Colonial Pipeline: Yet another cybersecurity ‘wake-up call’
A wake-up call? Seriously?
That would imply that anybody who has anything to do with critical infrastructure in the U.S. could have been blindsided by the recent ransomware attack on the Colonial Pipeline.
But the attack that led to the shutdown of nearly half the fuel supply — gasoline, diesel, jet fuel and heating oil — to the East Coast for almost a week, causing panic buying and major price spikes, shouldn’t have surprised anybody. Not unless they hadn’t been paying attention for the past several decades.
That’s how long it’s been since the start of a steady stream of warnings that U.S. critical infrastructure is grievously vulnerable to cyberattacks.
More than four years ago, Joel Brenner and David Clark declared in a post on Lawfare that “the critical networks that keep America’s lights on, our communications humming, and the banks open for business are insecure, and we’ve known it for a long time.”
A long time indeed. Almost a decade ago, then defense secretary Leon Panetta said more famously what other less-famous experts had been saying since the 1990s — that the U.S. was vulnerable to a “cyber Pearl Harbor” attack that could take down essential services like the power grid and yeah, the fuel supply.
Yet the Colonial attack spawned the predictable flood of headlines from news outlets ranging from The Hill to CNN, declaring that this event should be a “wake-up call” for the nation to harden the cybersecurity of its critical infrastructure.
By now, wake-up calls ought to be given a number, or maybe names like hurricanes. The list could go on and on — they haven’t all been direct hits on the U.S. but they have been stark warnings all the same. They include Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010; Industroyer, which brought down a portion of the energy grid in Ukraine in 2016; and the Aurora demonstration in 2007 at Idaho National Laboratories that destroyed a large diesel generator.
Aurora wasn’t a malicious attack, but as Joe Weiss, managing partner at Applied Control Solutions, noted four years ago, it demonstrated that “cyber conditions could lead to physical equipment damage.”
According to Philip Reitinger, president and CEO of Global Cyber Alliance (who says he long ago swore off using the term “wake-up call”), the incident that should have launched a national effort to improve the security of critical infrastructure like pipelines happened 24 years ago.
He told BankInfoSecurity that in March 1997 “a small attack by a juvenile on a telecommunications system knocked out telephone service to the Worcester, Massachusetts airport, cutting off their ability to call the fire department and have radio transmissions. They had to rely on backup systems, including battery-operated radio.”
“This sort of thing has been completely apparent since then, so if anybody is surprised, they’re just not paying attention,” he said.
Beyond that are catastrophic attacks on government agencies, like the one on the Office of Personnel Management, discovered in 2014, that compromised the personal and financial information of more than 22 million current and former federal employees.
In short, both the private and public sectors have had more than two decades of alarm bells ringing about the threat to critical infrastructure from cyber attacks, yet the Colonial Pipeline incident is being labeled a wake-up call. Given history, it looks like when this event completes its proverbial 15 minutes of fame, everybody will roll over and go back to sleep until the next one.
Ah, but this time it’s different, some news stories declare. President Biden, barely four months into his first term, is already out with his “Executive Order on Improving the Nation’s Cybersecurity.”
And the U.S. House Committee on Homeland Security, in a stunning display of bipartisanship, advanced five bills a couple of weeks ago aimed at addressing cybersecurity weaknesses.
- The “Cybersecurity Vulnerability Remediation Act” would give the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) authority to help critical infrastructure operators mitigate the most critical, known vulnerabilities.
- The “State and Local Cybersecurity Improvement Act” proposes a $500-million grant program to help state, local, tribal, and territorial governments secure their networks.
- The “CISA Cyber Exercise Act” would establish a National Cyber Exercise program to promote more regular testing and assessments of readiness and resilience to cyberattacks against critical infrastructure.
- The “Pipeline Security Act” would improve the capability of the Transportation Security Agency (TSA) to protect pipeline systems. The TSA is the principal federal agency responsible for pipeline security.
