Colonial Pipeline: Inherent flaws in the national cybersecurity strategy

Miles Tappin, VP of EMEA at ThreatConnect, explores why the recent Colonial Pipeline ransomware attack has exposed a significant weakness in the US national cybersecurity strategy

The recent ransomware attack on Colonial Pipeline should serve as a stark reminder to those responsible for critical infrastructure about the importance of security. Organisations must adopt a risk-led security strategy backed by a real-time decision and operational support system to mitigate and reduce the risk of future threats. This attack not only brought one of the US’s most vital energy infrastructures to a dramatic halt, but also revealed a critical flaw in the country’s cybersecurity strategy.

These new incidents should serve as a warning sign for critical infrastructure owners, operators, regulators, and the Department of Homeland Security. Although significant effort has gone into protecting industrial control systems over the last decade, they remain vulnerable to a range of cyber threats due to the interconnectedness between operational networks and businesses. These interconnections reveal the networks that underpin our economy and way of life – networks that are becoming increasingly vulnerable to sophisticated threat actors and cyber attacks.

The increasing sophistication and speed of nation-state attacks, combined with an ever-expanding attack surface, calls for organisations to urgently prioritise and accurately quantify and prioritise cyber risks.

The risk, threat and response strategy

President Barack Obama put the US on course to adopt a risk-led cybersecurity strategy in 2013 when he issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity. That was followed by additional measures put in place during the Trump administration. But it was the 2013 order that produced what became known as the NIST Cybersecurity Framework. The vision for the Framework was to create “a prioritised, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.”

Today, the Framework remains a “living” document. But even living documents are not sufficient to address the cyber risk prioritisation needs of critical infrastructures, and they are incapable of turning threat intelligence into action. The first step in defending critical infrastructure starts with understanding the strategic advantages of shifting to a risk-led security programme. Without understanding that risk is a business issue, not a technical issue, critical infrastructure owners and operators will likely not focus their resources on the right things.

That’s why the Risk-Threat-Response strategy is so vital. Business leaders who understand the risk, threat, response paradigm are better equipped to understand prioritisation and resource allocation.

Effective cyber threat intelligence programmes

Keeping pace with today’s advanced adversaries – specifically with the adversaries that matter most to your particular organisation – also requires a focus on cyber threat intelligence. Without this focus, this core security concern will remain for years to come. But to develop an effective cyber threat intelligence (CTI) programme, you need to constantly harvest and process knowledge about threat actors, not just specific incidents that impact your network—knowing the who, what, where, how, and when of the adversaries’ actions is the only way to decrease their chances of success. But the volume of intelligence is so massive that tracking and understanding adversarial actions can be overwhelming.

However, the difference between a good CTI programme and a great CTI programme is its ability to communicate value to the business in terms of risk. This is a realisation that many have come to within the threat intelligence community and a core reason why the discussion around cyber risk quantification is heating up in these circles.

A great CTI programme helps inform an organisation’s risk quantification platform by adding context and enriching understanding of threats and vulnerabilities. It aligns the entire business to the threats that matter most based on primary (initial response) and secondary loss (the damage to the company resulting from the breach) magnitude.

Connecting the dots between threat intelligence and operations

With highly sophisticated criminal and state-sponsored adversaries on the rise, businesses need to stay one step ahead. Over time, businesses and organisations being in a constant state of reacting to threats, vulnerabilities and incidents will be a recipe of disaster.

The result of threat intelligence driving orchestrated actions can create or enhance existing threat intelligence. As a result, a feedback loop is created — threat intelligence drives orchestration and orchestration enhances threat intelligence. However, having a risk-informed decision and operational support platfrom that can aid the owners of critical infrastructure in prioritising the risks that matter most and leveraging threat intelligence to drive orchestrated response is more important.

Connecting the dots between business and cybersecurity is an aspirational goal for those finding difficulty grasping where to begin, and this, in the critical infrastructure space, is something that can no longer continue.