Colonial Pipeline Attack Underscores Need for Cyber-Readiness in All Critical Infrastructure

The Colonial Pipeline Cyber Attack

Colonial Pipeline is a privately held company headquartered in Alpharetta, Georgia. Colonial is one of the United States’ largest pipeline operators and transports over 100 million gallons (or 45%) of fuel used across the East Coast (including gasoline, jet fuel, diesel, and home heating oil). The pipeline covers approximately 5,500 miles, spanning an area from New York to Texas.

On Friday, May 7th, 2021, Colonial Pipeline halted activity after a cyberattack by a group called Darkside. The criminal hackers successfully penetrated Colonial Pipeline’s network, targeting business divisions within the company. Once in, Darkside threatened to hold Colonial Pipeline’s data hostage until a ransom was delivered.

That evening, Colonial Pipeline CEO Joseph Blount agreed to pay Darkside $4.4 million (in bitcoin). According to an article published by the Wall Street Journal, Blount authorized the payment,

“because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.”

The shutdown affected the East Coast for several days. Panic over fuel shortages resulted in a wave of consumer hoarding and spiked fuel costs.

 

Government Involvement and Response

Upon learning of the cyberattack against Colonial Pipeline, the FBI launched an investigation, partnering with the Cybersecurity and Infrastructure Security Agency (CISA) to determine how the breach occurred and what actions should be taken to prevent incidents like the one at Colonial from happening again.

Formed in 2018, CISA falls within the Department of Homeland Security (DHS) and was created to

“Reorganize the DHS’ National Protection and Programs Directorate (NPPD) into a new agency and prioritize its mission as the Federal leader for cyber and physical infrastructure security.”

Critical infrastructure components like the Colonial Pipeline and utilities like electricity, gas, telecommunication, and even election infrastructure are managed and operated in the private sector and fall outside the purview and authority of CISA.

To date, CISA has been largely dependent on the voluntary cooperation of these privately held entities, many of which have contracts that preclude them from sharing security-related information with outside entities. Additionally, many private entities have been reluctant to share with the government that they have been victims of a cyber attack for fear of litigation from customers.

This week, President Biden signed an executive order that will require federal agencies to adopt strengthened cybersecurity measures. Additionally, the White House is asking Congress to commit $10 billion to civilian government (Defense contractors) in 2022.

 

Can Money Solve the Cybersecurity Problem?

Money by itself can’t solve this problem. For new or additional funding to make a positive impact, it needs to be spent effectively.

Funding + Policy + Enforcement = Improvements and Results

Standards like DoDD 8140, 8570, and the NIST/NICE standard should dictate the policy. Once the policy is in place, systems and practices should effectively illustrate how well the policy is being enforced. Only then can funding be effectively allocated to address needs within the policy like:

  • Recruiting
  • Targeted Training
  • Up-skilling

 

All ships must rise simultaneously to make a positive impact on the industry as a whole.

 

Government Oversight in the Private Sector

One of the most glaring cybersecurity issues facing the U.S. today is the attacks on privately held businesses like Colonial Pipeline. These companies are critical to our infrastructure yet don’t receive the same oversight and aren’t mandated to adhere to the same standards as government agencies.

Our opinion is that if a business is “too big to fail,” it’s critical to our infrastructure or national security and should fall under DHS oversight. As it stands today, privately held companies aren’t required to adopt and follow a standard or even report a data breach to the government. In many cases, these businesses contend that doing so would open them up to litigation from customers and shareholders.

This issue is getting more attention in Washington D.C. now with the Colonial Pipeline attack. Still, attacks like these will continue regardless of how much funding the government supplies because these critical infrastructure businesses aren’t held to the same accountability standards as government agencies.

 

Cyber Readiness Is Key in Combating Future Attacks

Understaffing

According to predictions from Cybersecurity Ventures, there will be an estimated 3.5 million cybersecurity jobs available in 2021. As cyber-attacks continue to rise, government agencies and private companies will constantly find themselves in dangerous situations.

Larger and Repeated Breaches

As we recently presented, the SolarWinds breach, arguably the most significant breach in history, went undetected for months. Four government agencies failed to discover the breach and were unwilling to accept responsibility, leaving America vulnerable to future attacks like Colonial Pipeline.

Lack of Cybersecurity Governance

Cyber threats are ongoing and forever evolving. Instead of one-off, fix-it-and-forget-it solutions, organizations need to embrace a holistic, enterprise approach to cyber readiness. These strategies will allow for better identification, mitigation, and protection against attack.

 

Why CyberSTAR™?

CyberSTAR is the trusted source for ongoing cyber training. Used by the DoD, other government agencies, and corporate customers, it is the most effective automated credentials management and cyber workforce compliance system available, with over two million registered users.

CyberSTAR helps streamline processes and maintain current credentials for your cyber workforce by:

  • Ensuring proper training and certification (including DoDD 8570, DoDD 8140, NIST NICE, and other commercial standards)
  • Matching personnel and roles to contractual or regulatory requirements
  • Forecasting, planning, and recruiting workforce
  • Continuous compliance and on-demand reporting
  • Reducing the cost and complexity of identifying skill gaps

 

CyberSTAR is the one source of truth for all your cyber training and certification—evaluating, expanding, and enhancing your organization’s cyber readiness.