Colonial Pipeline Hack:
Failure in Risk Management
Colonial Pipeline Hack: Introduction
Colonial Pipeline, a major U.S. energy company, was hit with a ransomware cyberattack on May 7th, 2021, which forced it to halt all operations on its major pipeline that delivers roughly 45% of all fuel consumed on the east coast.
Why was this a case of negligence? Risks for all business scandals, like the one at Colonial Pipeline, are always known months in advance, making the consequences preventable. For example, a forensic finding made during an evaluation of Colonial Pipeline noted numerous known and preventable vulnerabilities, such as unpatched and outdated systems, that likely led to the security breach.
Ransomware attacks, in which hackers lock up computer systems (usually by encrypting data) and demand payment to free up the system, are a global problem regardless of size or sector. In recent years, these attacks have affected everyone from banks and hospitals to universities and municipalities; almost 2,400 organizations in the United States were victimized last year alone.
The CEO of Colonial Pipeline disclosed that they needed to pay the ransom because they were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back. The less prepared you are when responding to an incident, the more likely you’ll be forced into paying ransom. That’s why insurance premiums are increasing exponentially for those organizations that cannot provide evidence of an effective ERM program that has strong controls and a robust Incident Response program.
Adhering to compliance regulations, while important, is only the minimum operational standard. Even if your organization is operating in full compliance with all laws and regulations, you’re not protected from poor outcomes or liabilities due to negligence. Most energy sector compliance regulations are focused on the energy production equipment and the environment, leaving the business operations side without regulatory scrutiny. As with this case at Colonial Pipeline, the demandware that shut down the pipeline was likely from their business operating environment, which interfered with them from operating the production side where regulatory compliance oversight is currently focused.
With strong Enterprise Risk Management (ERM), nearly 100% of all liabilities can be avoided. ERM fosters effective governance programs that identify and prevent system misconfigurations, poor patch management practices, and weak password management. These are just a few examples where highly skilled systems and network administrators commonly commit unintended mistakes.
Here are 5 areas susceptible to major human errors that cause liabilities due to negligence (liabilities that are entirely preventable with ERM):
Effectively responding to incidents allows swift notification and subsequent remediation action to prevent small incidents from becoming major disasters. There are different notification requirements for each state, federal and international jurisdiction. A failure in your incident response can cost you 4% of your annual revenue.
To prevent liabilities when a business continuity event occurs, it’s critical to take a risk-based approach. This ensures that you understand what the most critical processes to your organization are that need to be prioritized to get back up and running to minimize impact. Having evidence of an effective ERM program that includes business continuity planning, such as having back-ups that are secure and regularly tested, not only minimizes downtime, but shows that you took action to prepare for a damaging incident like a demandware attack. This is especially important when considering the additional scrutiny and cost of SOC II and regulatory audits that are based largely on the strength of an organization’s ERM program.
3. Risk Assessments & User Access Reviews
Having a password policy is not enough; studies show that 60% of employees reuse passwords across various online platforms, share passwords with others, save passwords to their computer, use obvious passwords, or fail to update their passwords regularly. Strong Enterprise Risk Management with processes for reporting on tasks, backed up with workflows, escalations, and sign-offs, ensures managers review passwords on a regular basis and escalate issues and track these issues to resolution. This will also uncover poor management of privileged user accounts. High privilege accounts are sometimes poorly managed, especially those belonging to admins. They are protected with inadequate security controls, and in some cases are rarely updated. Having multi-factor authentication also limits unauthorized users to access data. Admin accounts should also be limited to alter or access only a few specific sections of the entire infrastructure.
Unauthorized users having access to corporate devices is an extremely common and preventable cause of negligence. Surveys show that 55% of professionals let their friends and family members access their employer-issued devices. This can be mitigated with clear policies requiring attestation by users and ensuring corporate devices have two-factor authentication to access sensitive data.
Misdelivery and accidental disclosure of Protected Health Information (PHI) is entirely preventable. Employees sending an email containing PHI to the wrong recipient is common without proper controls in place. Enforcing encryption can help against accidental disclosure. Consider using pop-up dialog boxes to help remind senders to double-check the recipient’s address, especially when sending sensitive data. Furthermore, using Data Loss Prevention (DLP) solutions can help limit information leakage when data is sent out of the corporate circuit.
Conclusion
No matter your industry, size, or geographic location, falling victim to a cyberattack is devastating on all fronts – and the last thing you’ll want on your plate in the wake of a crisis is a legal battle for claims of negligence.
Implementing sound Enterprise Risk Management helps you increase the effectiveness of your risk mitigation strategies by engaging all departments in your efforts. By preventing human error, you’ll keep your organization better protected from cybersecurity threats and negligence, and ultimately better prepared for success.
About the Author: Steven Minksy
Steven Minsky is a recognized thought leader in risk management, CEO, and Founder of LogicManager. Steven is well known for his precinct abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services, and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.