How the Colonial Pipeline attack has changed cybersecurity

On the one-year anniversary of the Colonial Pipeline attack, industry insiders reflect on the event's effect on cybersecurity practice and perception.


It's been just over a year since the American public got a taste of what a cyberattack could do to their way of life. A ransomware sortie on Colonial Pipeline forced its owners to shut down operations and left half the country's East Coast in the lurch for refined fuel. Since then, efforts have been made to make the nation's critical infrastructure more resilient and to counter the scourge of ransomware. The question is whether enough is being done fast enough.

"The attack on Colonial Pipeline was an eye-opener—not so much because of the risks about ransomware, but because of the threat landscape moving dangerously close to the critical infrastructure that underpins societies," says Gartner Vice President, Analyst Katell Thielemann. "On that front, it was a wake-up call that spurred all kinds of activities, from cybersecurity sprints in the electric utility sector led by the Department of Energy to security directives from the TSA to pipeline, rail, and airport operators, to a new law establishing upcoming mandates for incident reporting."

"The attack on the Colonial Pipeline was not so much a pivotal moment for ransomware attacks as it was a pivotal moment for the risks to critical infrastructure," Thielemann adds.

Because of the Colonial Pipeline attack, many CISOs became aware of significant blind spots in their security operations centers (SOCs) because they weren't monitoring their operational technology (OT) networks. "It also raised visibility for other mitigations, such as network segmentation, which MITRE ATT&CK categorizes as essential to preventing access to safety-critical systems such as industrial control systems," says Phil Neray, vice president of cyber defense strategy at CardinalOps, a threat coverage optimization company.

It was also pivotal because, unlike other headline-grabbing cybersecurity events, it affected the average person in the street. "While it wasn't the first attack on critical infrastructure, Colonial Pipeline was the moment that resulted in a state of emergency, fuel shortages and panic buying behaviors," says Jasmine Henry, field security director for JupiterOne, a provider of cyber asset management and governance solutions.

Governments act against ransomware

The Colonial Pipeline event also spurred greater government activity aimed at protecting critical infrastructure around the globe. "The silver lining of the Colonial Pipeline attack has been the increased involvement of law enforcement and the U.S. government in taking the fight to the attackers, helping to retrieve or freeze illicitly acquired cryptocurrencies, and collaborating internationally to arrest the ransomware actors," says Jason Rebholz, CISO of Corvus Insurance, a risk management software solutions provider.

Another government reaction to the Colonial Pipeline attack was the Strengthening American Cybersecurity Act (SACA) passed earlier this year. It requires federal agencies and critical infrastructure owners and operators to report cyberattacks within 72 hours and ransomware payments within 24 hours.

"Transparency is one of the most overlooked aspects of security," explains Matt Chiodi, a former CSO at Palo Alto Networks now working on a cybersecurity startup in stealth mode. "Prior to SACA, critical infrastructure providers were not required to report cybersecurity incidents. This lack of transparency left many details of attacks and methods to be guessed at, which meant little learning for the industry. SACA changes that, and while its scope is limited to critical infrastructure, it will no doubt also positively impact other industries in the future."

SACA, though, has its skeptics. "The act is largely focused on reporting requirements, and insights on how to better prevent and mitigate threats are in short supply within the document," says Jori VanAntwerp, co-founder and CEO of SynSaber, a network monitoring solution company.

"One issue that comes up frequently in our conversations with critical infrastructure operators and asset owners is that they're wary of additional reporting requirements," VanAntwerp says. "In the past, there has been little to nothing done with the information that they have provided to government entities."

The European Union issued the Network and Information Systems Directive (NISD), which fines organizations for poor cybersecurity practices. Meanwhile, the UK’s National Cyber Strategy underscores increased levels of cyber resilience, in particular with critical national infrastructure (CNI).

Colonial Pipeline increased collaboration and information sharing

Ian Usher, deputy global practice lead for strategic threat intelligence at the NCC Group, a global cybersecurity consultancy, notes that the Colonial Pipeline attack has helped stimulate cross-industry partnerships to provide collective defense models to secure critical infrastructure.

Collaboration across sectors, and operationally within the critical infrastructure community, has supported small- to mid-sized businesses (SMBs) and other organizations that lack the necessary security infrastructure, notably where organizations are target rich but cyber poor, he explains. For example, consolidated information shared on platforms such as the Stop Ransomware website in the U.S. allows SMBs in critical infrastructure and other sectors to access key information on threats and mitigations.

The Colonial Pipeline attack has also raised employee awareness of ransomware. "Awareness of ransomware attacks is at an all-time high," Rebholz says, "but while awareness leads to increased knowledge of the impacts of ransomware events, it does not prevent them."

Usher adds that across most organizations, there has been an increase in efforts to promote awareness of the cyber threat landscape, the impact ransomware could have on them, and simple steps to identify and deal with potentially malicious emails. However, much of this good work was undermined by COVID and the rapid shift to remote and hybrid ways of working.

"Removed from the corporate environment, employees have the potential to be more distracted and less security conscious, not to mention more inclined to use third-party applications to facilitate remote collaboration," Usher says. "These factors greatly increase the cyber risk to organizations, and without proper training, remote workers are a perfect target for phishing scams, which has unsurprisingly seen an enormous increase since the lockdowns of 2020."

"I believe most people are more aware of threats. However, at best, 4% will click on something they shouldn’t. Things are moving in the right direction, but attackers are very good at adjusting tactics," says Christopher Prewitt, chief technology officer at MRK Technologies, a customized cybersecurity solutions and services provider.

Greater value on IT resilience

If the Colonial Pipeline attack taught organizations anything, it's the value of resilience. "Ransomware attacks have highlighted the need for greater resilience in IT environments," Rebholz says. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks."

"This is especially important for critical infrastructure," Rebholz says, "since the impacts extend beyond monetary loss — a cyberattack can translate into chaos when essential services and goods are cut off from the larger population."

The cyberattack on Colonial Pipeline highlighted the fragility of our interconnected world and the consequences cyberattacks have on our daily lives, says Davis McCarthy, principal security researcher at Valtix, a provider of cloud native network security services. "Whether it was the C-suite allocating funds for IT security, small businesses installing anti-virus, or the U.S. president signing executive orders to bolster critical infrastructure and combat cybercrime, the socioeconomic impact of the Colonial Pipeline attack was visible. The public perception of cybersecurity was no longer an annoying popup or lame toolbar."

"I anticipate that historians will look at Colonial Pipeline as one of the key incidents that shaped the course of cybersecurity," Henry adds. "As with WannaCry, both resulted in greater awareness, since WannaCry revealed the destructive potential of cyber threats to business leaders, while Colonial Pipeline raised public awareness."

Copyright © 2022 IDG Communications, Inc.
