Editor’s note: The following is a guest article from Matthew Parsons, senior director of product management, managed services at 11:11 Systems; Brian Knudtson, director of product market intelligence at 11:11 Systems; and Alex Reid, product architect at 11:11 Systems.
It’s been two years since a ransomware attack shut down the Colonial Pipeline, one of the largest and most vital oil pipelines in the United States.
Attackers took a compromised password, stole 100 gigabytes of data and infected the company's IT network. The shutdown of the 5,500-mile pipeline halted the movement of gasoline, diesel and jet fuel and impacted millions of businesses, consumers and travelers from Texas to New York.
The incident galvanized lawmakers, fueling one policy after another to ensure a national security threat like this wouldn’t happen again. The Department of Homeland Security issued its first-ever cybersecurity regulations for pipelines. U.S. agencies are now required to post a software bill of materials. The Cybersecurity and Infrastructure Security Agency ramped up its guidelines for zero trust awareness and improved frameworks. And a national cyber strategy wants to shift the burden of who is responsible for security.
Despite the government action, ransomware cases still went up in 2022 — 870 attacks against critical infrastructure entities alone. March 2023 broke ransomware attack records. Now, the Biden administration is seeking $26 billion in cyber funding for the 2024 fiscal year.
Two years have passed since the Colonial Pipeline incident, but not enough has been done to thwart future attacks like it.
The government can enact new guidelines all it wants — and they should be followed — but critical infrastructure organizations must still be more proactive to mitigate attacks. Right now, not enough are doing so, and here’s how they can change that.
Update legacy hardware and systems
Outdated hardware and software leave companies exposed to known vulnerabilities that make them easy targets for ransomware attacks. Despite this knowledge, organizations simply aren’t patching vulnerabilities or updating legacy tools. The result? Targeted attacks doubled in 2022.
The 2023 Ransomware Spotlight Report found that 76% of ransomware attacks in 2022 were tied to a known vulnerability made public between 2010 and 2019. CISA’s Known Exploited Vulnerabilities catalog lists 866 entries.
However, this same report found that 131 known vulnerabilities associated with ransomware have yet to be added to that catalog.
Updating your systems one time isn’t enough; you must do it regularly, as hackers continue to fine-tune their tactics. Routinely analyze your entire IT estate to ensure you’re following best practices around the National Institute of Standards and Technology Cybersecurity Framework and CISA’s Zero Trust Maturity Model.
Also, run vulnerability assessments whose results are reviewed by all responsible parties, so that new risks are continually identified.
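One way to turn the KEV catalog into a patching queue, as an added example that is not part of the original article: scan findings are matched against a KEV snapshot and ranked by how far past CISA’s due date each one is, while CVEs the catalog does not list are surfaced separately rather than dropped. The KEV field names are an assumption about the feed’s JSON shape, and the feed entries, host names and CVE-EXAMPLE ids are constructed placeholders.

```python
import json
from datetime import date

# Constructed snapshot shaped like CISA's KEV JSON feed. The field names are
# an assumption about the feed; the entries are made-up placeholders.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2023-03-01", "dueDate": "2023-03-22"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleHMI", "product": "Console",
     "dateAdded": "2023-04-10", "dueDate": "2023-05-01"},
]})

# Constructed scanner output: host -> CVE ids the vulnerability scan reported.
SCAN_FINDINGS = {
    "vpn-gw-01": ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-9999"],
    "hmi-console-03": ["CVE-EXAMPLE-0002"],
    "web-portal-02": ["CVE-EXAMPLE-9999"],
}

def load_kev(feed_json):
    """Index the KEV feed by CVE id so each scan finding is one dict lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, kev, today_iso):
    """Return (host, cve, days_past_due) for every finding that is in KEV,
    most overdue first. Negative days mean the KEV due date is still ahead."""
    today = date.fromisoformat(today_iso)
    queue = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # reported by unlisted(); not silently dropped
            due = date.fromisoformat(entry["dueDate"])
            queue.append((host, cve, (today - due).days))
    return sorted(queue, key=lambda item: item[2], reverse=True)

def unlisted(findings, kev):
    """CVEs the scan found that KEV does not (yet) list. They still need a
    risk decision; absence from the catalog is not evidence of low risk."""
    return sorted({c for cves in findings.values() for c in cves if c not in kev})

if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    for host, cve, overdue in prioritize(SCAN_FINDINGS, kev, "2023-05-08"):
        print(f"{host:16} {cve:18} KEV due date passed {overdue} days ago")
    print("not in KEV, review separately:", unlisted(SCAN_FINDINGS, kev))
```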
Basic multifactor authentication is a simple, yet effective measure that can prevent common types of ransomware attacks, such as those caused by exposed VPN passwords — which is what sparked the Colonial Pipeline attack.
One minor adjustment, and the attack could have been avoided altogether. However, fewer than one-third of companies currently use some form of MFA.
Enforce regular user training
It's easier to exploit a person’s limited knowledge of best cyber practices and gain access to sensitive information than it is to hack into the system itself — and malicious actors know this.
The human element continues to be a major driver in ransomware attacks: Verizon found that 82% of all breaches involve a human element, whether through phishing, smishing or other errors.
The best way to mitigate the risk of breaches from human error is to regularly schedule user training around best practices in basic security measures. However, it can’t be the only line of defense against ransomware attacks.
Make sure your software systems are prepared and ready to handle human failures so they don’t get taken down from one mistake. That includes implementing a zero trust framework that features all elements of NIST and CISA guidelines.
Know how to handle an attack before it happens
Cyber gangs often target companies for financial gain, but when it’s against critical infrastructure entities, there are additional risks to national security.
Because of that, companies need a thorough response plan in place so employees understand what to do — and when to do it — in the event of an attack. Implement robust incident response plans that include business continuity and disaster recovery components, as well as other data recovery methods that are widely understood by company leaders.
These plans should be continuously reevaluated and tested regularly.
It’s also important to consider the timing of disclosing a breach or attack to make sure it is appropriate, without causing unnecessary panic or compromising the security of information.
Companies should have a clear plan in place for how they will communicate with their stakeholders and the public, including what methods of communication they will use.
Complacency will cost you
No matter how much has been done to secure critical infrastructure over the past two years, we can always do more. Constant vigilance is key, particularly at companies whose compromise would carry national security implications.
Critical infrastructure organizations must continuously assess their security posture to ensure they are not leaving themselves or their customers' data exposed.
Regularly check for technology updates, continue to follow best practices around NIST and CISA’s recommended frameworks, run vulnerability assessments, and schedule user training to keep cybersecurity awareness intact.
Even with government policy, companies need to go one step further and remain proactive at all times. Not enough IT teams currently are, increasing the risk of sustaining a debilitating attack — not unlike that against Colonial Pipeline.