# Colonial Pipeline One Year Later: Are Critical Infrastructure Operators More Secure?

Published by Scott Kannry

Earlier this month marked the one-year anniversary of the largest cyber-attack on US critical infrastructure. In May 2021, DarkSide cyber actors successfully targeted Colonial Pipeline with a ransomware attack that shut down parts of its 5,500 miles of gas delivery between the Gulf Coast and the nation’s East Coast. The pipeline, which transports millions of gallons of fuel a day to commercial gas stations, international airports, and military bases, went offline for nearly a week, causing chaos and panic throughout the region. The attack exposed several vulnerabilities within critical infrastructure and served as an alarming wake-up call to businesses and government officials. Even the average American began to understand that cybersecurity has real consequences for everyday life and that the threat posed by this historic attack goes “beyond the pump.”

Ultimately costing Colonial an estimated $5.5 million, the attack has been recorded as one of the most significant disruptions to our country’s critical infrastructure by cybercrime. After learning of the initial breach, Colonial immediately reached out to the FBI and US Department of Energy to begin working on a solution alongside cybersecurity and remediation experts at FireEye, thus ushering in what has been called a “new era” in cybersecurity: one in which the public and private sectors, Congress, and the American people must work together to fight the “existential threat” posed by hackers.

In the year since the breach, we’ve seen a “seismic shift” in how the federal government and private businesses have approached cybersecurity. CISA Executive Director Brandon D. Wales described the Colonial incident as a “galvanizing event for the country,” which has led to a marked change in “the tone and in the willingness to fully engage” in shoring up cyber defenses. Rep. Yvette Clarke (D-N.Y.), who chairs the House subcommittee on cybersecurity, infrastructure protection, and innovation, said in a statement to The Hill:

“Last year, Colonial Pipeline suffered a ransomware attack from a criminal hacking group, halting pipeline operations and crippling gas supply across the entire East Coast…This highly disruptive cyberattack and the related fuel shortages exposed glaring cybersecurity issues facing the nation.”

Clarke noted a “bias towards action” that Congress and other officials have taken since the Colonial event. That action has included:

  • President Biden’s May 2021 executive order to improve federal cybersecurity;
  • The Department of Treasury taking action against cryptocurrency exchanges that cybercriminals were using;
  • Bills put forth in Congress, including new reporting requirements for companies in critical sectors (attacks within 72 hours and ransomware payments within 24 hours);
  • The joint Homeland Security/CISA CyberSentry program to shore up the cyber resilience of organizations that own or operate critical infrastructure;
  • CISA’s stopransomware.gov – a catalog of known exploited vulnerabilities which consolidates information that companies can use to protect themselves; as well as
  • New authorities for both DHS and other interagency partners.

Most recently, the SEC has proposed a detailed amendment to its rules that would require public companies to disclose “material cybersecurity incidents” within four business days. The proposed amendment reflects the basic underpinnings of Axio’s platform: that cybersecurity is a problem that must be understood and managed from a business and financial standpoint. The measures outlined above and the new SEC proposal reflect what CISA has been encouraging companies to pursue all along. In order to protect critical infrastructure and financial investments, business decision-makers must understand their cybersecurity risk from an economic impact perspective. This viewpoint is vital to making the “right” decisions and prioritizing cybersecurity measures.

While the measures outlined above reflect heightened awareness and the greater level of cybersecurity engagement we need from the government and industry leaders, there’s still a long way to go. To achieve what Director Wales sees as a “baseline level of cybersecurity consistently across our critical infrastructure landscape,” we must contend with cyber threats from a risk-first approach. This approach aligns CISOs, executives, board members, and security team members with a shared understanding of the most important risks posed to their business. Axio’s platform is aligned with common risk-first frameworks such as NIST CSF and is designed to help decision-makers make informed business decisions, enabling them to maximize the ROI of their cybersecurity spending. With Axio’s Board of Directors Report, all levels of management can understand the business’s cybersecurity posture and interpret the technical details in financial terms. Axio’s generated reports are specifically designed to help business leaders unravel the most impactful risk scenarios specific to their company. Cybersecurity spending should be focused on the areas of greatest importance.

To learn more about how the proposed SEC Regulations may impact you and view examples of Axio’s Board of Directors Report, get our Axio Leadership Guide: Getting the Board Game Right. And if you want to see the Axio360 platform in action, try one of our 5 free assessments to evaluate your cyber program or request a demo of our full platform.