2 Years after Colonial Pipeline, U.S. critical infrastructure still not ready for ransomware
As the second anniversary of the massive ransomware attack on Colonial Pipeline nears, experts warn that efforts to thwart the potentially debilitating threat to US critical infrastructure have not been enough.
The cyberattack on Colonial Pipeline's IT infrastructure forced the company to shut down its entire pipeline operations for the first time ever, triggering a fuel shortage and price hikes that prompted four US states along the East Coast to declare a state of emergency. The incident immediately elevated ransomware to a national security level threat and galvanized concerted action from the Executive Branch down.
Since the attack — and another one shortly thereafter on JBS that threatened domestic meat shortages — the US government has said it would treat the use of ransomware on critical infrastructure as terrorism. An Executive Order signed by President Biden just days after the Colonial Pipeline attack mandated new security requirements for critical infrastructure organizations. And there have been numerous other initiatives at the federal level and by regulatory bodies to bolster resilience to attacks on US critical infrastructure.
However, two years on, the ransomware threat to critical infrastructure remains high, as a recent attack on America’s largest cold-storage provider, Americold, showed. The attack, like the one on Colonial Pipeline, forced Americold to shut down cold-storage operations while it worked to remediate the threat. Last year 870 of the 2,385 ransomware complaints that the FBI received involved critical infrastructure organizations. The FBI’s data showed 14 of the 16 designated critical infrastructure sectors had at least one ransomware victim.
The trend continues unabated in 2023: BlackFog’s State of Ransomware Report for April 2023 showed ransomware attacks on the healthcare and government sectors continuing to grow, despite other vendor reports of a slowdown in overall attack volumes.
Unfinished Business
Security experts view the situation as one where for all the work done so far, there’s a lot more to do.
Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House, ticks off several measures since Colonial Pipeline that she considers positive steps in the fight against ransomware. They include President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity, National Security Memorandum 5 targeted specifically at critical infrastructure control systems, and efforts to establish zero-trust cybersecurity models in federal agencies under M-22-09. Also notable are measures such as the Cyber Incident Reporting for Critical Infrastructure Act and the cybersecurity provisions in the Bipartisan Infrastructure bill.
The FBI’s systematic dismantling of the highly destructive Hive ransomware group is another indication of progress, Payton says.
What’s needed now, she explains, are more specific directives for critical infrastructure organizations. “We must evolve the minimum cybersecurity requirements for critical sectors [and enhance] standards for authentication and identity proofing to prevent ransomware incidents from occurring,” she says.
“Critical infrastructure organizations like Colonial Pipeline should adopt zero-trust principles to prevent ransomware attacks, especially as social engineering becomes more realistic, sophisticated, persistent, and complex,” Payton says.
To read the complete article, visit Dark Reading.