8 Big Changes Expected After The Colonial Pipeline Hack: RSA 2021
From new disclosure rules to the hardening of critical infrastructure systems to retaliatory actions from the U.S. government, here are eight big changes expected after the Colonial Pipeline hack.
Ransomware Gone Awry
More than 10,000 gas stations had empty pumps after a Darkside ransomware attack against Alpharetta, Ga.-based Colonial Pipeline jeopardized fuel access for more than 50 million Americans. The May 8 hack forced Colonial to shut down for five days its 5,500-mile pipeline, which people from Houston to New York City rely on to bring refined fuel products from the Gulf Coast to their homes or businesses.
Colonial reportedly paid a ransom of nearly $5 million to Darkside in a push to speed up the restoration process, but Darkside’s decryption tool was so slow that Colonial ended up using its own backups to restore its system, Bloomberg reported Thursday. This reportedly is one of the biggest ransomware payments ever made, exceeding the $2.3 million Travelex paid to Sodinokibi following a ransomware attack.
CRN spoke with eight prominent C-suite executives at RSA Conference 2021 about the long-term ramifications of this unprecedented ransomware attack. From new rules around information sharing and disclosure to the hardening of critical infrastructure systems to retaliatory actions from the U.S. government, here are eight big changes expected in the wake of the Colonial Pipeline hack.
Higher Expectations Around Disclosure
There’s going to be an expectation going forward that enough information is shared by cyberattack victims to benefit similarly situated organizations, according to Sophos CEO Kris Hagerman. More disclosure allows the industry as a whole to be more aware of the cyberthreats out there as well as how to stay protected against exploits that are currently active in the wild, Hagerman said.
Victims need a mechanism to disclose in a private and confidential manner quickly and thoroughly what happened, why it happened and who the perpetrators are believed to be, according to Hagerman. There should be mandatory disclosure around incidents that rise to a certain magnitude or trip specific triggers, rather than allowing the organization to decide for itself whether or not it wishes to share.
In addition, Hagerman expects the current decentralized, laissez-faire approach to cybersecurity regulations in the U.S. to be supplanted by something that requires endpoint protection, an active incident response plan and regular third-party testing. There will be a baseline set of security best practices that get rolled out by federal agencies to companies in the critical infrastructure space.
More Focus On Critical Infrastructure
Critical infrastructure hasn’t received enough focus and diligence from cyberdefenders, and IoT and OT networks remain vulnerable due to a lack of energy and thought around how they should best be protected, according to RSA Security CEO Rohit Ghai.
Dated technology that is difficult to update, does not receive robust security updates and is refreshed far less frequently than the technology in the IT stack is still being used in critical infrastructure environments, Ghai said. “It’s high time we stop being surprised by critical infrastructure attacks and put some emphasis there too,” Ghai told CRN.
Protocols are quite different in critical infrastructure networks, which Ghai said makes it quite difficult to discern anomalous or malicious traffic without significant investment and focus. Hackers can also disrupt critical infrastructure through physical access to those systems and from there get their foot in the door to disrupt the cyber side of IT operations, according to Ghai.
Improve Information-Sharing Practices
The industry needs to find better ways to share cyberthreat information so that defenders can have a comprehensive view of the world and more effectively combat the threats they face, according to Barracuda President and CEO BJ Jenkins. Information, however, is a competitive weapon, and it’s therefore hard to get attack victims to share details that could be helpful to competitors, he said.
The government has an important role to play around coordination, standards and awareness, and Jenkins would like to see data-sharing standards as well as minimum requirements for incident disclosure. Companies tend to be very parochial and have historically been too interested in protecting their brand or reputation rather than the security or privacy of their customers, according to Jenkins.
Information sharing today just takes way too long even though speed and coordination are needed when responding to a widespread incident like the Colonial Pipeline ransomware attack, Jenkins said. Improving processes and engagement around data sharing will help ensure that knowledge, fixes and remediation strategies quickly make their way to companies that could be targeted in the future.
Harden Critical Infrastructure Environments
There are so many different steps or processes that an organization can follow to harden its OT environment as much as it possibly can, according to Rob Cataldo, managing director of Kaspersky North America. Events like the Colonial Pipeline ransomware attack are an eye-opener for large critical infrastructure organizations that want to ensure their controllers are hardened as much as possible.
Organizations need to see their own security posture through the lens of an adversary by conducting security assessments and penetration tests against themselves, Cataldo said. Companies must examine their internal practices around governance as well as their internal tools to ensure they’re mitigating targeted threats going forward, according to Cataldo.
An in-house security operations team can provide organizations with the proper people, processes and internal tools to properly defend themselves and detect threats early, Cataldo said. Businesses trying to be economical can outsource security operations functions to an MSSP, which will be tasked with stopping the same events from happening time and time again, according to Cataldo.
Go On The Offense
The U.S. government is going to have to get much more engaged with the scourge of ransomware not just from a notification standpoint, but also as it relates to taking offensive action, according to SonicWall CEO Bill Conner. America needs to disrupt the digital supply chain of hackers to help protect the interest of businesses and avoid constantly being put in a defensive position, he said.
Russia and China have cyberoperators that work at arm’s length from the government to ensure both regimes always have plausible deniability, Conner said. Conversely, 95 percent of the U.S.’ cyberdefense is in the hands of the private sector with little help from the government, according to Conner.
The U.S. needs to invert its approach and bring its offensive capability to bear against the offensive capability of other cyberadversaries to blunt their firepower and give America’s cyberdefenders a chance to catch up, Conner said. America’s offensive cybersecurity capability is huge, and the country should utilize those assets more frequently, according to Conner.
Prioritize And Automate Patching
Customers want to be able to prioritize the patches that deliver the most value from a risk mitigation perspective and are looking for help triaging and fixing vulnerabilities rather than simply getting a list of issues, according to Qualys President and CEO Sumedh Thakar. The sooner an organization can bridge the gap and patch a vulnerability, the more quickly it can reduce its attack surface, Thakar said.
Certain patches are more helpful for fixing critical exploitable vulnerabilities, and prioritization work is therefore important to ensure that companies are getting the most bang for their buck, Thakar said. Attackers tend to push quickly after gaining entry into a victim to see what they can grab and strengthen their foothold in the organization, according to Thakar.
Most software can be patched automatically without adding significant risk since patches are typically safe, which in turn eliminates the need to patch systems manually, according to Thakar. But for more sensitive assets such as server software, Thakar said customers might want to have additional checks before applying the patches automatically.
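The risk-based triage and auto-patch gating described in the three paragraphs above, as an added example that is not Qualys code or any product's logic. The weighting (active exploitation doubles the score, internet exposure and server placement add to it) and the two asset classes are assumptions chosen to illustrate the idea; the findings and identifiers are constructed sample data, not real CVEs.

```python
"""Risk-based patch prioritization with an auto-apply gate for sensitive assets.

Added illustration; the scoring weights and asset classes are assumptions,
and every finding below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str              # hostname (constructed)
    asset_class: str        # assumed classes: "workstation" or "server"
    cvss: float             # base severity score, 0-10
    exploited_in_wild: bool # evidence of active exploitation
    internet_facing: bool   # reachable from outside the perimeter


def risk_score(f: Finding) -> float:
    """Turn raw severity into a risk figure that reflects exploitability and exposure."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 2.0      # an actively exploited bug outranks a higher CVSS that nobody uses
    if f.internet_facing:
        score += 2.0      # exposed services are reached first
    if f.asset_class == "server":
        score += 1.0      # compromise here gives the attacker a stronger foothold
    return score


def prioritize(findings):
    """Highest-risk findings first, so the patch queue fixes what matters most."""
    return sorted(findings, key=risk_score, reverse=True)


def patch_action(f: Finding) -> str:
    """Commodity endpoints get patches automatically; sensitive assets need a check first."""
    if f.asset_class == "server":
        return "approval-required"
    return "auto-apply"


def plan(findings):
    """Return (vuln_id, action) pairs in the order the patches should be worked."""
    return [(f.vuln_id, patch_action(f)) for f in prioritize(findings)]


# Constructed sample findings (not real vulnerabilities or hosts).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "ws-01", "workstation", 9.8, False, False),
    Finding("VULN-0002", "web-01", "server", 7.5, True, True),
    Finding("VULN-0003", "db-01", "server", 5.0, False, False),
    Finding("VULN-0004", "ws-02", "workstation", 6.5, True, False),
]

if __name__ == "__main__":
    for vuln_id, action in plan(SAMPLE_FINDINGS):
        print(vuln_id, action)
```

Note that the highest CVSS in the sample (9.8 on a workstation) does not come out first: a lower-rated bug that is already being exploited on an internet-facing server does, which is the "most bang for the buck" ordering the passage argues for.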
Centralized Policymaking To Learn From Mistakes
The cybersecurity industry needs an organizing agency akin to the National Transportation Safety Board, said Cisco Security Chief Strategy Officer Dug Song. The drive to understand and analyze cyberattacks from a national security perspective is important and requires the right technology and policies, he said.
“In cybersecurity, we keep crashing the plane and saying, ‘Woe is me,’” Song told CRN. “We are the country at the most risk of digital disruption because we are the most advanced.” Song said the interdependence of our system and technology has left us exposed to random critical attackers who never wanted to get the attention of or be chased by the U.S. government.
A list of the materials used during the software build process should be readily available since—like an ingredient list for a food product—it allows the user to get a better sense of whether there’s anything in there that could harm them, Song said. “Sometimes the dog does catch the car,” Song said. “We are all now targets of chance as much as targets of choice.”
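The "ingredient list" Song describes is a software bill of materials; checking it against known advisories is how a user learns whether anything in a build could harm them. The following is an added example, not Cisco code or any real tooling: it reads a minimal CycloneDX-style SBOM (only the `bomFormat`, `specVersion` and `components` fields are used) and reports components whose version predates the fix named in an advisory. The SBOM document, the advisory list and its identifiers are all constructed; the simple dotted-numeric version comparison is an assumption that suits the sample and would need a proper version library for real package ecosystems.

```python
"""Check a minimal CycloneDX-style SBOM against a list of advisories.

Added illustration; the SBOM, the advisories and their identifiers are
constructed sample data, and the version comparison is a simplifying assumption.
"""
import json

# Constructed SBOM: a handful of fictitious libraries in CycloneDX JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3"},
    {"type": "library", "name": "parserlib",  "version": "0.9.1"},
    {"type": "library", "name": "netlib",     "version": "2.0.0"}
  ]
}
"""

# Constructed advisories (placeholder IDs, not real CVEs). "fixed_in" is the first safe version.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libexample", "fixed_in": "1.2.4"},
    {"id": "ADV-0002", "name": "netlib", "fixed_in": "1.9.0"},
]


def parse_version(version: str) -> tuple:
    """Assumed dotted-numeric versions; returns a tuple so 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text: str) -> list:
    """Return (name, version) pairs from the SBOM, rejecting documents of another format."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def affected_components(sbom_text: str, advisories: list) -> list:
    """List (name, version, advisory_id) for every component older than its advisory's fix."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    hits = []
    for name, version in load_components(sbom_text):
        for adv in by_name.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Running it flags `libexample 1.2.3` against `ADV-0001` and clears `netlib`, whose 2.0.0 is past the fix; `parserlib` has no advisory and is not reported. The value of the SBOM is precisely that this check can be repeated every time a new advisory appears, without rebuilding or re-examining the product.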
Greater Focus From Boards, Regulators
Corporate boards and government regulatory agencies are really starting to pay attention to ensure that businesses under their jurisdiction have adequate practices in place to defend themselves, according to McAfee CTO Steve Grobman. Organizations are increasingly realizing that they need to set aside enough money to bring in the right technology and people even if cybersecurity wasn’t a traditional priority.
The financial services and defense and industrial sectors figured out the importance of cybersecurity early on, Grobman said. And more recently, Grobman said businesses in other sectors have been upping their game as they’ve come to understand the impact an advanced cyberattack could have on their operations.
Defending organizations requires a combination of the right technology and the right people, and Grobman said McAfee has trained cyberoperators with the skills to go head-to-head against adversaries. There have been some good steps forward, but Grobman said the world still has a long way to go to deliver defense that’s consistent against high-quality adversaries.