This Isn’t a Wakeup Call, The Phone Has Been Ringing for Years
Georgia-based Colonial Pipeline, which is the largest U.S. fuel pipeline system, was shut down Friday, May 7th, because of a ransomware attack.
Recently, I have shared articles about the danger of cyberattacks on Operational Technology (OT) systems deployed in the Oil and Gas, Energy, and Manufacturing industries. As I worked to build a security program at a Fortune 500 steel manufacturing company, I felt like I was running against the threat of a cyberattack at all times. Our steel mills were now being operated by computers and software, not humans and large levers. When I witnessed my first ransomware attacks demanding bitcoin payment in 2016, I knew it was just a matter of time before these attacks would be felt by entire companies, cities, and now, possibly a region of the United States.
Articles released this weekend about the Colonial Pipeline attack have characterized this event as a “wakeup call” for other companies regarding the threat of ransomware or other cyberattacks. I’m sorry to say, but the phone has been ringing off the wall for years with large-scale ransomware attacks. Most security leaders remember May of 2017, when over 232,000 computers around the world were infected with WannaCry ransomware in one weekend. The following year, we watched as the City of Atlanta attempted to restore their systems from backups. The original ransom demand was $51,000, but the city government spent over $2.7 million in recovery services. In 2019, we continued to see ransomware attacks on city governments, hospitals, and educational institutions. In March of 2019, Norsk Hydro, a global aluminum manufacturer with operations very similar to my company's at the time, was brought to a standstill when a ransomware attack shut down 170 plants in 40 countries. The executives at my company and I watched closely as Hydro attempted to restore operations from backups, which took over 3 weeks and eventually cost the company almost $71 million.
Ransomware attacks have not stopped or slowed down. Organizations used to rely on restoring systems from backups to avoid paying the ransom, but now cybercriminals are using an organization's stolen (often sensitive) data as extortion leverage to collect the ransom payment.
Throughout 2016 and 2017, I spent quite a bit of time “selling” the need for investment in a cyber program to protect the organization "if" it became a victim of a cyberattack or data breach. Having a cybersecurity program should no longer be optional; organizations must face the fact that a security program that includes cybersecurity, information (data) security, and privacy is now a planned part of an organization’s operating budget. Cybersecurity is now a top risk to an organization regardless of industry, location, or size. An organization’s cybersecurity budget should no longer be a line item of the IT budget.
I have heard business leaders state that they can’t afford a security team at their company. In this climate of supply chain attacks and escalated, targeted ransomware attacks, companies can't afford not to invest in a security program. If a company cannot afford a dedicated team, there are Managed Security Service Providers (MSSPs) who can provide the necessary measures to protect an organization’s operations, data, and customers. Proactive security will always be more effective than the call to the “third party” to help an organization recover from an attack.
I wish Colonial Pipeline a swift and thorough recovery, and I hope that we all continue to apply lessons learned from this latest attack.
Author and Technologist
4y: Agreed and said the same in my book in 2016. This started with the Cuckoo's Egg and Farewell Dossier and is just easier now due to complexity, connectivity, and access. In our cyber programs we found it takes an undergrad with a couple months of training to develop "APT" level attacks including zero-days, RATs, covert comms, etc. BTW - APT is just a term that managers can use after they get compromised - "It wasn't our fault, it was an APT."
Founder at IncentiveLLC
4y: https://www.linkedin.com/posts/atticus-raven-b125578_things-you-should-know-activity-6798618491499941888-RsVT
Technologist | Educator | Servant Leader | Cybersecurity Program Manager | Driving Ethical AI & Strategic Impact | Author | AIGP | CIPM | CISM | PMP
4y: There is a saying in the cybersecurity industry... It's not IF you get hacked, but WHEN you get HACKED...
Designer/Growth Partner, Brand Cultivation
4y: 👍 Thanks for drawing much-needed attention to this. (Although, as you point out, attention has been on this for years.) Although not directly in IT or Security, I've been close by for many years. Almost without fail, I'm utterly dismayed by the attitude many—if not most—company leaders have regarding security. Kudos to those who take it seriously enough to be proactive! As we're experiencing across the southeast, the downside of not addressing the issues can be staggering. And, as pointed out below, it could be much worse. Keep up the great work.