It’s been six months since the Colonial Pipeline ransomware attack in which hacking group DarkSide compromised the pipeline’s IT systems, forcing the company to halt operations to prevent the ransomware from spreading to the pipeline controls themselves. The attack instantly made the cybersecurity of critical infrastructure into a top corporate and national priority.
Since then, there’s been a slew of federal directives, guidelines, and mandates aimed at preventing Colonial 2.0, coupled with promises from companies in the critical infrastructure sector. We’ve seen an unprecedented amount of progress—from executive orders to cyber recruitment programs—but there’s still a long way to go. As such, here are three of the positive trends we’ve seen since the Colonial Pipeline attack:
Colonial brought to light just how vulnerable infrastructure environments and the equipment within them truly are. For companies using legacy technology, rapid digital transformation and increasing connectivity have exacerbated existing security concerns. While real-world operations may have been “air-gapped” in the past, this is no longer the case.
Furthermore, operational infrastructure still tends to lack the security controls required for protecting against and withstanding attacks on digital control systems. In remote work environments, traditional perimeter-based security strategies such as VPNs and firewalls are not sufficient (the Colonial attack was launched through a stale VPN account); traditional perimeter cybersecurity must get coupled with a zero-trust architecture that verifies and authorizes each access based on individual identities. This preventative strategy ensures that, even if hackers manage to break in, their access is siloed and operations are undisturbed. Because many real-world operations have historically lacked clear incentives or a sense of urgency to embrace this kind of best-in-class zero trust cybersecurity, there’s an urgent need for change.
The Colonial attack made it clear that real-world operations are continually under attack and that security must accordingly become a priority. Fortunately, we’ve since seen a shift from emphasizing merely the detection of attacks to blocking them at the source with zero-trust. Within the National Institute of Standards and Technology (NIST) zero-trust architecture framework, the “protection and response” category now gets more attention than the “identify and detect” category. Moreover, an upcoming version of an NIST framework will incorporate topics on zero-trust security for industrial control systems specifically.
Change requires more than a promise—it requires investment. The Colonial attack quickly spurred an unprecedented level of cybersecurity funding: the Biden administration’s infrastructure bill contains nearly $2 billion earmarked specifically for improving the nation’s cybersecurity posture. What’s more, Gartner predicts that worldwide security and risk management spending will exceed $150 billion in 2021—a 12.4% increase over 2020.
While an increase in federal funding and corporate investments represents a solid start, it must also extend to recruiting and training the cybersecurity workforce. Today, there are more than 460,000 unfilled cybersecurity jobs nationwide, illustrating the acute shortage of skilled professionals. These positions can become dangerous when left unfilled for too long; in fact, Colonial Pipeline was looking to fill two security leadership positions only weeks before the May ransomware attack. DHS recently announced the Cyber Talent Management System, which will streamline the application process for potential DHS Cybersecurity Service employees; this represents a step in the right direction.
It became clear since the Colonial attack that increased security regulations are overdue. Within the span of just a few months, we saw an Executive Order, two TSA Security Directives, and a National Security Memorandum that established the Industrial Control Systems Cybersecurity Initiative. Additional mandates in the future are likely; these could include annual audit programs, penalties for non-compliance, and certification programs.
For these regulations to have their desired impact, we need to have enhanced communications between the federal government and the private sector. In the aftermath of Colonial, and the wave of regulatory mandates that came soon after, there was confusion about the extent to which new requirements were required, and how soon—resulting in important and time-sensitive decisions being delayed. Going forward, clear cooperation and collaboration, resting on the shared understanding of the high stakes involved, will help ensure that future mandates are implemented effectively.
Six months ago, it was relatively common for the owners of real-world operations to believe that they’d never experience a cyberattack. Today, as ransomware attacks increase, that’s no longer a realistic mindset. The Colonial Pipeline attack was the world’s wake-up call. The industry needs to respond quickly enough so that similar attacks on critical infrastructure won’t happen again.
Duncan Greatwood, chief executive officer, Xage