By Francis Cianfrocca, CEO and Founder
The Colonial Pipeline hack may finally be the wake-up call that cybersecurity experts have been waiting for. A number of recent attacks have targeted vulnerabilities in OT, ICS, and supply chains, but they have mostly been of the “hybrid” variety (crossing over to create their impacts in the IT realm). Colonial is perhaps the first attack that generated widespread and highly visible impacts directly in the cyber-physical realm.
It’s long past time for this class of attack to be recognized. It’s not the nature of the impact that matters (although ransomware and how to respond to it are a good subject for another blog), but the fact that defenses against cyber-physical attacks are incredibly weak and inadequate. This has been a screamingly urgent problem for years now.
A relatively small subset of cybersecurity professionals specialize in the unique risks to industrial processes and critical infrastructure. An even smaller set focus on the national security aspects. Having trained a good number of these people myself over the past five years, I can tell you for them that the cyberthreat to OT and critical infrastructure is of extreme concern because of the openness of these systems to attack.
They are in near-despair over the difficulty of getting business and government leaders to recognize this exceptional risk to revenue, safety, and our economy as a whole. After Colonial, such willful blindness should not be acceptable.
Other aspects in the risk equation are the knowledge required to exploit industrial cyber-vulnerabilities, which is high, but not at all beyond the reach of nation-states. Another aspect is the motivation of the attackers. Once restricted to nation-states, who will hold their fire until we go to war, the requisite knowledge is now filtering down to the criminal class of cyber-attackers.
This development makes the overall threat far more urgent but not less dire. The nation-state threat is pervasive. Our adversaries know more about our critical infrastructure than its owners and managers do. THIS SITUATION MUST END.
The very biggest problem here is that the owners and managers of cyber-physical systems have been unwilling to see these vulnerabilities as critical and uniquely dangerous. Cybersecurity professionals have been tearing their hair out over this for years now. We must stop accepting that “doing more with less” is just the way our business works. If corporate risk managers, CEOs, and directors aren’t willing to address this critical risk, then perhaps regulators must step in.
Along with the now-obvious risks, the Colonial episode highlights another extremely salient aspect of the problem: the lack of up-to-date technology. The bad guys are pulling ahead, but today’s risk managers are making do with an older generation of tools sold by deeply-entrenched vendors who see cybersecurity as a cash-cow business and thus feel no need to fundamentally upgrade their products.
As a result, cyber-defenders are stuck with tools like firewalls, SIEMs and vulnerability scanners that cost embarrassingly more than the value they deliver. Plus, the antiquated methodologies required by these old-fashioned vendors and tools require armies of trained experts, who are in very short supply. The fact that none other than Colonial has been struggling to fill senior cybersecurity positions in recent months shines a bright light on this problem.
We need two things, immediately:
1. Better toolsets, based on artificial intelligence and deep behavioral analytics, that can STAY AHEAD of the bad guys instead of merely cataloging vulnerabilities that were old-hat three years ago; and
2. We need senior leaders, directors, regulators, and governments to light a fire under us all and start spending the money needed to fix this problem.