Petrol stations along the US's East Coast were running out of fuel this week as the nation's biggest petroleum pipeline scrambled to recover from a crippling ransomware attack -- attributed by the FBI to the DarkSide cybercrime syndicate. (Colonial Pipeline was manually operating part of the pipeline running from North Carolina to Maryland. Late Monday it said it expects to "substantially" restore all service by the weekend.)
No cyberattack has had quite such a visceral impact in the western world. It is also set to be the most expensive for a national economy. And while there have been many false dawns when it comes to broad awareness of the threat posed by cybersecurity risk, hope springs eternal that this incident will be a serious wakeup call for industry. At The Stack we hold that business leaders and boards could narrow the pipeline hack lessons down to just two things that a startling number of enterprises -- particularly in the industrial space -- haven't done.
Pipeline hack lessons: The two (and a bit) takeaways
- Hire a CISO.
- Start taking security hygiene basics seriously, from the top.
If we had to add a third key lesson, it would be getting an experienced NED on the board with a cybersecurity mandate: far too few manufacturing, energy, or heavy industry organisations have this role in place.
You need to hire a CISO
Colonial Pipeline had embarked on ambitious digital transformation efforts in recent years, touting its evolution "from a mechanical environment into the digital world… our operators have the latest technology at their fingertips to monitor, control, and adjust product flows... Colonial operators are also leveraging computerized technology to monitor pressures, pump operating status, and valve positions — 24/7, 365 days a year."
Such digital optimisations are not going to dry up. The business benefits are simply too great, whatever industry you are in. But they do widen attack surface massively and require a dedicated C-suite security lead.
Yet Colonial Pipeline does not appear to have had a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) to focus solely on ensuring security is robust and resilience baked in. It certainly does not list a CISO as among its key executive team and The Stack could not identify one across its LinkedIn footprint. (The company did not respond to a request for comment on its security leadership.) This is a huge oversight.
A company of that scale needs a dedicated C-suite security professional overseeing security strategy.
According to the World Economic Forum's 2021 Global Risks Report, cybersecurity failures are among the top mid-term threats facing the world. As the WEF's analysts note: "Unless cybersecurity practices are embedded into the corporate or organizational culture and digital products lifecycle, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants."
Hire a CISO! Better yet, hire a CISO and have them report to the CEO and board. IT is no longer something that happens in the basement; IT is not the people you call when your monitor isn't working: IT is operational resilience; IT is colossal reputational risk; IT is petrol stations running dry; IT is your customers walking away and regulators walking in. Take its security seriously. Hire a CISO. They may not look like the rest of your C-Suite. They may be covered in tattoos, have a strange hair colour, different skin colour, use pronouns you are not used to using; they may be ex-military; they may have a doctorate; they may be a high school dropout: think outside the box; invest heavily in training and promoting someone internally: the options are wide, but make it happen.
So I'm hiring a CISO. What are others' reporting lines like?
In 2021, where do CISOs typically sit and who do they report to? The Stack asked Owanate Bestman, founder of Bestman Solutions, a specialist security recruiter. He said: "I have found that the maturity levels within the C-Suite vary by industry sector. There are industries, such as large financial services firms (banking in particular), that have a relatively high security maturity; however, few firms seem to have a CISO sitting on the C-Suite.
"Traditional reporting lines are typically CISOs reporting up to the board, usually the CTO or CIO. In smaller organisations, this can even be the CRO. In such cases, the CISO title is not usually present, but instead, it is Head of IT/Cyber Security, which often betrays an underdeveloped or misunderstood security function. Of the CISO searches I have conducted, most of the reporting lines are to the CTO, followed by the CIO. Far fewer tend to report to the CEO. While other factors come into play, CISO positions that report to the CEO are more attractive to applicants as it is seen as giving the role a more significant presence. It provides the CISO with a seat at the table."
Security basics: getting basic hygiene right...
"Getting the security basics right" is a cliché that is bandied about widely after every high-profile incident.
As one infosec professional noted on Twitter this week: "It’s so interesting how something happens and we’re all like 'DO THE BASICS' but man when you’ve worked IT Ops & sys admin at large orgs (not vendor), and have to work with and alongside many tech teams, simple basics turn into complex yr long projects. Even something like 'enable MFA for everyone' can turn into a political battle among many battles esp if C-Suite hates the idea.
"Or like identifying app ownership across IT & the business can ruffle enough feathers. Even deploying an updated OS or new devices is a mission/takes so much coordination, buy-in, comms, sign-off ++ THE BASICS ARE HARD and if your InfoSec Leadership is scared of fighting them battles then..."
Yet clichés have their place. Colonial Pipeline is now reported to have been using legacy Microsoft Exchange servers, to have had VPN access "with names that imply ICS network access", and to have exposed SNMP, DNS and NTP services, so it appears there were some "easy" fixes that could certainly have made it less of a Big, Juicy, Target. At bare minimum, companies should be tasking someone on the IT team (or bringing in an experienced consultant) to run simple Shodan and nmap searches to see what's exposed on their own network: the kind of thing even the littlest of "script kiddies" might do when sniffing about for weaknesses.
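The point of that exercise is not the scan itself but acting on the result: an inventory of externally reachable ports, reviewed against a short list of services that have no business facing the internet. The script below is an added example (not code from The Stack or from Colonial Pipeline) that parses nmap's "grepable" output format (`nmap -oG`) and flags open services the article mentions as exposed, namely SNMP, DNS, NTP and remote desktop, plus a few commonly abused neighbours. The nmap output, the hosts and the policy table are all constructed assumptions for illustration; a real review would use the organisation's own scan of its own address space.

```python
"""Audit nmap grepable (-oG) output for services that should not be internet-facing.

Added example, not the article's or any vendor's code. The scan text and the
policy table below are constructed for illustration.
"""
import re

# Constructed sample of `nmap -oG` output; addresses are documentation ranges.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.91 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 161/open/udp//snmp///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 53/open/udp//domain///, 123/open/udp//ntp///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///
"""

# Assumed policy: (port, protocol) -> (severity, reason). "review" means the
# exposure may be legitimate (an authoritative DNS server) but must be justified.
EXPOSURE_POLICY = {
    (3389, "tcp"): ("high", "remote desktop reachable from the internet"),
    (445, "tcp"): ("high", "SMB reachable from the internet"),
    (23, "tcp"): ("high", "telnet reachable from the internet"),
    (161, "udp"): ("high", "SNMP reachable from the internet"),
    (123, "udp"): ("review", "NTP exposed; amplification/abuse risk unless intended"),
    (53, "udp"): ("review", "DNS exposed; confirm this host is meant to serve DNS"),
}

# One port entry looks like: port/state/protocol/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return a list of (host, port, protocol, state, service) from -oG output."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            records.append((host, int(port), proto, state, service))
    return records


def audit(text, policy=EXPOSURE_POLICY):
    """Flag open ports that match the exposure policy, in scan order."""
    findings = []
    for host, port, proto, state, service in parse_grepable(text):
        if state != "open":          # filtered/closed ports are not exposures
            continue
        hit = policy.get((port, proto))
        if hit:
            severity, reason = hit
            findings.append({"host": host, "port": port, "proto": proto,
                             "service": service, "severity": severity,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NMAP_GREPABLE):
        print(f"{f['severity']:6} {f['host']}:{f['port']}/{f['proto']} "
              f"({f['service']}) - {f['reason']}")
```

Run against a real scan, the "high" findings are the ones to close or move behind a VPN with MFA; the "review" ones need an owner who can say why the service is there. Tying each finding to a named owner is exactly the "identifying app ownership" work the Twitter thread above calls hard.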
As former CISO Thom Langford, now at SentinelOne, noted: "On the surface, this is a run-of-the-mill ransomware attack on a woefully unprepared and easy target.
"As a part of the USA's critical infrastructure managing fuel pipelines, being susceptible to this kind of attack is inexcusable and should be investigated thoroughly to ensure other critical infrastructure providers don't fall foul of similar attacks. The attack has been attributed to Darkside, a criminal gang operating with alleged impunity from Russia, meaning this could have potential political and military implications. Attacks of this nature when widespread are considered to be effective precursors to actual military attacks. While this scenario is extremely unlikely in this case, the White House response to stand up an emergency working group does underscore the seriousness of the attack at a governmental and national security level."
He adds: "Cyber-hygiene, getting the basics right, is the single best way of mitigating attacks of this nature, and it looks like Colonial were unable to address this resulting in a national-level response to securing essential fuel supplies."
Martin Smith, MBE, founder of CISO network SASIG agrees. As he put it to The Stack: "The security of critical data and systems is essential to all businesses no matter size or role. This is always most clearly illustrated by high-profile incidents, where the consequences are so immediate and visible. The real tragedy is that the vast majority of security breaches like these can be prevented by implementing just the most basic of good housekeeping processes and procedure. Boards must recognise the importance of cyber risk management, assign accountability to an appropriately senior individual, and commit sufficient resource and effort accordingly. There but for the grace of every person’s god go the rest of us.”
At the C-suite level this means (per WEF guidance):
- Establishing a comprehensive cybersecurity governance model
- Promoting a security and resilience-by design culture
- Increasing visibility of third parties' risk posture and considering broader ecosystem impact
- Implementing holistic risk management and defense mechanisms with effective preventive, monitoring, response and recovery capabilities.
- Preparing and testing a resilience plan based on a list of pre-defined scenarios to mitigate the impact of an attack.
- Strengthening international public-private collaboration between all stakeholders in the industry
At the coalface, Vladimir Kuskov, Head of Threat Exploration at Kaspersky says security hygiene basics can start with the following: "We advise not exposing remote desktop services to public networks unless absolutely necessary and always using strong passwords.
"Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network, and always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities. On top of that, focus your defence strategy on detecting lateral movements and data exfiltration to the Internet, paying special attention to the outgoing traffic to detect cybercriminals' connections. Having regular, up-to-date backups of systems is key to a speedy recovery from a ransomware attack."
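Two of those recommendations, watching outbound traffic for exfiltration and watching for lateral movement inside the network, can be turned into simple detections over the flow or firewall logs most organisations already collect. The script below is an added example (not Kaspersky's, The Stack's or Colonial Pipeline's code) that reads constructed flow records, sums each internal host's bytes sent to external addresses and flags outliers, and separately flags any internal host that opens admin-protocol connections (SMB, RDP, WinRM, SSH) to many distinct internal hosts in the window. The log format, address ranges, thresholds and the set of "admin ports" are assumptions chosen for illustration, not a standard; tune them to your own baseline.

```python
"""Flag exfiltration and lateral-movement candidates in flow records.

Added example, not the article's code. Flow lines, address ranges and
thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed ports whose internal fan-out usually means an operator or an intruder
# moving between machines: SMB, RDP, WinRM and SSH.
ADMIN_PORTS = {445, 3389, 5985, 5986, 22}

# Constructed flow records: "timestamp src dst dport proto bytes_out".
SAMPLE_FLOWS = """\
2021-05-07T03:12:01Z 10.0.1.5  198.51.100.7 443  tcp 412000000
2021-05-07T03:14:09Z 10.0.1.5  198.51.100.7 443  tcp 498000000
2021-05-07T03:15:00Z 10.0.1.7  203.0.113.50 443  tcp 1200000
2021-05-07T03:15:30Z 10.0.1.8  203.0.113.51 443  tcp 800000
2021-05-07T03:16:00Z 10.0.1.9  203.0.113.52 80   tcp 300000
2021-05-07T03:20:00Z 10.0.1.20 10.0.2.1     445  tcp 4000
2021-05-07T03:20:05Z 10.0.1.20 10.0.2.2     445  tcp 4000
2021-05-07T03:20:10Z 10.0.1.20 10.0.2.3     445  tcp 4000
2021-05-07T03:20:15Z 10.0.1.20 10.0.2.4     3389 tcp 9000
2021-05-07T03:20:20Z 10.0.1.20 10.0.2.5     445  tcp 4000
2021-05-07T03:21:00Z 10.0.1.7  10.0.2.1     445  tcp 120000
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def exfil_candidates(flows, ratio=10.0, floor=100_000_000):
    """Internal hosts whose bytes to external addresses stand out.

    A host is flagged when its outbound total exceeds both `ratio` times the
    median outbound total across hosts and an absolute `floor` (100 MB here),
    so a tiny fleet with one busy host does not trip on the ratio alone.
    """
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]] += f["bytes"]
    if not outbound:
        return []
    threshold = max(ratio * median(outbound.values()), floor)
    return sorted(h for h, total in outbound.items() if total > threshold)


def lateral_movement_candidates(flows, fanout=5):
    """Internal hosts reaching >= `fanout` distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for f in flows:
        if (f["dport"] in ADMIN_PORTS and is_internal(f["src"])
                and is_internal(f["dst"])):
            targets[f["src"]].add(f["dst"])
    return sorted(h for h, dsts in targets.items() if len(dsts) >= fanout)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("possible exfiltration:", exfil_candidates(flows))
    print("possible lateral movement:", lateral_movement_candidates(flows))
```

The two checks deliberately look at different things: exfiltration is about volume leaving the perimeter, lateral movement is about breadth of internal admin connections, and a ransomware operator typically shows the second before the first. Jump hosts and backup servers will legitimately trip the fan-out rule, which is why the output is a candidate list for an analyst and an allowlist, not an automatic block.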
Ultimately, business leaders, from the top, need to understand that cybersecurity is not some dark and mysterious thing involving NSA leaks; nor is it some petty annoyance that might result in a printer not working. It's increasingly about not just the lifeblood of an organisation, but the lifeblood of national economies. If the pipeline hack lessons boil down to understanding just that, well, then that's progress. Did it have to be quite so hard, however? Agree, disagree, like to add your tuppence-worth? Get in touch with The Stack's team.