Colonial Pipeline Cyberattack Fuels Questions, Comments, and Concerns

When I first saw the news Saturday morning about the ongoing ransomware attack on Colonial Pipeline Co., my thoughts immediately turned to my work with boards on cybersecurity: what should board members be asking the C-suite about cybersecurity in light of an attack of this magnitude?

But my thoughts rapidly moved from theory to practice: I happened to be traveling across the Southeast when the US Department of Transportation announced that fuel could be delivered by trucks outside of restricted driving hours in states that might be impacted by fuel shortages. (Colonial is the largest pipeline supplying gasoline, diesel, and jet fuel to the East Coast.)

The rest of the weekend was spent checking Twitter for more information and wondering what might be happening at the gas stations on the route back to DC—and, of course, what might be happening inside Colonial’s boardroom and its server rooms in Alpharetta, Georgia and along the East Coast.

The Colonial Pipeline attack is just one example of the wide-ranging impacts—to companies, their customers, and the general public—of what former Cybersecurity and Infrastructure Security Agency director Christopher Krebs called a “ransomware wknd.”

But how does this attack compare to, say, 2020’s SolarWinds hack? I reached out to Nora M. Denzel, a director at Advanced Micro Devices, Ericsson, NortonLifeLock, and Talend, and soon to be a member of NACD’s own board, for her perspective. “Colonial Pipeline was a targeted attack against a single company to get ransom. The SolarWinds hack was a supply-chain hack perpetrated against thousands of companies and government agencies,” Denzel said in an email interview. “We may never know the whole extent of the SolarWinds hack nor how and when computers will malfunction because of it. It’s like the difference between having one, self-contained malignant tumor that can be removed by paying a ransom and having many, many benign tumors that can become cancerous at any time and whose whereabouts are largely unknown.”

“As a board, our job isn’t to predict the next big risk that will occur, but to ensure that the time between the event and recovery from the event is optimal,” Denzel continued. This in mind, board members of companies of every size and sector can do their part to secure their enterprises by asking four key questions:

1. Has our company patched the known vulnerability that led to this ransomware attack? Per a statement to the press by Anne Neuberger, deputy national security advisor for cyber and emerging technology, the US Federal Bureau of Investigation (FBI) released an email “Flash Alert” to critical infrastructure owners and operators with details necessary to mitigate the issue—which has been known since October 2020—that led to the attack. The specific issue was identified as the DarkSide ransomware-as-a-service variant, Neuberger noted.

In a ransomware-as-a-service attack, a malware developer shares its malware with criminal gangs who then use it to attack others. “I think of it as ransomware at scale using this model—the attacks will come more often and become more sophisticated,” added Denzel. Neuberger, meanwhile, said that agencies are working together to decrease the effectiveness of ransomware, “and that begins with greater resilience, particularly within critical infrastructure networks.”

2. What is the state of the backup of our company’s critical data? “We’ve moved from thinking about a single black swan to thinking in terms of banks of black swans,” said Denzel. “Boards need to understand the resiliency of the company. How fast can a company get back to normal once disrupted by a cyber event?”

Indeed, ransomware attacks on private-sector organizations have dramatically increased in conjunction with the start of the COVID-19 pandemic. Does your company’s security C-suite have key data securely backed up in the event that the data is held hostage by encryption?

3. Does our company have a policy in place regarding ransomware payment? As a privately held company, Colonial is not required to (and has not) disclosed if it paid a ransom. In the past, the FBI and other agencies have advised against paying ransoms, although the growth in adoption of cyberinsurance policies and other risk mitigation practices complicates the blanket “avoid payment” advice. Neuberger indicated that the federal government is reconsidering its advisory policy as a result and said there are ongoing discussions about creating national guidelines on ransomware payment.

4. In the event of an attack, does our information security team know who in the federal government to turn to for assistance? As of midday Monday, Colonial had not accepted the help of the federal government to mitigate the ransomware attack. However, it was cooperating with key regulators at the Department of Energy and with the FBI to safely restore operations of the pipeline and understand whether the ransomware attack breached the company’s industrial control systems.

This attack will only increase the likelihood of greater regulatory attention, which will impact the work being done by your board and security teams, and NACD invites its director community to commit to deeper cybersecurity understanding to help turn the tide toward resilience. Join us at the Cybersecurity Continuous Learning Cohort on June 2 and 3 for our kick-off Foundation Program; you can attend this program alone or alongside several months of additional programming that includes virtual briefings, a tabletop exercise, and a self-paced course.

At the kick-off event, you’ll hear from Denzel as she interviews author and New York Times cybersecurity and espionage investigative reporter Nicole Perlroth; have the chance to ask the “good guys” at the US Secret Service and FBI your questions about getting ahead of attacks; participate in breakout sessions on topics such as the growing intersection of cybersecurity and physical security; and better understand board-level principles for building resilience for your own company and for organizations around the world and across the United States.

In the meantime, Denzel notes that boards should assess the full spectrum of cyber risk: not only prevention, but more importantly the detection of cyber risks and having a plan in place for once an attack occurs. And as the proliferation of cyberattacks will cause directors and officers insurance premiums to increase dramatically, boards should lock in their rates sooner rather than later and ensure that the policies are robust enough to cover more destructive and longer-lasting incidents.

Also consider setting up a Zoom chat with your friendly local chief information security officer and audit committee chair to discuss the questions above. They might be busy directing the patching of your networks, but forewarned is forearmed, and it would be a video chat well spent.