Energy pipelines are finally getting more respect and attention because of the Colonial Pipeline (CP) ransomware incident. We have been foreshadowing an event of this magnitude for several years. We have worked with many major energy suppliers to identify and model major risk events like the one suffered by CP as a basis for prioritizing their security and resilience investments. We are privileged to sustain trusted relationships with energy and utility organizations and trade associations, and we continue to unwaveringly stand by and support their complex cybersecurity needs. We have deep compassion for CP and we applaud the countless and heroic hours their team spent to restore operations.
It is unfortunate how last month’s panic and fear underscored the importance of assessing and preparing for cyber events for energy and utilities. 45% of country’s fuel is at risk became a strong and persistent media sound bite. Global 24/7 news coverage quickly shifted to finding the answer to the question, what could have been done differently? The word resilience kept being repeated in conversations with subject matter experts. When discussing the safety of our country’s critical infrastructure, cybersecurity leaders emphasized the necessity to understand impacts of the CP ransomware event ahead of time: physical, financial, and economic.
Cybersecurity has never been just about protection and defense. Our team said this a decade ago, when they designed and built the CERT Resilience Management Model (CERT-RMM) at Carnegie Mellon’s Software Engineering Institute. CERT-RMM is the foundation upon which many subsequent cybersecurity frameworks like CMMC have been built, and we envision its comprehensive coverage and structure to remain a beacon for effective cybersecurity and resilience strategies.
Appropriately, the conversation at RSA this year has been all about resilience as well, 100% aligned with Axio’s mission to solve cyber risk. While most cybersecurity vendors will focus on critical technologies for protection and defense, we continue to focus on sound cybersecurity and resilience strategies that drive investment in people, process, and technology to ensure enterprise leaders can sleep well at night, knowing their organizations are prepared and will survive. When you understand how much is at stake and why, the optimal investments in counter measures and risk transfer become clear.
It is important to remember that pipeline security events are not a new occurrence. Past events are often strong predictors of future risks. In 2018, a supply chain attack disrupted a customer transaction service for a network of U.S. natural gas companies—Texas-based Energy Transfer Partners, LP. The entire pipeline was shut down due to this IT-based, third-party event. In our interconnected cloud-first world, operational dependencies between IT and OT systems can quickly lead to operational impacts if not identified and planned for in advance. Examples of IT dependencies for OT operations include:
- The inability process customer orders.
- The inability to generate customer bills.
- The inability to view and manage projects/customer workstreams.
How did the CP attackers infiltrate the network? That information is yet to be determined and/or disclosed. What we do know is that the ransomware was deployed on the IT network. The CP event emphasizes how IT threats to an energy company can have monumental consequences to the function of operational technology (OT), causing an immediate disruption to business operations.
There are things you can do today to ensure your OT business operations remain functional even if your IT systems are compromised. If you want to see how to understand the impacts unique to your particular organization, and get the proper recommendations for improvement, we welcome you to get started in Axio360 Platform to assess your cybersecurity gaps and begin our Ransomware Preparedness Assessment.