
Colonial Pipeline: the flaw known before, the new regulation, the lawsuit, and the trend

Let’s start by highlighting a piece over on the MIT Technology Review. Here’s your summary: on January 11, Bitdefender announced a flaw in the ransomware that DarkSide was using. Companies could download a free tool from Bitdefender to avoid paying ransoms. The company, however, was not the first to find the flaw. Two security researchers had already noted it, and were looking for victims to help… discreetly. Bitdefender’s announcement did not go unnoticed by DarkSide, who publicly thanked the company in a statement. “Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.” And DarkSide unleashed a string of attacks… including on Colonial Pipeline. Link in the show notes.

Speaking of Colonial, the Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry. Per the Washington Post, “The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.”

Unrelated, a putative class action suit has been filed against Colonial Pipeline Co., charging that the company’s negligence led to the ransomware attack that caused its pipeline to be shut down and gas prices to increase.

Finally, FireEye has released new research highlighting that attacks against operational technology and control systems are increasing, but that the attack methods are not sophisticated.

Why do we care?

Three reasons. First, regulation. This is the process. The government first sets out guidelines which are optional, such as all of the guidance from NIST. Then, it makes that guidance required when industry itself doesn’t fix it. If you’re crowing that you don’t want government to step in and that industry self-regulates… here’s evidence that isn’t true. If the industry self-regulated, it wouldn’t have this problem. The incentive structure isn’t there… just like the cheapest solution to waste disposal is dumping it in the river. Society likes clean water, so government says you can’t do that.

The second reason we care: security software companies are playing a PR game to tout their own solutions, and they are doing so with no skin in the game. Let’s say a Bitdefender customer is breached… do they have any actual skin in the game for the damage? I’m picking on them because of this sequence of events, but don’t think they’re alone. I’m not advocating security by obscurity; keeping everything secret as protection doesn’t work. That said, did that press release help customers?

Third, negligence. I made the prediction for this year that criminal negligence charges would be appearing over security incidents. This isn’t quite that level (yet?), but it’s not hard to spot the trend here. Why we care is risk management. IT services companies are assuming this risk… and are the last ones holding the bag if something goes wrong. That pressure is going to grow unless the dynamic changes.

FireEye’s report tells the key story: these attacks are not sophisticated. In many cases, the basics aren’t done. Do the basics, and know that taking on a customer who won’t take your guidance is more dangerous than it’s worth.