“This attack has exposed how poor our resilience is,” said Kiersten E. Todt, CEO of the Cyber Readiness Institute, a nonprofit organization. “We are overthinking the threat, when we are not yet doing the basics to protect our critical infrastructure.”
The good news, some officials said, was that Americans received a wake-up call. Congress came face to face with the reality that the federal government lacks the authority to require companies that control more than 80 percent of the nation’s critical infrastructure to adopt minimum levels of cybersecurity.
The bad news, they said, was that American adversaries – not just superpowers but also terrorists and cybercriminals – learned how little it takes to incite chaos in a large part of the country, even if they don’t break into the core of the country’s electrical network, or the operational control systems that move gasoline, water and propane throughout the country.
Something as basic as a well-designed ransomware attack can easily work, while offering plausible deniability to states like Russia, China, and Iran, which often turn to outsiders for sensitive cyber operations.
It remains a mystery how DarkSide first broke into Colonial’s business network. The private company has said practically nothing about how the attack unfolded, at least in public. It waited four days before having in-depth conversations with the administration, an eternity during a cyberattack.
Cybersecurity experts also point out that Colonial Pipeline would never have had to shut down its pipeline if it had been more confident in the separation between its business network and pipeline operations.
“There must be an absolute separation between data management and actual operational technology,” said Todt. “Not doing the basics is frankly inexcusable for a company that transports 45 percent of gas to the East Coast.”