand the visibility and threat detection program it operates as CyberSentry.

Obviously, the statement says, work remains to be done, not only in improving information-sharing and threat detection, but in assigning cybersecurity an appropriately high priority and aligning incentives in ways that promote security.

The reality of critical infrastructure protection.

Mike Hamilton, former CISO of Seattle and CISO of Critical Insight, sees the incident as the intrusion of the reality principle into critical infrastructure protection.

"The biggest takeaway, or legacy for which these events will be remembered, is that for all the talk about the criticality of some sectors there had not been much guidance given on cybersecurity controls and resilience to those sectors. Only after we saw actual critical infrastructure be compromised, and its effect on a good part of the US population, did the federal government begin to direct the sector-specific agencies to be unambiguous about security – both in the form of guidance and incentives. Pipelines, healthcare, aviation, rail and water have all since received new marching orders and there will be more.

"Because of the extent of the disruption and the size of the population affected, the federal government reinvigorated the critical infrastructure protection ecosystem with an emphasis on cybersecurity controls. Sector-specific agencies (with the TSA being the SSA for pipelines), which adjudicate the security requirements for their respective sectors, were given clear instructions to communicate control requirements. Since the Colonial Pipeline incident, these instructions have been provided to rail, aviation, water, healthcare, and pipelines.

"The specific weakness exposed by the Colonial Pipeline attack is that the operators did not have good procedures for a cold start. Once Colonial shut down the pipeline operation out of an abundance of caution (only the administrative networks were affected by the ransomware) it took far too long to restart, which lengthened the existing fuel supply problem. This again is a resilience issue – you need to be able to take a punch and get off the mat before that 10-count is over.

"Monitoring operational networks has always been a challenge because of the non-IP protocols in use (e.g. MODBUS, DCOM, etc.) and the ability to perform this monitoring has improved through companies like Armis, Dragos, et al. Additionally, more are pivoting to managed monitoring and response services for a reliable and sustainable SOC operation for detection, investigation, response and recovery to cover 24/7 operations without competing for professional resources that are in short supply.

"As most of the SSAs are recommending self-assessment and attestation against the NIST Cybersecurity Framework, these organizations should have no trouble, as the CSF is outcome-based rather than prescriptive. However, to close the control gaps identified by such an assessment, investment and resources are required, and this will be more difficult, time-consuming, and expensive."

Segmentation, visibility, monitoring, and cooperation between IT and OT.

The incident began with an attack on business systems, yet this IT incident affected the operation of an industrial system. Jori VanAntwerp, CEO and Co-Founder of SynSaber, argues that important lessons should be drawn from Colonial Pipeline's experience:

"The Colonial Pipeline incident highlighted how vital segmentation, visibility, monitoring, and OT/IT collaboration are. The incident also reinforced that these pillars of OT security need to be considered not only in new environments, but also within existing infrastructure.

"I think it's important to understand that ransomware in OT environments is very different from IT. A critical question to ask is, what would be ransomed? The ladder logic on a PLC? Not to make light of the concern, as it can cause disruption, but in most cases not to the extent that it does in IT, where critical data can be held for ransom. The major change in the last two years is that organizations now recognize the visibility gap and have identified some single points of failure, and are either architecting or deploying solutions to decrease that gap in their specific environments.

"With the proper level of segmentation, collaboration, and visibility/monitoring, those organizations can absolutely feel more confident about their ability to continue service and production while responding to an incident.

"Regulation is only one part of the solution, and unfortunately, it is only in the beginning stages. I believe that regulators are doing their best to address these concerns, but it will take time for organizations to comply with new regulations, especially in critical infrastructure. It's just too early in the journey to judge."