The Colonial Pipeline ransomware attack disrupted oil supplies throughout the East Coast of the US as the company worked to contain the threat, investigate the internal impact of the breach, and restore its systems from back-ups. The shutdown caused inestimable ripple-down losses and inconvenience for organizations and individuals whose activities depend on access to the 100,000 gallons of fuel Colonial transports each day. Despite paying almost $5 million in ransom—some of which was subsequently recovered by the FBI-- the decryption keys reportedly did not work well and most of the recovery was accomplished from the company’s own backup systems.
In the wake of the attack, the US Transportation Security Administration (TSA), part of the Department of Homeland Security (DHS), announced mandatory cybersecurity requirements for the pipeline sector, and more recently, issued a second Security Directive for critical pipeline owners and operators.
Just weeks after the Colonial Pipeline attack, a ransomware attack on JBS SA, a multinational meat processor, caused perhaps even greater disruptions, impacting farmers, retailers, consumers, stockyards, financial markets and numerous other parties internationally, throughout the value chain.
These attacks on manufacturing and processing companies and their far-reaching impacts highlight the vulnerability of critical systems and illustrate how attacks can ripple through multiple sectors of the economy. Of course, this point is exactly why the industrial sector is so attractive to cybercriminals: By their calculations, a wider swath of destruction and losses generates more pressure to pay off ransoms and get systems running again. In fact, the number of data breaches in the manufacturing sector during the first six months of 2021 increased over 400% versus the same period the previous year.
Moving Toward Greater Cyber Regulation
Many people are familiar with the TSA from its most public-facing activity: airport security. Pipelines were originally regulated by the Department of Transportation since they move—transport, that is--fuel, gas and chemicals. Pipeline security responsibilities were transferred to the TSA following its creation in 2002.
With the new TSA security directives, the pipeline sector joins a handful of other industries, including nuclear power plants and bulk electric power providers that must comply with mandatory cybersecurity guidelines. An attempt by Congress to extend mandatory cybersecurity guidance to a wider range of critical infrastructure industries failed after the Chamber of Commerce mounted strong opposition to the plan. Given the increasing number of attacks in general, and on critical infrastructure in particular, it would not be surprising to see additional mandatory cybersecurity regulations imposed on a sector-by-sector basis by relevant authorities.
Note the “sector-by-sector” mention in the previous paragraph: A major challenge in securing America’s critical infrastructure from cyberattacks is the lack of a central organization responsible for cybersecurity. Instead, there is a patchwork of regulations that are drafted for and apply to different industries. For instance, the Energy Department issues cyber regulations for bulk electric providers, while DHS issues rules for chemical plants, and the Nuclear Regulatory Commission (NRC) issues rules for nuclear power. Conceivably a pipeline carrying chemicals could be obligated to follow two completely different sets of cybersecurity rules, one coming from DHS for chemical facilities, and one from TSA for pipeline companies.
The Government Approach: Too Little, Too Late, Too Fragmented
The new DHS guidelines are emphatically an important step in the right direction. However, they are, by definition, way too limited, in that they apply only to pipeline companies and were issued only after a significant attack.
In a recent statement, US Federal Bureau of Investigation Director Christopher Wray compared the ransomware challenge facing US companies today to the 9/11 terrorist attacks. While in his statement, he cited, “a lot of focus by us on disruption and prevention,” the thrust of his comments focused on post hoc investigation and remediation, rather than on what organizations should be doing to protect themselves from attack in the short run.
As a government body tasked with combatting crime, the FBI should concentrate on investigating past cyberattacks to identify responsible parties and bring them down. But even if those investigations succeed, it is often too late for the individual organizations that have—literally--paid a crushing price to provide the after-the-fact evidence against cybercrime gangs.
Savvy Organizations Set the Pace
Meanwhile, there are steps manufacturers can take to protect themselves from cyberattack. Having an executive-level coordinator who is responsible for cybersecurity and putting procedures in place for assessing readiness and reporting events, as the TSA requires pipeline companies to do, is vitally important.
It is important to enlist “zero trust” security measures that verify all access both inside and outside the organization. Effective zero trust measures are flexible enough to meet the increasingly distributed nature of most business operations, and don’t force employees to choose between security and productivity.
Specific recommendations include, at a minimum:
1. Strict separation between industrial systems and business operations through the use of network microsegmentation techniques. Microsegmentation is a network security technique that allows security architects to divide networks into various smaller segments, down to the individual workload level. Each segment can be managed via customized security policies.
2. Periodic external scans and threat intelligence assessments to identify vulnerabilities or weaknesses, including unused and phantom accounts.
3. Identity and access management (IAM) that leverages strong authentication for all remote access services and SaaS applications.
4. Least-privilege access controls for both on-premise and cloud-based resources, leveraging granular per-person (not group!) policies. Least privilege access allows individual users access to only specific apps and data that each user requires in order to accomplish the tasks required to do their job.
5. Secure web gateways (SWG) and browser isolation. Browser isolation enables internet access to be routed through a virtual browser located in a disposable container in the cloud. SWG and browser isolation protect endpoints and networks from web-based malware, including from sites opened by clicks on links in phishing emails.
6. Cloud-delivered solutions that secure remote user activity.
7. Effective patch management. Organizations should have an automated process in place to greatly reduce the burden on the IT team. Patches should be reviewed and monitored before being deployed across the entire organization to mitigate security breaches. To reduce downtime, address security vulnerabilities of applications within a designated period of time outside of business hours.
These measures, along with others, are increasingly integrated in platforms known as Secure Access Service Edge – SASE for short. SASE platforms operate at the cloud edge to secure user access, from wherever they are, to organization resources that may be on-premises, in the cloud, or on the web.
Strengthen Ransomware Defenses at Cyber-Speed – Not at Regulatory Creep
Government should be a major force in the battle against cybercrime. But manufacturers should also seek out and implement protective measures to bolster defenses in today’s increasingly sophisticated threat landscape.
Gerry Grealish is a security industry veteran, bringing over 20 years of marketing and product experience in cybersecurity and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he was responsible for the go-to-market activities for the company’s Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed CASB innovator, Perspecsys, where he was CMO.
