The attack has ended. After the reported payment of a ransom of nearly $5 million, the DarkSide gang has gone quiet. The Colonial Pipeline is flowing again, and the delivery of gasoline, diesel and jet fuel has resumed. There’ll be no more late-night jokes about gas hoarders, and no more memes explaining why it’s not a good idea to store fuel in plastic shopping bags.
Yes, things are back to normal. Unfortunately, though, this “normal” is hardly a source of comfort, because our normal state is one in which our critical infrastructure remains under constant threat of attack. Consider these highlights from just the past few months:
- Digital extortionists took cruel advantage of the pandemic to ramp up their attacks on healthcare systems. Using the TrickBot trojan to deliver Ryuk ransomware, attackers targeted hundreds of hospitals and healthcare facilities in a crime that is literally a matter of life and death.
- Last December, we learned about the massive supply-chain attack on SolarWinds software. The intrusion began months earlier, when the attackers planted malicious code in a legitimately signed update to SolarWinds’ Orion platform. As many as 18,000 SolarWinds customers installed the tainted update, among them Intel, Cisco, VMware and nine U.S. federal agencies.
- This past February, an intruder gained remote access to the water treatment plant in Oldsmar, Florida, and tried to poison the treated water supply by raising the level of sodium hydroxide (lye). In a rare good-news story, a plant operator watching the screen saw the intruder’s mouse movements in real time and reversed the change before any tainted water left the plant.
These are just a few examples from a list of hundreds of breaches. And the list doesn’t include the many organizations that quietly paid off the hackers in order to keep the story out of the news.
Some attacks are sponsored by nation-states (which, understandably, don’t wish their involvement to be known). Other breaches are the work of criminal gangs. Because each attack might have hundreds of likely suspects, intrusions tend to be treated as disparate events, unrelated to the hack that happened yesterday or the one that’s going to hit tomorrow.
But this is a mistake in thinking, and it’s one that will eventually have disastrous consequences. In the 21st century, the very definition of war must change, because we are in one right now. We don’t always know who’s attacking us. There are no tanks or submarines, no recognizable flag, no uniformed soldiers and no formal declaration of hostilities. Yet the attacks are devastating. They target the very infrastructure on which a functioning society relies. The attacks are increasing in sophistication and effectiveness, and at some point, in the not-too-distant future, they will have the power to bring a nation to its knees.
The only good news about the Colonial hack is that it might finally serve as a wake-up call to technology leaders in the most vulnerable sectors: utilities, telecommunications, financial services, healthcare and government. All these sectors need to make investments in security that are proportional to the seriousness of these threats. Yet in breach after breach, we learn that basic security hygiene was treated with an embarrassing degree of sloppiness. The Florida water treatment plant, for example, was still running Windows 7, which Microsoft hasn’t supported since January 2020, and its control computers were reachable through a shared remote-desktop tool. And in the Colonial Pipeline case, the weak link appears to have been remote access: VPNs and remote-access tools, reportedly without multi-factor authentication, that were optimized more for easy access than for security.
As crucial as pipelines are to national infrastructure, the industry’s cybersecurity posture is “far behind that of other energy sectors,” says John Cusimano of aeCyberSolutions in a recent statement. Cusimano points to the lack of segmentation in pipeline supervisory control and data acquisition networks, which “connect the pipeline control center to every terminal, pumping station, remote isolation valve and tank farm along the pipeline. These are very large networks covering extensive distances, but they are typically ‘flat’ from a network segmentation standpoint. This means that once someone gains access to the SCADA network, they have access to every device on the network.”
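To make Cusimano’s point concrete, here is a small blast-radius model, added for this piece rather than taken from the article or from aeCyberSolutions. The site inventory, zone names and firewall rules are constructed examples, not a real pipeline. It computes which devices an attacker who has compromised one host can reach under a flat policy (every zone may talk to every zone) and under a hub-and-spoke policy in which only the control center may initiate connections to field sites and field sites never talk to each other.

```python
"""Blast-radius model for a flat versus a segmented SCADA network.

Added illustration; the devices, zones and policies below are constructed
and do not describe any real pipeline.
"""
from collections import deque

# Constructed inventory: device name -> network zone (segment) it lives in.
DEVICES = {
    "control-center-hmi": "control",
    "historian": "control",
    "terminal-A-plc": "terminal-A",
    "terminal-A-rtu": "terminal-A",
    "pump-station-1-plc": "pump-1",
    "pump-station-2-plc": "pump-2",
    "isolation-valve-7": "valve-7",
    "tank-farm-plc": "tank-farm",
}


def zones(devices):
    return sorted(set(devices.values()))


def flat_policy(devices):
    """'Flat' network: every zone may initiate connections to every other zone."""
    zs = zones(devices)
    return {(a, b) for a in zs for b in zs if a != b}


def segmented_policy(devices, hub="control"):
    """Hub-and-spoke: only the hub zone may initiate connections to field zones.
    Field zones may answer (a stateful firewall allows replies) but never
    initiate, and no field zone may talk to another field zone."""
    return {(hub, z) for z in zones(devices) if z != hub}


def reachable(start, devices, policy):
    """Set of devices an attacker holding `start` can move to laterally.

    A hop from device X to device Y is allowed when both are in the same zone
    or when (zone(X), zone(Y)) is an allowed initiation in `policy`.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        cur_zone = devices[cur]
        for dev, zone in devices.items():
            if dev in seen:
                continue
            if zone == cur_zone or (cur_zone, zone) in policy:
                seen.add(dev)
                queue.append(dev)
    return seen


def blast_radius(start, devices, policy):
    """Number of *other* devices reachable from a compromised `start`."""
    return len(reachable(start, devices, policy)) - 1


def field_to_field_rules(policy, hub="control"):
    """Audit check: any rule that lets a non-hub zone initiate a connection is
    a lateral-movement path a segmented design should not contain."""
    return sorted(r for r in policy if r[0] != hub)


if __name__ == "__main__":
    foothold = "pump-station-1-plc"  # attacker lands on one remote pump PLC
    for name, pol in (("flat", flat_policy(DEVICES)),
                      ("segmented", segmented_policy(DEVICES))):
        print(f"{name:9s} foothold={foothold} "
              f"blast radius={blast_radius(foothold, DEVICES, pol)} "
              f"field-to-field rules={len(field_to_field_rules(pol))}")
```

Run from a pump-station PLC, the flat policy lets the intruder reach every other device on the network, while the segmented policy confines them to their own site. The same model also shows the limit of segmentation alone: a foothold in the control zone still reaches everything, which is why the control center itself needs hardened jump hosts, strong authentication and monitoring rather than being treated as trusted by default. The `field_to_field_rules` check is the kind of audit a practitioner can run against an exported firewall policy to find rules that quietly flatten a network again.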
The vulnerabilities peculiar to the pipeline industry, or to any other industry, are compounded by the challenges of cybersecurity in general. Multiple tools and security products must be installed, managed, maintained and kept current with security patches and with firmware and software updates. One missed patch or outdated library can open a hole wide enough for extortion or corporate espionage. And ransomware attackers no longer need to be particularly innovative or knowledgeable on their own; they can simply rent ransomware-as-a-service from a group such as DarkSide, which supplies the malware and infrastructure in exchange for a cut of each ransom.
So, how can IT decision-makers respond? How can leaders sleep at night with the confidence that their infrastructure is secure, yet still conduct business so that the lights stay on, the fuel continues to flow, the water stays clean, and the bills get paid?
I believe the time has come for the public and private sectors to agree on universal standards that improve our security posture while still allowing for continued innovation. The Biden administration pledged to act in the wake of the SolarWinds breach, but there is much more to be done.
Right now, the only organization proposing a global standard for third-party data access is Canada’s CIO Strategy Council, of which I am a member. The Council unites Canada’s technology leaders in pursuing innovation and solutions to our most pressing digital security challenges. The Council has authored critical standards to address the growing threats to worldwide data security. “We are living in a data-driven economy that is unlike any before, and issues like data governance and cybersecurity can no longer take a backseat,” says Executive Director Keith Jansa. “The standards published by the CIO Strategy Council are designed to help organizations in Canada and around the world to effectively govern and secure their data and digital technology use.”
The new standards proposed by the CIO Strategy Council include the following:
- CAN/CIOSC 100-2:2020 — Third Party Access to Data: This standard addresses data governance for third-party access to data, and requires that when third parties are granted access to critical data systems, that access is authorized, supervised and secure.
- CIOSC/PAS 100-4:2020 — Specification for Scalable Remote Access Infrastructure: This standard lays out requirements to mitigate security risks associated with, and scalability demands upon, enterprise technologies used for remote access.
- CAN/CIOSC 103-1:2020 — Digital Trust and Identity: This standard specifies minimum requirements and controls for creating and maintaining trust in digital systems and services that assert and/or consume Identity and Credentials.
The blunt reality is that these standards are several years overdue. The Colonial Pipeline might have started flowing again in just a few days, but that’s not much of a consolation. In terms of defending our critical infrastructure, leaders in government and enterprise have been luckier than they’ve been smart. Unless stringent security standards are applied across the public and private sectors alike, we might soon learn the hard way that our luck has run out.