[BreachExchange] The Colonial Pipeline Incident Shows the Need for Broader Thinking about Cyber Resilience
Audrey McNeil
audrey at riskbasedsecurity.com
Thu May 20 18:50:11 EDT 2021
https://www.cfr.org/blog/colonial-pipeline-incident-shows-need-broader-thinking-about-cyber-resilience
Colonial Pipeline, which operates one of the largest pipelines in the
United States, chose to shut down thousands of miles of pipeline as a
result of a ransomware cyberattack that the Federal Bureau of Investigation
attributed to the Russian criminal group, DarkSide. This incident came on
the heels of the Institute for Security and Technology’s release of a task
force report on combating ransomware. Cybersecurity experts have been
sounding the alarm about the threat posed by ransomware and, specifically,
its use by criminal organizations for years. In 2019, there were over 100
known ransomware attacks perpetrated against state and local governments,
including large American cities like Baltimore and Atlanta. And more
recently, the Microsoft Exchange hack, linked to China, raised the
possibility of criminal actors exploiting network vulnerabilities to
conduct ransomware attacks.
While there has been a great deal of recent debate about the respective
roles of offense and defense in cybersecurity, the Colonial Pipeline
episode highlights that a core policy challenge remains cultivating the
resilience of U.S. critical infrastructure. At an organizational level,
cyber resilience involves anticipating and preparing for adverse cyber
events (whether they stem from nation-state or criminal entities);
withstanding and rapidly restoring critical systems and processes when
cyber incidents inevitably occur; and learning as an organization in their
wake.
Policymakers have been paying more attention to cyber resilience. The U.S.
Cyberspace Solarium Commission’s March 2020 report, for example, contains a
range of policy measures aimed at this. The Biden administration tapped
Caitlin Durkovich, who has a cybersecurity background, to serve as senior
director of resilience and response on the National Security Council. On
the private sector side, resilience has long been a prominent concern as
industry grapples with how to invest in it and develop and promulgate
standards and best practices.
However, what is publicly known about the Colonial Pipeline incident
illustrates an important gap in current thinking about resilience. Much of
the conversation around cyber resilience focuses on how organizations can
rapidly restore services and resume operations following disruptive or
destructive cyber events. For the most mature organizations, these types of
resilience measures include backup strategies, data vaulting, implementing
zero-trust architecture, and cloud migration.
The ability to rapidly restore services and reduce the impact of
disruptions is foundational to any cyber resilience program. While it is
not yet clear whether it was Colonial Pipeline’s proactive measures that
mitigated the consequences of the cyberattack, or its decision to pay the
nearly $5 million ransom, the company was able to restore service within a
matter of days. But these types of resilience measures are only part of the
answer. One of DarkSide’s and other criminal groups’ tactics, techniques,
and procedures (TTPs) is that if an affected entity refuses to pay the
demanded ransom—perhaps because that organization has measures in place to
recover lost data—then the group will threaten to publicly expose
exfiltrated sensitive information (also known as “doxing”). On the Dark
Web, DarkSide has posted stolen data from affected entities that refused to
pay ransom, potentially causing reputational harm, liability exposure, or
loss in share value if an organization is publicly traded. In other words,
quickly restoring services—itself a significant feat—could be insufficient.
Organizations could apply a range of measures to mitigate the consequences
of doxing. For example, organizations could implement data loss prevention
measures to more rapidly alert network defenders to anomalous behavior and
prevent the exfiltration of sensitive information. For example, in the case
of Colonial Pipeline, DarkSide was able to abscond with over 100 gigabytes
of data in two hours. This activity should trigger defensive controls and
further investigation. While this will not prevent all exfiltration, these
measures could limit its scale and create additional opportunities for
detection if the threat actor is not fully aware of the triggers that could
set off an alert to defenders. In other words, even though threat actors
will inevitably adjust their TTPs, more robust data loss prevention
controls will force a slower and more methodical exfiltration from the
threat actor, increasing the potential period of detection.
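To make the detection point above concrete, here is an added example (written for this post, not code from the CFR article, Colonial Pipeline, or any vendor product): a volume-based egress alert that sums outbound bytes per source host over a sliding two-hour window and raises an alert when the total crosses a threshold. The flow-record format, the hosts, the destinations, the byte counts and the 50 GiB threshold are all constructed assumptions chosen to illustrate the mechanism; a real deployment would tune the window and threshold to each host's observed baseline.

```python
"""Sliding-window bulk-egress detection over constructed flow records.

Added illustration, not part of the original post. The record layout
(ISO timestamp, source host, destination, bytes out), the sample hosts
and the threshold are assumptions, not data from the incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GiB = 1024 ** 3
MiB = 1024 ** 2

# Constructed sample flow records (assumed format): one tuple per outbound
# transfer summary. Designed so that fileserver-01 pushes 70 GiB inside a
# two-hour window while backup-02 sends 30 GiB twice, three hours apart.
SAMPLE_FLOWS = [
    ("2021-05-07T00:00:00", "backup-02", "198.51.100.5", 30 * GiB),
    ("2021-05-07T01:00:00", "fileserver-01", "203.0.113.10", 30 * GiB),
    ("2021-05-07T01:10:00", "workstation-07", "203.0.113.10", 200 * MiB),
    ("2021-05-07T01:45:00", "fileserver-01", "203.0.113.10", 40 * GiB),
    ("2021-05-07T02:30:00", "fileserver-01", "203.0.113.10", 35 * GiB),
    ("2021-05-07T03:00:00", "backup-02", "198.51.100.5", 30 * GiB),
]

WINDOW = timedelta(hours=2)          # assumed detection window
THRESHOLD_BYTES = 50 * GiB           # assumed per-host outbound ceiling per window


def detect_bulk_egress(flows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return one alert per source host whose outbound bytes within any
    sliding window of length `window` exceed `threshold`.

    Flows may arrive unsorted; they are processed in timestamp order.
    Each alert records the host, the timestamp at which the threshold was
    crossed, the bytes counted in that window and the destination of the
    flow that tipped it over.
    """
    recent = defaultdict(deque)   # host -> deque of (timestamp, bytes) inside the window
    running = defaultdict(int)    # host -> sum of bytes currently inside the window
    alerted = set()               # hosts already reported, to avoid repeat alerts
    alerts = []

    for ts_str, src, dst, nbytes in sorted(flows, key=lambda f: f[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, nbytes))
        running[src] += nbytes

        # Evict transfers that have aged out of the window for this host.
        while q and ts - q[0][0] > window:
            _, old_bytes = q.popleft()
            running[src] -= old_bytes

        if running[src] > threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "host": src,
                "window_end": ts_str,
                "bytes": running[src],
                "last_dst": dst,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_egress(SAMPLE_FLOWS):
        print(f"ALERT {alert['host']}: {alert['bytes'] / GiB:.0f} GiB outbound "
              f"by {alert['window_end']} (last destination {alert['last_dst']})")
```

Run against the sample records this reports only fileserver-01, at 01:45, because its two transfers inside the window add up to 70 GiB; backup-02 never trips it because its second 30 GiB transfer lands after the first has aged out. The design choice worth noting is the sliding window rather than a fixed daily total: an actor pacing exfiltration to stay under a daily cap still shows up if the per-window threshold is set from each host's normal traffic, and a lower threshold for workstations than for backup servers is the usual next refinement.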
From a policy-making perspective, a big challenge with ransomware is that
companies have an incentive to keep information about incidents surrounding
ransomware activity private—particularly if they decide to pay the demanded
ransom. This limits the ability of the government or other potentially
affected entities (or the private cybersecurity providers they hire), which
could be targeted by the same threat actor or by other threat actors
employing similar tactics, to have a more complete understanding of the
threat environment. This perspective is important to be able to adapt
investments in controls and defensive postures to keep pace with the
changing threat environment. Keeping incidents private has other negative
implications for the broader ecosystem—it diminishes information available
to insurers and others to model risk and accurately price products; it
undermines the education of political leaders and the public at large; and
so on.
Improving reporting requirements could help to address this gap. Some
reporting requirements already exist, particularly for regulated industries
and publicly traded companies; and other elements of the energy sector are more
closely regulated. However, many requirements do not sufficiently
incorporate up-to-date cybersecurity best practices and are not necessarily
consistent across different stakeholders. Therefore, policy actions like
updating requirements in the Sarbanes-Oxley Act to more systematically take
into account cybersecurity; institutionalizing Securities and Exchange
Commission guidance on cybersecurity risks; and passing a National Data
Breach Notification Law (all of which were recommended by the Cyberspace
Solarium Commission) would lead to notable improvements. The Biden
administration’s recent executive order is a step in the right direction,
particularly with respect to breach notification requirements, but it only
directly affects federal government information systems and acquisitions
(although it could have broader positive spillover effects). To influence
the broader private sector ecosystem, given that regulators are an
important driver of industry behavior, regulatory requirements should be
more adaptable to changing environments.
Although DarkSide apologized for the geopolitical consequences of its
ransomware attack and announced that it was disbanding, other criminal
groups may not be as circumspect about targeting critical infrastructure
in the future. Resilience standards should not become simply a compliance
checklist and the goals of resilience are not simply recovery and the
continuity of operations. Rather, there needs to be a more agile
understanding of what it means to be resilient as an organization in an
evolving threat environment.