It has been reported that the Department of Homeland Security has announced new requirements for U.S. pipeline operators to bolster cybersecurity following Colonial Pipeline ransomware attack. In a statement, DHS said it would require operators of federally designated critical pipelines to implement “specific mitigation measures” to prevent ransomware attacks and other cyber intrusions. Operators must also implement contingency plans and conduct what the department calls a “cybersecurity architecture design review.
<p>This is good news. Anything that gets us better secured is a good thing. It will also likely not work. Why? Because it is hard to be perfect and every organisation is already trying to do computer security perfectly. Adding another requirement on top of all the other requirements and regulations overtop of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber attacks. It cannot hurt…but it is not likely to be the final nail in the coffin that defeats all malicious hackers and malware. Well, what then will it take? For one, we need to make it harder for malicious hackers and malware to hide. Hackers hack and spread malware because they either cannot be traced or cannot be arrested and punished when caught. A malicious hacker is more likely to be struck by lightning, twice, than to get arrested for hacking.</p>
<p>We need to significantly secure the internet itself, to make it more secure by default. We will stop more bank robbers when we stop allowing so many banks to be robbed and for all the bankrobbers to get away. There are ways to make the internet significantly more secure. I have written on this topic for decades and recently re-submitted plans for how to do so to CISA and other internet security groups. We have the technology. We do not have to re-invent the wheel. We just need the right people in the same room and a true willingness to solve the problem. I do not want to undersell how hard it is to get people to agree on anything, much less how to fix the internet. But it is not a technical problem. It is a sociological problem…it is a human problem. One day, some digital 9/11-type event will happen to the internet, and when it does, enough enemies and competitors will come together against a common foe that we actually get the support to push the new technology. The technology is there. We are just waiting for agreement. Until we get a far more secure internet and global agreement on digital crimes, we will fight malicious hackers and malware. One more regulation on an industry is not going to change the problem. How do I know? Because we have had three decades of increased regulation and the problem is only getting worse each year.\"<img class=\"CToWUd\" src=\"https://ci5.googleusercontent.com/proxy/2XD3d_u92tuuimm9AWHJGU-vt34wLrE2JJVv5qYWLvuG1frPH4sCyA4p6XgjvSvvafE5uwAMl5y3T5sf3p5waz5emKB9jgnB5p5Lz1qgWXzkCBXaxY8rdvX1aUPGEIrwSnLW6q2eFTotPHlXCdCEo_hqNk4PCnTGan3QLvxlLK-YMPq6ZfXgmJfbltjp7gD3nve_DQG6sU74gWACIWB0cVdiUoc06RzyO9ZLTHebZF0YClOIOKkM3wdXHsMSsQk2gZQHPvuD1OQNnAdUZK1rdPGixRvew4gzio57wwBPtnK3RpHiQ9-IHgM3C_-MNKnNhXj2S1gGnbm9UsM5cwVyLlrbKwiOcmfB7tazFONelBS3xYcrkfLZgLNE-QxUqDhCRwXwGvd0KoKVeZusfgtk0uuk_JP2kY0fyamZNp8RJTNuFMEtdUCHNP4OEVNGm6qXtzaWFFImxp7HPKG5IlTj6m891peGx8Dmmo85ISW3pUrIXLTXmBzG4NzHcMU1L_cEbdtKWJ_EQPbGzAtBgCBCgGN8ga4XU2SFvoVtjh7EzrVvms_HXyEnhh–TLqONCRI5gk6n65JMY_qHUaWHLyTFQx5zpjq1dvj0kSgjFPfEqez3KkMeCmsDyM=s0-d-e1-ft#https://u7061146.ct.sendgrid.net/wf/open?upn=CwffFhHzH-2F8AytMf4pRK8PqLSPZ8NCqxlAclJe3h8Vsy0MdHwJqp5xwJH41tlwXzBeKrQMWiCt6eTu4dpsuA9EFO0TpfZe7eEIr5gfPVUCjYIjfnB76XpwyQlNOz4F-2FvDd8Oi7oCbpVwO50Mddg-2Bbmg2cKip9bio8dFsjyZAqQgRcUqX8Dd6S-2FC7o6lBicmx8tNVrvlGd4aQ8-2FcnNoSYQAldOMGzeOvu6vOGdV9VVmZv0BgA9-2FnmRYkQX5E5iKAe5zUcrQOaoGwxj0JbKtyfibWTVtAsGZfGOO137lI1YHqbHPFisx4fGm-2BHR1Z71-2BlxbzG-2FMgkioOzIbEU0lfBDPJ37pt92ikW-2B4-2BcJfCCX2gyguc7zUyAimbFw-2B4H1IzY1\" alt=\"\" width=\"1\" height=\"1\" border=\"0\" /></p>
<p>In the case of Colonial Pipeline, the pipeline operations were halted due to the inability for the operator to bill customers. While this particular attack didn’t affect OT systems, Colonial Pipeline reportedly did fear that the attackers gained information allowing them to potentially attack OT areas of their operations. In the OT/IT evaluations that I’ve conducted over the past 12+ years, I have observed many violations of basic security concepts. This is particularly the case in industries largely free of directed regulation (unlike the financial industry, for instance). Some of the standard security controls include asset inventories, secure configurations, network segmentation, incident response and disaster response planning, technical solutions around backup and recovery, network and host protection technology (e.g., NIDS, AV, DLP). Security hygiene practices around incident response and disaster response are key when it comes to ransomware attack potential in terms of business continuity and damage control. If a system is impacted by an attack, with a strategy in place, organisations are better positioned to minimise the effects of finding themselves helpless to the demands of the ransomware attackers.</p>