The ransomware attack on Colonial Pipeline, with the attendant loss of ‘almost half’ of the eastern seaboard’s fuel supply, and the ensuing declaration of a state of emergency, is as vivid an illustration of the danger of failure to protect national infrastructure from hackers and ransomware as one could hope to get.
It is not for us to make observations to the United States about their approach to cyber security policies. But this incident does show the importance of the Network and Information Systems Regulations for this country and the member states of the EU.
The NIS directive was the less well known twin of the GDPR regulations, which came into force around the same time, in 2018. Under NIS, companies that own, manage or operate more than a certain percentage of a critical infrastructure, e.g. water distribution, fuel, transportation or food, are designated ‘Operators of Essential Services’ (OES) and are required to take additional measures to ensure that their networks and systems are resilient against a cyber attack. These OES are scrutinised by their respective part of government in tandem with the National Cyber Security Centre. If their systems do fail as a result of an attack, and it is found that they failed to protect them adequately, they can be heavily fined.
But relying on the private sector to police itself, to judge whether its own implementation of government standards is appropriate, will not work. The incentive to invest in cyber security measures is low because the evidence is insufficient to persuade sceptical boards of the need to invest more than the minimum – it is a cost, after all. And it is often the case that companies providing an infrastructural service lose sight of their importance to the end customer – the person at the fuel pump – as opposed to the onward distributors of the product several steps further up the chain.
While a €17 million fine under the NIS directive is unappealing to most companies, as well as being potentially fatal to smaller ones, it can be almost dismissed by the very large as a cost of doing business. It is time that regulators got tougher with companies that own or operate a critical part of the national infrastructure: food, fuel, transportation, electricity.
Ransomware is a fact of life, but it can be dealt with. Its success depends on three things: poor staff and management training around cyber security in general and ransomware in particular; continued payment of ransoms, allowing bad actors to persist in their belief that the return on investment makes the detection risk manageable; and the poorly configured and unpatched systems that allow these exploits to succeed.
The fact that the eastern seaboard of the US is facing a fuel shortage should be proof enough that something failed at Colonial Pipeline. Maybe they were just unlucky. For UK infrastructure providers, and infrastructure providers everywhere, this is an object lesson: do not be tempted to sacrifice the integrity and availability of critical elements of the national infrastructure on the altar of shareholder return.
Instead of paying bonuses and dividends, invest in your people, your processes and your systems – they can be your greatest defenders. Just hoping the bad actors will not find you is no longer a valid defence. Making your systems difficult to enter, hard to navigate and tricky to exit without being exposed is critical. Talk to Astaara.
#Astaaracyber #Astaarariskmanagement #resilienceandrecovery