The news media is full of reports on the Colonial Pipeline ransomware attack.
This isn't the first case of cybersecurity failure by a business.
Sadly it's not likely to be the last until something is done.
Why do events like this happen?
The simple answer is that companies fail to take the necessary steps to protect critical infrastructure despite warnings.
Here’s a February 2020 alert from the US’s Cybersecurity and Infrastructure Security Agency to pipeline operators.
That warning describes:
the nature of the attack, tools used -- apparently an “off the rack” hacking program
the results of the attack
19 mitigation steps -- many of which are "common sense"
The unnamed company in this case, did not think that its BCP need include cybersecurity.
If you look at the attack results, you’ll see that the vulnerability was Microsoft software.
As my elder and wiser brother has remarked more times than I care to hear:
There is no need to worry about “microchips” in medicines. Microsoft has never developed a product that works flawlessly.
If you look at the CISA alert for Colonial Pipeline, guess what you will find?
Significant repetition from the alert above given some 15 months earlier.
And as above a lot of these recommended steps seem fairly easy to implement.
So what causes the failure to prepare?
Management and organization incompetence is no doubt responsible in some cases.
But on its website, Colonial Pipeline states that it is “Committed to Excellence”.
It is a private company reportedly owned by Shell, Koch Industries, KKR with a Korean pension fund, and several other pension funds and financial firms.
You would expect that it has first class management.
And the financial, technical, and human resources to take appropriate measures.
It was quite a profitable enterprise based on its 1Q2019 financials.
It has demonstrated security “awareness” in other areas.
CP’s website has a “captcha gate" to keep out undesirables. I was, however, allowed entrance after performing a few Turing tests.
I don’t know whether this is a new feature installed after the ransomware attack (closing the proverbial barn door) or has been there for a long time.
Even stricter is the security for access to investor information.
You have to submit a request to CP’s Investor Relations Department with personal details and a justification of your need to know.
And they note they just might refuse your request!
Talk about cybersecurity!
At least with respect to financial and corporate information.
Because the ransomware attack was successful, one might infer that similar security measures were not in place to protect pipeline operations.
Improving cybersecurity requires expenditure.
Sometimes management are unwilling to spend the money.
So what is to be done?
Repeated failures in cybersecurity suggest that faith in companies properly managing their affairs is more often than not misplaced.
As well, the invisible hand of the market appears to not only be invisible but also consistently absent in these cases.
If Hometown Deli in New Jersey is shut down by a cyber attack, it’s one thing.
If a major pipeline is shut down, it’s another.
In one case it causes inconvenience.
In the other it harms national security.
In the latter case -- a failure of the market -- the prudent approach is strict regulation along with substantial fines and other penalties.
If a critical infrastructure company cannot figure out on its own that cybersecurity is critical, a statute will make it a requirement and penalize a company financially and otherwise, e.g, revoke its license to operate critical infrastructure, if it fails to develop and implement one.
Related post here.
Posts
