Colonial Ransomware Attack to Put Cybersecurity in the Spotlight
By Andy Wright & Cathy Landry
The Colonial Pipeline outage came amid a wave of new cyberattacks, several of them more sophisticated and far-reaching than any seen before. Over the past year, roughly 2,400 ransomware attacks have hit corporate, local and federal offices.
Despite calls for increased regulations to bolster cyber defenses following the Colonial Pipeline attack, Congress has a long and unsuccessful record of addressing cybersecurity threats. Previous efforts to mandate minimum standards of software security have failed to get through Congress, even after some notable and far-reaching attacks. Small businesses have said the changes are not affordable, and larger ones have opposed an intrusive role of the federal government inside their systems.
But this latest attack could mean Congress and regulators take action to introduce mandatory cybersecurity standards for all businesses and industries, including the liquid terminal industry. Already, the Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time to prevent a repeat of the Colonial Pipeline outage, an incident that highlighted the vulnerability of critical infrastructure to online attacks.
DHS' Transportation Security Administration is expected to issue a security directive shortly, requiring that pipeline companies report cyber incidents to federal authorities, the Washington Post reported May 25. TSA would then follow up in the coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked. The agency has offered only voluntary guidelines in the past.
Most businesses and many cybersecurity experts say mandatory standards could prove detrimental because they would require companies to focus on historical threat types instead of innovating and improving security to address the next attack. They say cyberattacks are rapidly evolving and companies need to remain nimble to protect systems.
President Biden Signs Cybersecurity Executive Order, Congress to Hold Hearings
Movement on regulations and legislation could be slow. So, stepping into the current void of regulation, President Biden on May 12 signed an executive order focused on helping both the public and private sectors prepare for and combat malicious cyberattacks. According to the White House, the Order aims to:
- Remove barriers to the sharing of threat information between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government by moving it to secure cloud services and a zero-trust architecture in place of outdated security models
- Improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available
- Establish a cybersecurity safety review board (modeled on the National Transportation Safety Board that investigates plane crashes) co-chaired by government and private sector leaders, that will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity
- Create a standardized playbook and set of definitions for cyber incident response by federal departments and agencies
- Improve detection of cybersecurity incidents on federal government networks
- Create cybersecurity event log requirements for federal departments and agencies
The order is part of a broad effort to strengthen the United States’ defenses by encouraging private companies to practice better cybersecurity or risk being locked out of federal contracts. But the bigger effect may arise from what could, over time, become akin to a government rating of the security of software products, much the way automobiles get a safety rating.
Although the new policies and standards in the executive order will apply only to federal agencies, there are still important implications for companies that do business with the federal government and for the private sector in general. For example, the Executive Order directs the federal government to develop a standard set of operational procedures for responding to cybersecurity vulnerabilities and incidents. Even if this standardized approach is voluntary for the private sector, the White House stated that the playbook would “provide the private sector with a template for its response efforts.” To limit legal liability, private sector entities are likely to follow this playbook in their own incident responses.
The Order was hailed by former Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs, who said the order “dramatically increases security expectations of the software products that are sold to the federal government.” The former top cybersecurity-focused federal official also noted that he thinks that “it's a really ambitious plan. I think it should be effective if implemented properly.”
Thus far industry has been cautiously optimistic about Biden’s order. Companies say the standards outlined could bring much-needed clarity to a confusing patchwork of existing federal cybersecurity standards, especially for companies doing business with the federal government. However, industry groups have cautioned that, as always, the devil is in the details. Defining security requirements for federal agencies and their software providers is a difficult task. Until those details are fleshed out, it is impossible to say if the order will move the industry toward a safer system.
Meanwhile, Congress isn’t letting the Colonial Pipeline outage pass without review, announcing May 24 that Colonial Pipeline CEO Joseph Blount, who has run the pipeline for nearly four years, will appear June 9 in a virtual hearing of the House Homeland Security Committee titled "Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure."
ILTA Shines Spotlight on Cyber Over the Past Few Years
ILTA has shone a spotlight on cybersecurity for its members over the past few years, and that work should aid the terminal industry both in bolstering its cyber defenses and in advocating on behalf of the industry with regulators and Congress as pressure for mandatory regulation grows.
Over the past few years, ILTA has hosted a cybersecurity expert for its Board of Directors, hosted a cybersecurity webinar for its terminal members in March, held a panel at its 2019 conference, and held ongoing sessions at its quarterly Environmental, Health, Safety and Security meetings. In addition, cybersecurity remains a focus of the ILTA Security Committee.
These efforts are a down payment on what is likely to become an increasingly important issue for the terminal industry.