Stakeholder coordination still needs improvement a year after Colonial Pipeline attack

Nearly one year to the day since the Colonial Pipeline ransomware attack, U.S. officials say that cybersecurity coordination between the federal government and critical infrastructure is much improved, but departments and agencies are still working through how to coordinate their regulatory pushes with other stakeholders in and out of government.

The attack on Colonial Pipeline’s IT network by the DarkSide ransomware group last year, which pushed company officials to temporarily shut down operations, was followed in quick succession by ransomware attacks against major food supplier JBS and IT management software company Kaseya and thousands of its customers. Those events underscored how even discrete hacks of individual strategic infrastructure can cause broad disruption throughout the global supply chain. It also spurred the Biden administration and policymakers in Congress to take a much harder line when it came to regulating the cybersecurity of critical infrastructure entities.

“I think there were many [people] that were surprised by the fact that a ransomware attack on an IT system could result in the total shutdown of a major piece of infrastructure,” said Jason Tama, director of resilience and response at the National Security Council, said Wednesday at Hack the Capitol, a cybersecurity policy conference focused on industrial control systems.

That, in turn, led to new federal regulations last year touching a number of critical infrastructure sectors, including pipeline owners and operators, as well as the water and wastewater industries. But those requirements (which include mandates for companies to report hacks to the government and set up and test their own incident response plans) have come under criticism from some stakeholders who say they do not take into account the operational or technical realities of their individual sector and may hinder their ability to keep services up and running.

Others have argued that certain critical infrastructure entities, particularly smaller companies, face more basic resource, training and workforce challenges and need help, not fines or regulatory punishment, to address them.  

“No amount of regulation will help if a water system operator is unaware of the importance of basic cyber hygiene,” Steve Mustard, an ICS security consultant and board member for the Mission Critical Global Alliance, wrote this past February. “Furthermore, regulations place another burden on an already thinly stretched workforce. Regulation without training or support is not only ineffective, but it also distracts from addressing the real issues affecting a public water system.”

Takeaways for critical infrastructure, feds from Colonial Pipeline attack

When asked what if any lessons the federal government took away from that experience, Tama said the scramble to respond to the Colonial Pipeline attack and other incidents resulted in a multi-pronged response from the White House and different agencies. Tighter coordination of that process, as well as working closer with sector-specific agencies and industry stakeholders, will help develop more custom-fit regulations.

“If you’ve seen one sector, you’ve seen one sector: pipelines is different than water is different than medical. I really like [the emphasis] on critical functions, which is how we think about it at the White House,” Tama said in response to a question from SC Media. “I come back to my broader point on taking a look at our infrastructure protection framework. We constantly need to stress test that, we need to evaluate that, trust in our departments and agencies that have the expertise in those sectors to mitigate the risks that they best can working in close partnership with industry … and you balance that with frankly limited authorities and capabilities that vary by agency, and so sometimes that ends up in a little different approaches based on the authorities you have to try to put the finger in the dike.”

The Cybersecurity and Infrastructure Security Agency (CISA) is the civilian federal government’s primary vehicle for engaging and coordinating with critical infrastructure, but it has little regulatory power itself and so often must accomplish its goals through cooperation and coordination with both individual companies and designated sector risk management agencies.

Daniel Bardenstein, a tech strategy and implementation lead at CISA, said that there are some foundational cybersecurity performance goals that apply to most critical infrastructure sectors. Beyond that, improving the coordination process to give each stakeholder more time to weigh in and add their perspectives has been “a mission” for him and his team.

“There have already been cases where we become privy to efforts across government to bring some sort of harder hammer down from a cybersecurity perspective, and we can see the dots and connect to that and say, ‘Hey, how do we take a quick pause and make sure we’re aligning on these efforts before we have many different expectations across many different sectors?’” Bardenstein told SC Media. “Some [agencies] are much more well equipped, well-staffed and knowledgeable than others, and so there’s a bit of an asymmetry there.”

With Russia engaged in an ongoing shooting war with Ukraine and sanctions stand-off with the West, U.S. policymakers and cybersecurity experts have been urging vigilance as they brace for the possibility of increased volumes of ransomware attacks on U.S. critical infrastructure. While there’s no evidence yet that such attacks — which have been steadily ramping up for years, well before Russia’s invasion of Ukraine — are being intentionally targeted in retaliation, experts say the financial realities of ransomware make another Colonial Pipeline almost inevitable.

“I do think we’ll see another similar type of incident, because there’s been a full realization that operations that tolerate little-to-no physical down are lucrative targets,” said Danielle Jablansky, an operational technology cybersecurity strategist for Nozomi Networks, which focuses on industrial control system cybersecurity.