The need for increased cybersecurity automation for critical infrastructure is more important than ever.
They say those who don’t learn from history are fated to repeat it. One year after the Colonial Pipeline cyberattack, it is instructive to consider lessons learned and changes in the cybersecurity practices of critical infrastructure organizations.
On May 6, 2021, Colonial, the largest pipeline supplying oil to the Southeastern United States, suffered a major cyberattack that led to a six-day shutdown of the pipeline, causing fuel shortages, lines at the pump and widespread hue and cry over the woeful state of cybersecurity of the US critical infrastructure. The FBI attributed the attack to a Russian hacking group called DarkSide.
In response to the Colonial breach, President Biden signed Executive Order 14028, requiring more stringent software security standards for sales to the US government, tightening cyberattack detection requirements, and mandating new requirements for improved information sharing and training. The order also established a Cyber Safety Review Board, and the US Department of Justice convened a cybersecurity task force to increase prosecutions. All these steps were supposed to improve the cybersecurity posture of American critical infrastructure sharply.
Now, following the Russian invasion of Ukraine, the US government has issued a “Shields Up” warning, saying critical infrastructure operators and enterprises must prepare for cyberattacks by Russian actors. Officials are warning that Russia is actively attacking American critical infrastructure, including telecom base stations, oil pipelines and electric grids. If successful, these attacks would cause massive disruptions to the US economy.
Yet, many critical infrastructure companies remain laggards when it comes to their cybersecurity posture. For example, oil and gas companies still have immature cybersecurity programs. Looking down the barrel of a cyberwar, it is imperative that critical infrastructure companies properly invest in improving and modernizing their cybersecurity posture. Unfortunately, this is not easy. Like all organizations, critical infrastructure companies must deal with an exploding attack surface, a sprawl of ineffective cybersecurity tools that generate vast amounts of data with few actionable insights, and an acute shortage of skilled infosec professionals.
It is time to take a step back, and a deep breath. Here are four insights that may help critical infrastructure organizations protect themselves from becoming the next Colonial Pipeline.
1. Automate cybersecurity posture
Cybersecurity is no longer a human-scale problem. The attack surface has grown so quickly that even the most well-heeled infosec programs are not aware of all their vulnerable areas. Critical infrastructure companies should prioritize automating cybersecurity workflows so that security teams with limited resources can keep up with the pace of required risk mitigation tasks. AI-powered automation can tackle routine tasks such as discovering, prioritizing and remediating known vulnerabilities, while human effort is devoted to the more complex issues, such as implementing zero-trust and adaptive passwordless authentication and defending against new or unconventional attacks.
2. Build a layered approach to security
This is not the “defense in depth” approach of yesteryear. In the face of nation-state actors, critical infrastructure companies can no longer rely on traditional firewalls and endpoint security to solve cybersecurity problems. They need to turn their focus to automation and proactive cybersecurity protocols and rapidly implement additional security layers to keep threat actors at bay. For example, they need to monitor their security tools themselves to validate that they are properly deployed and configured. That includes identifying gaps in protection, such as parts of their enterprise software bill of materials that are not appropriately protected. As we saw with Colonial Pipeline, the failure to deploy these guardrails led to a devastating ransomware attack, resulting in a days-long shutdown and a $4.4 million ransom payout.
3. Remove or augment legacy tools
Critical infrastructure organizations must replace their legacy vulnerability scanning software and invest in modern tools that perform continuous vulnerability assessment and maximally automated mitigation. They must also stop relying on outdated endpoint and network technologies. As we saw in the Colonial Pipeline attack, an outdated VPN left the company vulnerable to nation-state attacks. If they can’t replace their tools for compliance and certification reasons, they should consider augmenting them. Otherwise, the status quo will likely lead to a devastating situation for a lot of people.
4. Follow universal standards and benchmarks
Today, every critical infrastructure company has its own protocols for managing risk, many of which are outdated. Ensuring the security of critical infrastructure requires universal standards built on transparency, openness, and information sharing across industries and countries. Implementing modern security standards, such as requiring the use of automation, will force laggards, such as oil and gas companies, to address vulnerabilities in a manner commensurate with the threats they face today.
Recently, the US government has taken a step in the right direction, signing the Cyber Incident Reporting for Critical Infrastructure Act and increasing funding to CISA. Additionally, the SEC proposed amendments to cybersecurity regulations for all publicly traded companies. The SEC proposal calls for increased cyber incident reporting and periodic updates about previous cyber incidents, including details about management and board of directors’ protocols around cyber risk.
Outside of the US, other countries are quickly implementing their own regulations. In March, Australia passed the Security Legislation Amendment (Critical Infrastructure Act), which calls for the improvement of risk management practices in Australia’s critical infrastructure sector, as well as increased transparency about the threats these industries face. The legislation includes additional requirements for enhanced security of Australia’s most important critical infrastructure assets. Australia’s efforts to increase regulation of critical infrastructure are certainly setting an example for the world.
Cybersecurity is a constantly evolving situation, with new threats, vulnerabilities and back doors exposed almost daily. The cyberattack on Colonial Pipeline was a big lesson to governments and organizations that protecting the cybersecurity of our most critical infrastructure is of utmost importance to avoid significant economic disruption. To prevent history from repeating itself, it is imperative that critical infrastructure companies uplevel their protection against modern security risks by using modern techniques and automation. Automation is also the only way they will be able to comply with new cybersecurity regulations.