What is Infrastructure? The Colonial Pipeline Cyber Attack Tells Us

John McCumber

John McCumber is a cybersecurity executive, retired US Air Force officer, and former Cryptologic Fellow of the National Security Agency. In addition to his professional activities, John is a former Professorial Lecturer in Information Security at The George Washington University in Washington, DC and is currently a technical editor and columnist for Security Technology Executive magazine. John is the author of the textbook Assessing and Managing Security Risk in IT Systems: a Structured Methodology

Related Post Roulette

17 Responses

  1. Oscar Gordon says:

    Well, this is well timed, given the discussion starting on another post.

    So, was this a technology hack, or social engineering (i.e. DarkSide got someone inside to execute their ransomware for them, as opposed to DarkSide finding a security exploit through a firewall and gaining execution privileges on workstation)?Report

  2. Philip H says:

    In the intervening years, what hath our documents and partnerships wrought? The CEO of the private entity gets a photo-op with a senior government wonk as they shake hands over a piece of paper destined for long-term storage along the lines of the ending of Raiders of the Lost Ark. With all these documents and partnerships, one could be forgiven for wondering how a relatively basic ransom ware attack in 2021 was so successful against such a vital national target as a major oil pipeline.

    Many of us wondered the same thing about Russian troll farms interfering in the 2016 election, but we were poo-poo’ed because the Russians conveniently didn’t need to actually manipulate any votes to achieve their objectives.

    That aside, most public-private partnerships at the federal level still focus on what the private sector can gain at minimal cost to tax payers. And in the cyber realm, we really are not grappling nationally with threats as they are. There’s also the inconvenient issue that the federal government can’t pay as well as Google or Amazon Web Services, so we can’t recruit the best and brightest to work for the public good. That in turn means that the government isn’t well positioned to push back on the private sector when said private sector assures us “they’ve got this.” We only get the call when they don’t.Report

    • Oscar Gordon in reply to Philip H says:

      I could be wrong, but it always seems to me that the problem with public-private is that the public never holds the private accountable. When the private drops the ball, the public doesn’t go in for it’s pound of flesh, but instead kinda shrugs it off, and spends $$ and time writing up documentation on how to avoid it in the future, and those docs wind up in a doc vault in an old mine, never to be implemented.

      And when I say these things, I’m told private companies would never enter into such agreements if they were truly held accountable, even though they enter into such agreements with other private companies all the time.Report

  3. John McCumber says:

    I have lots of insider knowledge here. It’s rarely one or the other. It’s simply incompatible systems being asked to work together.

    True story: I met with a federal agency once who was working on such an agreement where private companies would send consultants out for ten days each to provide security consulting to smaller government entities. These private companies were charging up to $500/hr for their best consultants. Guess the quality of consultant the government received….

    Government had to dial back to 10 days of consulting for each engagement with these interns and bottom-rung consultants – barely enough time to locate the restrooms at the client site. The system never. ever worked as desired by the government.Report

    • Philip H in reply to John McCumber says:

      Let me guess – Firm fixed price contract with escalation clauses that the vendor expected to be exercised when it failed to deliver? And I’m going to guess the agency in question didn’t bother to do the paperwork to get these folks flagged in the federal contracting systems? Or for that matter never actually read the contract to see if the billed rate would actually result in the desired expertise? As a fed who does environmental science and personal services contracting periodically, I am always amazed at people not actually reading the bid package and then acting surprised when we don’t get what we wanted.Report

  4. Jaybird says:

    Apparently it was Boob Phishing.

    Report

    • InMD in reply to Jaybird says:

      Oh wow that is just excellent. I sent it to my cousin who is a CSO. Definitely going to give him a heart attack. I guess we all better update our phishing simulations for accuracy. Not exactly a fake e-mail from Bank of America.

      Also apparently every gas station anywhere near me is completely dry. I thought we were supposed to be leaving all of this behind in 2020.Report

      • Philip H in reply to InMD says:

        Yes well blame the people buying gas in trash bags for that. If people had stuck to their normal patterns we would have been fine. There’s storage at the end of each pipeline node and every gas station gets delivery based on orders which are based on use. No one would have run out if there hadn’t been panic buying.Report

    • Oscar Gordon in reply to Jaybird says:

      Our IT security group occasionally sends out real a$$hole phishing emails. They really look like emails from internal accounts, and all the links look legit, often only off by one character.

      I mean, internally, it would help if we didn’t have 5000 different internal domain names, which makes it real easy to make a link look legit.

      But CANSas? Seriously? I’d fire someone for that one.Report

  5. Kazzy says:

    Is this the kinda thing where anyone in the cybersecurity industry with half a brain could identify a solution to this that we could be confident in for the foreseeable future?
    Or is this the kinda thing where the bad guys are always going to be ahead of the good guys so unless we want to invest TONS in managing that, we just need to prepare for inevitable situations like this?

    If it is neither of those, which one is it closer to?Report

    • JS in reply to Kazzy says:

      “Is this the kinda thing where anyone in the cybersecurity industry with half a brain could identify a solution to this that we could be confident in for the foreseeable future?”

      Yes, but it’s expensive and would annoy users, and what are the odds that their company will suffer a problem before upper management cashed out their options and moved elsewhere?

      I mean some of it you can’t close — social engineering attacks. You can just train as best you can, do white hat attacks, and fire the dumbest people — or at least ensure the only thing they can open access to isn’t a problem for company.

      Other stuff, like building from the get-go with security in mind, keeping machines patched and up to date, running regular white-hat attacks or at least scanning your own password DB’s with simple scripts against stolen password databases and dictionary attacks, it’s all time consuming and costly and seems to offer no ROE while making employees complain about having to keep track of a keycard or token.Report

  6. Michael Cain says:

    Seven months ago we moved to a new city. The city has a municipal power utility. Our city and three other municipal utilities are the owner/customers of a power authority that generates and purchases electricity (also sells excess at times) and operates a transmission network. In 1999 the power authority recognized that they were going to have to put up a lot more sensors and control gear to handle things in the future. They bit the bullet and strung their own fiber so the control data network is physically separate. That doesn’t make it immune to outside hacking totally, but someone has do something wrong at the physical layer to open it up.

    The power authority also said to the owner/customers, “You know, we’re basically building fiber rings around your cities. Labor is much more expensive than the fiber itself. Perhaps it would be good if we put in big bundles of fiber and you could rent back the excess for whatever.” Three of the cities have 144-pair fiber rings; the smaller other, which has come damned close to being washed away or burned out in the last decade, has a 72-pair ring. The city my son lives in has finished their municipal high-speed internet build out. Mine is about half through. When they are done, I’ll be able to get symmetric 100 Mbps service for $48/month.Report