Colonial Pipeline Hack

Two years since the Colonial pipeline hack. Any lessons learned?

May 11, 2023

By Mark Stamford, CEO, OccamSec

It turns out that the Colonial pipeline attack wasn’t a pivotal moment in cybersecurity, because nothing has really changed since then. While the pipeline attack did get a lot of press coverage and put a spotlight on OT networks and critical infrastructure, both ransomware and cyber-attacks targeting OT infrastructure have continued unabated, and by many accounts have increased in frequency since Colonial. The City of Dallas was just hit last week with ransomware that affected several functional areas across numerous government agencies, for a recent example.

We want to believe that things are getting better, but the truth is—maybe—they are not. We spend millions of dollars on new security tools that never seem to work as described and continue to fail us over and over. After the attack, operational technology (OT)—the stuff that controls things like pipelines—came into focus and we learned just how insecure some of it is. That was followed by the usual infosec response: a spending increase, lots of articles, new tools, conferences, and so on, as there was a rush to fill the perceived vacuum that needed filling (which was actually a rush to create a vacuum in your wallet).

OT is used across industrial sectors (originally used to describe power-utility systems, it’s now in all energy areas, water supplies, and other areas of critical infrastructure). These systems used to be standalone and isolated (at least way back in the early 2000s when I was first looking at them), or they used proprietary protocols that had to be understood separately to get anywhere. Now, however, everything is connected together and these systems are more likely to use the standard protocols we all know and love.

With this, the attack surface has only grown.

The attack surface also continues to grow in non-OT environments. We are in a time of multi-cloud architectures (AWS is cool, Azure is cool, Google Cloud is cool—let's use all of them!) and hybrid environments using on-prem systems being accessed by a wide range of devices. Combine all of this with SaaS applications, BYOD, third parties, supply chains, etc., and the potential avenues for problems grow exponentially.

Now let’s ask ourselves…did Infosec keep up? No. And ChatGPT is not going to solve it either.

Now that we are in a time of cutbacks, security is going to suffer—it’s a cost after all—so if anything we may see a rise in successful attacks. There’s so much fatigue across infosec groups everywhere, especially when it comes to an overload of security tools that add to the noise without actually improving anything. But security teams are stuck with them because they had to stick their neck on the line to get them approved.

The correct response to the pipeline hack would have been to take stock of where we are, accept that we need some changes, and go from there. Instead, again, just more of the same (we even have pay-to-play “intelligence sharing” organizations). The economics of the problem remain in favor of the bad guys—they make a profit by causing you problems. You (probably) make a profit by spending less.

The economics of infosec, on the other hand, are really this—make a product, sell the product, sell the company. Done. So the majority of solutions start out with good intentions, but then economics take over and ultimately the customer suffers. In my last operational role, I bought various tools that were scooped up by bigger companies. We were told they would be supported, then one year later they were killed off.

Coupled with this are the economics of selling certifications, which can help you land a “hot security job.” Some of these are worthwhile, others are not; if you can learn all you need at a boot camp, it’s probably not the best cert. This means we have a further problem: people without the requisite knowledge, skill, or mindset deciding which of those tools to buy.

If things are going to get better, we have to stop doing more of the same. Successful security is about identifying business problems and developing solutions based on that. Furthermore, those solutions need to actually work. We need to confront the challenge of a constantly expanding, never-ending attack surface. We have to accept that the only way to maintain an effective cybersecurity posture is to try and be proactive (one of the infinite buzzwords, really, just use it to mean identifying problems where you can before someone else does).

Squeeze out the biggest bang for your buck, and spend that security investment wisely on what’s going to really help your organization. Small companies, in particular, have a minefield to navigate—they are either pitched security products that are slimmed down versions of what they really need, or oversold tools just to make someone’s quota.

You must test your defenses based on the real world, not just a checkbox exercise to meet a low-bar compliance requirement.

We have to realize there is no one-size-fits-all. There is no security silver bullet. What works for a large bank is not going to work for a small industrial company. Once we get comfortable with that, we will be in a better place to actually improve the situation. Every day can be a pivotal moment in cybersecurity if we choose to keep up the hard work of getting better.