View from Washington: Colonial Pipeline’s teachable moment
The cyber attack that sparked panic-buying at US petrol pumps also made the risks involved much easier to understand.
Will the ransomware attack on Colonial Pipeline finally prove to be the wake-up call governments and industry have long needed over cyber security?
While extremely serious, the attack still was perhaps not as serious as last year’s SolarWinds assault on the US government (and, indeed, a number of its allies, including the UK). The difference is that the pipeline hack has been far more readily communicated.
Long lines of panic-buying East Coast drivers bemoaning continuously increasing pump prices made for a nicely concrete illustration of risk, particularly when compared to some ‘abstract’ digital theft of intellectual property or sensitive data.
Describing why that happened is also relatively straightforward: Colonial Pipeline shut down 5,500 miles of infrastructure serving roughly 45 per cent of the East Coast’s fuel needs because Russia-based cyber criminals locked the company out of its accounting system and it could not be sure that system was sufficiently fenced off from the operational systems controlling the pipelines themselves. The alarmingly basic shortcomings exposed are self-evident.
A third important strand is that a clear narrative that has had demonstrable social consequences has broken some of the shackles that previously confounded federal intervention.
The Biden administration quickly went on the offensive against the cyber criminals (Colonial’s hacker DarkSide had disappeared from even the dark web as this article was posted), but more significantly, it has moved forward on requiring its software suppliers to meet core cyber-security standards – creating de facto hallmarks of approval for the industry – and is openly discussing mandatory federal cyber-security standards for the private companies that own and operate the US’s energy infrastructure.
Ideas that were once seen as unwarranted impositions on the free market and its efficiencies suddenly look much more politically viable, even essential when some so-and-so seeks to get between an American and his or her steering wheel.
Globally too, Colonial Pipeline has earned column inches largely thanks to the US’s love affair with the automobile where other major infrastructure assaults have not. For comparison, one thinks most immediately of the attacks on Ukraine’s national power grid in 2015 and 2016.
So, yes, everybody, this looks very much like that wake-up call.
And let’s face it, as unwelcome as this latest US hack has been, it was also almost something that needed to happen and be widely reported. Because it is not as though today’s cyber-security risks are unknown.
In a 2019 Siemens survey of energy infrastructure providers, 56 per cent acknowledged having already suffered a shutdown or loss of critical operational data. Closer to home, the recently-released 2021 UK government Cyber Security Breaches Survey points to 39 per cent of companies having suffered a breach or attack in the last 12 months (down slightly from 2020, probably due to reduced economic activity during the pandemic).
Meanwhile, as more businesses become more digital (with utilities very much part of the trend), the surface that cyber criminals can attack is growing at a prodigious rate.
Some good news for the UK is that the IET itself is one of the 16 organisations behind the new government-mandated UK Cyber Security Council, formally established at the end of March. As well as building out a national cyber-security profession and promoting new practices and technologies, it will seek to influence and guide regulation. Events in the US highlight how important and increasingly pressing a task that is now.
This will supplement the work already done in promoting best practice, advice and alerts through the National Cyber Security Centre (NCSC) (its ‘Weekly threat reports’ are eminently bookmarkable), and the work of these organisations then highlights the fourth important aspect of the Colonial Pipeline attack: it became extremely public.
Cyber attacks are typically kept secret, mostly for reputational reasons, often because a ransom is paid (Colonial Pipeline did reportedly cough up $5m). The problem again here is that while we are repeatedly confronted with worrying numbers like those above, tangible and teachable examples of how bad things can get are much rarer – leading to the paradox that without them they will inevitably become less rare in reality.
So, assuming that you have found Colonial Pipeline entirely ‘gettable’, here’s a start: the NCSC’s own quick start guides for everyone from families to large organisations. Can it really wait any longer?
Because one other datapoint from the Siemens survey does rather bring you up short. While 56 per cent of those utilities confirmed attacks, only 31 per cent said they felt confident about being able to respond to and contain a breach.