If the seemingly constant announcements of cyberattacks are starting to feel like a broken record, you are not alone. However, the more accurate description may be a broken approach. The regularity and intensity of cyberattacks, and ransomware in particular, are out of control. And, unfortunately, organizations with operational technology – whether they are manufacturers or those within the infrastructure and energy sectors – appear to be the most dominant target.
As details from the recent Colonial Pipeline attack continue to unfold, IndustryWeek has connected with a host of cybersecurity experts to take a deeper dive into the bigger picture.
Those joining the discussion include:
- Andrew Rubin, CEO and co-founder of Illumio;
- Stel Valavanis, CEO of onShore Security;
- Tim Erlin, vice president of product management and strategy at Tripwire; and
- Nate Warfield, CTO of Prevailion.
Rubin: This could be the most impactful ransomware attack in history, a cyber disaster turning into a real-world catastrophe. It’s an absolute nightmare, and it’s a recurring nightmare. If organizations continue to rely on and invest entirely in detection - and ignore the fact that this approach continues to miss attacks - these events will continue to trend upwards.
This attack was not a matter of compromised names, addresses and SSNs. We’re talking about the energy supply of the Eastern United States. This is huge, and this is a national security issue.
Valavanis: Yes, of course. This goes hand in hand with the increased sophistication and capacity of the criminals who have been fueled by the years of collecting ransom payments covered by insurance. Infrastructure attacks are more likely targeted attacks and not "spray and pray."
Erlin: As industrial systems become more connected and interconnected, the applicable threats grow. It’s not ransomware that I worry about, however. Ransomware is noisy. It has to announce itself to be successful. Attacks that are intended to do real damage can use the same methods as those that ultimately deliver ransomware. My concern is that the trend in ransomware incidents is hiding or preceding other types of attacks that we haven’t yet detected.
Warfield: Absolutely. The risk to infrastructure isn't new; we've known that critical system security lags behind the rest of the industry for a couple of decades. What is relatively new are the ransomware groups who - unlike nation states - operate with impunity and disregard for soft targets. A nation-state attack on oil pipelines or hospitals would be considered by most an act of war, but since these gangs operate outside of the control of their host country's government and are generally safe from extradition, enforcing consequences is nearly impossible today.
IW: Do you see these attacks ultimately impacting the proposed infrastructure bill? If so, how?
Warfield: I think it definitely *should*; computers are an instrumental part of modern life and any new infrastructure will have hundreds or thousands of computers to manage, monitor and access the critical components. Where there are computers, there is risk of compromise. A mature security posture is crucial for the success of any large infrastructure undertaking and needs to be included from day one. You can't simply bolt security on as an afterthought and expect it to succeed. If the bill didn't contain line items for information security before this attack, I would hope it does now.
Rubin: While President Biden did issue a state of emergency following the Colonial Pipeline ransomware attack, I am even more pleased to see the administration working on an executive order to build a Zero Trust posture, stating specifically that detection is no longer enough on its own, as reported by the New York Times. If this isn’t a threat to national security, I don’t know what is. The government’s reaction in the coming weeks is going to be critical. The administration needs to explain to the public why this is not just another breach.
Valavanis: It should. One way the federal government has been able to enforce standards is by attaching strings to project funds. The writing is on the wall here. There will be new cybersecurity standards in the infrastructure bill, period. They will require detection and analysis. They will require attestations and third-party audits. They will require information sharing and disclosure. They will require many new specific architectural improvements.
Erlin: Regulation can have a big impact on cybersecurity adoption. It might not drive innovation, but having set industry standards provides a consistent framework to help prevent the majority of attacks, or at least make them substantially more costly for the attacker.
IW: What are the next steps forward?
Rubin: The cyber industry needs to stand up and admit we’re failing. Detection alone is no longer enough, as we’ve seen that spending north of $100 billion per year on this strategy isn’t working. Our track record, in the past six months alone, has gone from bad, to abysmal to, now, catastrophic.
Attacks are increasingly getting worse and more severe, yet we have done nothing to change our strategy. The first step is admitting that detection is not the sole solution, and recognizing that we need a Plan B. Sunburst and SolarWinds should have forced us to reevaluate our cyber strategies and the tools that we are implementing. Now, we have yet another cyber disaster on our hands.
After we’ve achieved a collective ‘assume breach’ mentality, we then need to implement technology to mitigate the amount of damage done once breached. This can be done by adopting layered components into security stacks -- endpoint monitoring systems, Zero Trust segmentation capabilities, next generation firewalls and an automated testing platform.
Warfield: The world has observed attacks on both critical infrastructure (Ukraine, Sandworm power station attacks + NotPetya) and ransomware gangs running rampant with little more than stern words or the occasional embargo, and this needs to change. Ransomware represents an existential threat to the safety of a global communications network on which - like it or not - lives now depend. The private sector can only do so much in terms of defending the world from these groups; without global support to track down and eliminate these actors, these campaigns will continue unabated. This recent attack on critical pipeline infrastructure will only be the beginning. These groups proved in 2020 with attacks on healthcare their disregard for human life; once you've crossed that line, nothing is off limits.
Valavanis: The cybersecurity community is fairly united and clear about how we improve. No one has to wait for new requirements that, frankly, will mirror existing published standards. Industry just won't spend money they don't have to, and they likely won't. But that doesn't mean they can't prepare for the coming requirements now, at least in planning, because these changes will take time and the internal disruption could be significant. It's best to get a jump on it.
We aren't paying enough nor putting enough pressure on law enforcement. There already is a restriction on ransom payments to listed terrorist entities, but that's not clear enough. There are problems with data collection and disclosure policies, cryptocurrency controls, international agreements, and jurisdictional limitations. The idea of law enforcement being inadequate and overwhelmed isn't borne out in the reporting. Their limits are more from lacking policy and public pressure. Instead, we keep blaming the victim.
Erlin: National attention on cybersecurity for critical infrastructure is a good start. It’s often hard to separate the hype from the reality. There is real work to be done here, and that requires real investment. Government has a strong role to play in how we invest in protecting our critical infrastructure.