Cybersecurity experts have warned about vulnerabilities within the critical infrastructure for years. It came to fruition in May 2021, when Colonial Pipeline was hit with a ransomware attack. The response, of course, was the company temporarily shut down oil and gasoline delivery, which resulted in major panic and shortages all over the East Coast.
"The Colonial Pipeline attack was a major wake-up call to improve cyber defenses for critical infrastructure," says Tom Badders, senior product manager at Telos. "The attack vector for ransomware has typically been targeted to information technology networks. This was the first major attack on an operational technology network."
The attack brought much-needed attention to risks to the critical infrastructure and how something as simple as a stolen password can create a national nightmare. The immediate response was to come up with ways to prevent a similar attack (and there has not been one as of yet), but over the past year, have we really learned any lessons from Colonial Pipeline? Has anything changed in the way we think about protecting our systems, particularly critical infrastructure?
The Colonial Pipeline attack offered everyone, from government officials to ordinary citizens, a glimpse into what could happen and why it is vital to have a good security team with a solid mitigation plan in place, says Willy Leichter, CMO at LogicHub.
"In terms of wake-up calls, the Colonial Pipeline cyberattack was a good jolt of caffeine to the country," he says. "The Colonial security teams acted quickly, cautiously, and probably correctly to shut down the pipeline, although it took six days to get it back online."
But then the country hit the snooze button.
"Unfortunately, I think very little has changed," says Den Jones, CSO at Banyan Security.
Many companies still operate under the "it won't happen to me" assumption, Jones points out, and smaller organizations don't have the resources in place — or don't think they need them — to address a major cyber incident. When organizations do have security teams in place, they are spread thin.
"And perhaps worst of all," Jones adds, "organizations of all shapes and sizes haven't dramatically improved their basic security hygiene. This includes having sound, repeatable, audible processes for keeping systems patched and up to date, directory systems current, and making use of important tools like MFA. Remember, having a process doesn't mean it has to be complicated."
Some Progress Made
Little change isn't the same as no change, however. There have been signs of progress in the wake of the Colonial Pipeline attack.
"Government agencies have been more active in issuing security recommendations and creating much stricter rules about breach notification," says Leichter. Days after the ransomware attack was revealed, for example, the White House released an executive order requiring improvements to federal cybersecurity efforts. At the state level, more than 250 bills were introduced that deal directly with improving cybersecurity both overall and to directly protect government entities.