- The “Domains Critical to Homeland Security Act” would authorize DHS to research supply chain risks for critical domains of the U.S. economy and send the results of that research to Congress.
That’s an impressive list. The Biden executive order (EO) covers all the expected bases, from building better security into software (including a detailed section on software supply chain security) to cloud services, multi-factor authentication, encryption, information sharing, endpoint detection, and incident response.
It also calls for leveraging the buying power of government with procurement requirements: federal agencies will be forbidden to buy any digital products or services that don’t meet specific security standards.
But we have seen this movie before, more than once. There have been impressive lists over the past 25 years. Every U.S. president, starting with Bill Clinton, has issued an EO or grand plan on cyber security. Obviously none of them prevented the attacks on Colonial Pipeline or on IT vendor SolarWinds, attributed to Russia, that compromised nine federal agencies and (so far) about 100 private sector companies.
President Barack Obama issued an EO more than eight years ago focused specifically on improving the security of critical infrastructure.
At the end of 2018, President Donald Trump’s National Security Telecommunications Advisory Committee accepted a subcommittee report on a proposed “Cybersecurity Moonshot,” echoing President John F. Kennedy’s 1961 challenge to put a man on the moon before the end of that decade.
Congress created a stack of legislation as well over the past couple of decades, including most recently the IoT Improvement Act of 2020, which passed last December, but it took three tries (2017 and 2019 previously) to make it into law.
Procurement language for federal agencies to demand better security from vendors has been on the table for years as well.
So what are the chances that this time will be any different?
Reitinger, who worked in DHS, the Department of Defense and the Department of Justice during the Obama administration, said for things to change, “we have to treat cyberattacks as a real national and homeland security event. We don’t now.”
“People talk about it, some high-level people are appointed, some rounding-error additional funds are (provided), but are we talking about real requirements, making people do what needs to be done, really enabling the market so it takes effective action? I haven’t seen anything like that,” he said.
Still, there is some optimism that with bipartisan support for addressing what is obviously a bipartisan problem, there will be some progress this time.
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center and coauthor of a post on Infosecurity Magazine, wrote that technology suppliers should start preparing to up their security game with frameworks that have been available for years.
“In the spirit of not reinventing the wheel, existing purpose-built secure software frameworks like the NIST Secure Software Development Framework (SSDF) and the Building Security in Maturity Model (BSIMM) serve as valuable starting points in assessing preparedness for likely new standards resulting from the EO,” he wrote.
Rehan Bashir, managing security consultant with the Synopsys Software Integrity Group, said it shouldn’t take legislation or a presidential EO for organizations to wake up to the ongoing and increasing threat of ransomware. Attackers now demand payment not just to decrypt their victims’ data but also to refrain from posting it (which is likely to include personal and proprietary information) on the internet.
“Organizations must be proactive about improving their security controls to prevent ransomware attacks and to prepare an incident response strategy for a worst-case scenario,” he said.
“An incident response plan should include backups of critical data, and also testing the recovery of backed-up data frequently as part of business continuity and disaster recovery plans.”
Still, most experts agree that pressure from government, including the refusal to buy products or services that don’t meet rigorous security standards, will be necessary for this wake-up call to have any long-term effect.
“I hope the EO and activity in Congress will lead us past the black hole we’ve been in where everything dies because it’s too expensive, too hard, too regulatory, or too intrusive of privacy,” Reitinger said.
“I’m not saying any of those things are invalid. I don’t want to live in a country where the NSA monitors every communication from everybody in the U.S. But there are things that could be done across the board. It just takes political will,” he said.
Indeed. The ominous thing is that countless wake-up calls haven’t generated the necessary response from either the public or private sector.
As Brenner and Clark put it in their Lawfare post, “the vulnerability of the systems that power our nation is a national disgrace, but the pathway to higher ground has been charted. Let’s follow it … A nation that cannot or will not defend the networks on which its security depends is a nation waiting passively for failure.”
Keep in mind, that was written more than four years ago.