The recent ransomware attack against Colonial Pipeline, which delivers almost half of the fuel used on the East Coast of the U.S., is being read as a demonstration of what happens when gaping holes are left in a cybersecurity posture, especially amid increasing attacks on critical infrastructure worldwide.
A failure as big as that of Colonial Pipeline simply shows an obvious, willful ignorance of the need to take cybersecurity seriously, said Michela Menting, digital security research director for U.S.-based tech market advisory firm ABI Research.
"Hopefully, however, it will give large corporations a push to revise and strengthen their cybersecurity strategies, especially those in critical infrastructure, and show them – yet again – that they are not exempt from common cyberattacks."
According to the executive, the pipeline's primary infrastructure weakness is unknown because the company has not revealed how the threat actors got in. Typically, she said, such groups gain entry through a mix of social engineering, such as phishing emails, and vulnerabilities in remote access mechanisms, and then use privilege escalation and lateral movement inside the infrastructure to identify weaknesses and assets.
"Many in the industry expected attacks against critical infrastructure of this nature and breadth to have been launched by nation states. However, despite global geopolitical tensions, most of the big powers have abstained from such large, public-facing, debilitating attacks against one another, as they could be considered acts of war. As such, and despite the dangers, cybersecurity efforts have been sporadic, fragmented, and half-hearted in critical infrastructure, leaving many gaping holes in security postures," Menting said.
"Unsurprisingly, the organized cybercriminal market has stepped in to pick the low-hanging fruit, but ransomware is such a profitable market that it has become highly competitive, with sophisticated ransomware gangs going after bigger and bigger targets. However, there is still a fine line for the types of companies organized crime is willing to go after. The closer these groups get to undermining critical infrastructure, the more dangerous they become to national security and the greater the risk of serious repercussions from concerned governments."
To prevent such hacks from happening, companies that take these threats seriously have a great many resources available, including guidelines, standards, regulations, best practices, technologies, architectures, strategies, and information-sharing processes. These tools are available at the public, private, and international levels, said the executive.
"The key is to understand that even the best cybersecurity solutions will not, and cannot, always guarantee absolute protection for all assets. Consequently, organizations large and small should always be prepared for an eventual attack, which means architecting their infrastructure so that it can continue to operate despite an ongoing attack while simultaneously recognizing and dealing with the threat. This is not an easy feat, but there are concepts such as zero-trust security and cyber-resiliency which can aid in creating such a posture," Menting said.