Gasoline is flowing again down the Colonial Pipeline. Tanks are getting refilled, lines gone. Motorists are no longer panic hoarding and kicking themselves for not buying that plug-in Tesla.
It may take a little longer to lose that sneaking suspicion that civilization is on shakier foundations than thought. It’s cold comfort that the DarkSide hackers are “apolitical” and didn’t intend to cause social havoc, says Jonathan Reiber of AttackIQ. Because attacks like this broaden the imagination. Now that other groups see what’s possible they will try the same thing — but with more malevolent intent. And they’ll ask for a lot more than the $5 million that DarkSide allegedly extracted from Colonial.
“Five million is nothing to them,” agrees Mark Ostrowski, head of engineering at CheckPoint, who was impressed by reports that Colonial had backups from which it was able to recover the 100 gigabytes of exfiltrated data more quickly than by decrypting with the hackers’ recovery key. Indeed “five million is not a lot given the damage to reputation and productivity that was caused,” says James Reynolds, chief product officer at SecureAge. “They could have easily required 10 times that.”
And Colonial could have paid it. According to financial results filed with the Federal Energy Regulatory Commission, Colonial Pipeline Company has $3.1 billion of assets (against $2.6 billion of long-term debt) and generated net income of $420 million last year on $1.3 billion of revenues. Over just the past two years the company has distributed $820 million in dividends to its owners, including Koch Capital Investments, Shell Midstream, and three institutional investors. The Koch family, led by Charles, 85, controls a 28% stake in the pipeline company. Forbes estimates their net worth at $100 billion.
There is no amount of investment in cyber security that Colonial Pipeline cannot afford, and no excuses really for this kind of cyber breach, say experts. Indeed we’ve reached a point where the cost of an infrastructure giant not adequately preparing for “black swan” risks is often far higher to society than it is to the company that got hacked. Jennifer Bisceglie, CEO and founder of Interos, marvels at the string of disasters of recent months — SolarWinds, the Texas power grid collapse, the clogging of the Suez canal. “And now I have to stay home because I can’t get gas because someone hacked a pipeline,” she says. To top it off, Chick-fil-A is suffering a sauce shortage.
How can these things be allowed to happen in our postmodern economy? Too much just-in-time interconnection, not enough attention paid to resilience, says Bisceglie. Some of the most successful attacks begin by infiltrating the person who supplies the person who supplies you — making it every company’s responsibility to continuously map all their connections and proactively develop back-ups. “Not knowing is not ok anymore. Black swans are now examples of poor planning on your part,” she says. Interos offers clients tools for enterprise resilience, including A.I.-informed scenario planning and deep analysis of supply-chain connections.
Threats have been evolving for a decade, and the industry has matured, says Jonathan Reiber of AttackIQ. Far from being just the domain of pariah states for whom the internet represents an asymmetric force multiplier, hacker tools are everywhere. On the dark web you can rent denial-of-service-as-a-service.
With the exponential increase in the number of attack surfaces, the problem is only going to get worse. In the past year millions went to work from home, and now find themselves living in an online world with near-seamless connections between software apps for work, entertainment, banking, investments. “Cyber created a world without a perimeter that is now extended into our living room,” and interacting with us via A.I. helpers like Alexa, says Bisceglie.
Mark Ostrowski, head of engineering at CheckPoint Software, says chief information security officers must introduce so-called “zero-trust” architecture — in which not even devices and actors operating within a cybersecurity perimeter are considered safe, requiring multiple login protocols for any device attempting to connect to a system. And you need a security overlay sitting in front of your digital environment that is checking every link, every email, watching how devices are talking to each other, and being constantly updated.
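Ostrowski’s zero-trust point, as an added example that is not from the article or from Check Point: a small Python policy evaluator that puts the legacy perimeter model beside a zero-trust check, so the difference is visible on a concrete request. The request fields, the IP range treated as “internal”, the user names and the entitlement table are all constructed for illustration.

```python
"""
Added example (not from the article or from Check Point): contrast a
perimeter-trust access decision with a zero-trust one. Every name,
field and sample request here is constructed for illustration.
"""
from dataclasses import dataclass

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_700_000_000.0

# Constructed: addresses starting with this prefix are "inside the perimeter".
INTERNAL_PREFIX = "10."

# Constructed least-privilege table: which resources each user may touch.
POLICY = {
    "alice": {"scada-historian"},
    "bob": {"billing"},
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    token_expires_at: float   # unix time of identity-token expiry; 0 = no token
    mfa_verified: bool        # second factor completed for this session
    device_compliant: bool    # managed, patched, disk-encrypted, etc.
    resource: str


def perimeter_decision(req, now=NOW):
    """Legacy model: anything already on the internal network is trusted;
    only outside callers have to present a valid token."""
    if req.source_ip.startswith(INTERNAL_PREFIX):
        return True
    return req.token_expires_at > now


def zero_trust_decision(req, now=NOW, policy=POLICY):
    """Zero-trust model: identity, second factor, device posture and
    entitlement are checked on every request, regardless of source network.
    Returns (allowed, reasons) so a denial can be logged with its cause."""
    reasons = []
    if req.token_expires_at <= now:
        reasons.append("identity: no valid token")
    if not req.mfa_verified:
        reasons.append("identity: MFA not completed")
    if not req.device_compliant:
        reasons.append("device: posture check failed")
    if req.resource not in policy.get(req.user, set()):
        reasons.append(f"authz: {req.user} not entitled to {req.resource}")
    return (not reasons, reasons)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # 1. Healthy request: internal, valid token, MFA, compliant, entitled.
    AccessRequest("alice", "10.0.5.7", NOW + 3600, True, True, "scada-historian"),
    # 2. Internal host with no token, no MFA, failing posture: the case the
    #    perimeter model waves through simply because it is "inside".
    AccessRequest("alice", "10.0.5.9", 0.0, False, False, "scada-historian"),
    # 3. Fully authenticated external user asking for a resource outside
    #    their entitlement: least privilege, not location, decides.
    AccessRequest("bob", "203.0.113.4", NOW + 3600, True, True, "scada-historian"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Evaluate each request under both models; returns a list of
    (perimeter_allowed, zero_trust_allowed, reasons) tuples."""
    out = []
    for req in requests:
        zt_allowed, reasons = zero_trust_decision(req)
        out.append((perimeter_decision(req), zt_allowed, reasons))
    return out


if __name__ == "__main__":
    for req, (p, z, why) in zip(SAMPLE_REQUESTS, compare()):
        print(f"{req.user}@{req.source_ip} -> perimeter={p} zero_trust={z} {why}")
```

Request 2 is the one the article is warning about: the perimeter model allows it purely on network location, while the zero-trust check denies it three times over and records why. Request 3 shows that authentication alone is not enough either; the entitlement check is what enforces least privilege.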
Some believe we’ve reached the point where cyber-precautions can’t just be left up to the private sector. Richard Glick, a commissioner at the Federal Energy Regulatory Commission, called this week for mandatory cyber standards and wants oversight of pipeline cybersecurity to move from Homeland Security over to the Dept. of Energy or FERC.
The Biden Administration acted as well this week. Sec. of Energy Jennifer Granholm assured Americans that pipelines are “the best way” to transport vital fuels, and on Wednesday President Biden signed an executive order.
Robert Cattanach, partner at law firm Dorsey & Whitney, parsed the order for us: “By mandating prompt disclosure of cyber events by federal contractors, establishing a lessons learned process, and more rigorously vetting the reliability of newly defined ‘critical software’ through the lens of a ‘Zero Trust Architecture,’ the process-heavy Order will focus both attention and resources on a hugely vulnerable component of the day-to-day functioning of both the public and private sectors.”
Some would go a few steps farther. James Reynolds, chief product officer at SecureAge, thinks regulatory agencies should require companies that provide critical infrastructure to allocate a large portion of operating budgets to cyber protection. He would like to see a requirement that infrastructure providers hire third-party hackers on a regular basis to attempt break-ins. And he wants infrastructure companies to actively partake in DoD/DHS annual cyber wargames.
The experts agree: it’s better to proactively stay on top of your cyber self-defenses than wait for government edicts to act. Know that hackers are opportunists — they will try every door of every car in the proverbial darkened parking lot, and will steal the ones that have been left unlocked. Always make backups, and devil take the hindmost.