X
Tech

US pipeline ransomware attack serves as fair warning to persistent corporate inertia over security

That companies continue to disregard the need for basic cybersecurity hygiene signals the need for firmer action, especially as cybercriminals turn their focus to operational technology sectors and cyber threats can result in real-world physical risks.
Written by Eileen Yu, Senior Contributing Editor

Organisations that continue to disregard the need to ensure they have adopted basic cybersecurity hygiene practices should be taken to task. This will be critical, especially as cybercriminals turn their attention to sectors where cyber threats can result in real-world risks, as demonstrated in the US Colonial Pipeline attack. 

In many of my conversations with cybersecurity experts, there is a shared sense of frustration that businesses still are failing to get some of the most basic things right. Default passwords are left unchanged, frontline staff and employees are still falling for common scams and phishing attacks, and major businesses think nothing of using technology that are decades old

Just this month, UOB Bank revealed an employee had fallen prey to a China police impersonation scam that compromised the personal data of 1,166 customers, including their mobile number and account balance. This specific impersonation use case had been flagged as a common scam tactic and even featured in a crime prevention TV programme months before. That an employee of a major bank still could have fallen for it is shocking. 

It begs the question whether its frontline staff or any employee with access to customer data has been adequately trained as well as regularly updated on how they should deal with potential cyber threats. 

Should such inertia continue to fester, there's real cause for concern ahead especially as cyber attackers turn their attention towards operational technology (OT) sectors, such as power, water, and transport. As it is, businesses seem ill-prepared to cope with the growing threat. 

Consider the stats. Some 68% of businesses in Asia-Pacific were breached last year, up from 32% in 2019, and 17% had to deal with more than 50 cyber attacks or errors a week. And they took way too long to pick themselves up after an attack, with an average of 60.83% needing more than a week to remediate the attacks, citing lack of funds and skillsets as their key challenges. 

in Singapore, 28% had been breached in the past year, with almost 15% having to deal with at least 50 attempted cyber attacks a week. Some 33% described the resulting data loss as very serious or serious. 

Things will only get worse as businesses in the region and around the world rush to adopt tools that facilitate remote work, leaving their networks vulnerable to attacks. As it is, 54.7% viewed enabling and managing remote workforces a top ICT challenge and another 49.7% felt likewise about securing remote workers. 

As online adoption grows, supply chains will widen as businesses rush to cope with the spike in transactions. This means attack surfaces, too, will expand and it is crucial that enterprises get the fundamentals right to better mitigate potential security risks. 

When cyber risks become physical threats

And in the case of the Colonial Pipeline, the risks can be severe. 

The privately-held pipeline operator supplies 45% of the East Coast's fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military. It transports more than 100 million gallons of fuel a day across an area that spans Texas to New York.

The cyber attack forced the company to temporarily shut its operations and freeze IT systems to contain the infection. It triggered supply shortage concerns and pushed gasoline futures to their highest level in three years. It also prompted the US Department of Transportation to invoke emergency powers to make it easier to transport fuel by road.

Colonial Pipeline reportedly paid the ransomware group responsible for the attack $5 million to decrypt locked systems.

That it paid up shouldn't come as a surprise, since a majority of businesses in Asia-Pacific also choose to pay up after falling victim to ransomware attacks. These include 88% in Australia and 78% in Singapore that have forked out the ransom in full or in part. 

On its part, Singapore has recognised the risks cybersecurity attacks pose to its critical infrastructures. Early this month, it created a cybersecurity expert panel focused on OT, with the first meeting slated to take place in September. The move comes months after the country last October unveiled a new cybersecurity blueprint that looked to safeguard its core digital infrastructure. 

In particular, the government pointed to OT systems, where a successful attack can manifest as a severe disruption in the physical world. Such systems, including those in the energy, water, and transport sectors, are critical for delivering essential services and supporting the economy. 

In forming the OT expert panel, Singapore's Cyber Security Agency Chief Executive David Koh said: "While OT systems were traditionally separated from the internet, increasing digitalisation has led to more IT and OT integration. Hence, it is crucial for OT systems to be better protected from cyber threats to prevent outages of critical services that could result in serious real-world consequences."

The ransomware attack against the Colonial Pipeline has clearly demonstrated that the consequences are real and, no doubt, more are coming our way. 

That Singapore has put strong focus on OT is a positive step forward. And it is hoping the expert panel will provide some guidance on a range of issues, including governance policies, OT technologies, supply chain, threat intelligent information sharing, and incident response. 

However, with most of the industry still stuck in apparent inertia, firmer action is necessary to ensure businesses across all sectors, including OT, do not slip up. 

This should encompass even the simplest and most basic rules, such as outlawing the use of software that is more than 15 years old or mandating that all employees--including senior management--chalk up minimum training hours a year on cybersecurity threat management. 

In addition, all organisations that have encountered a security incident should be required to detail how their systems were breached. An abridged version of the attack, excluding specifics that can further compromise the company's security, also should be publicly released. 

It should no longer be sufficient for any company to simply say the attack was "sophisticated" without giving any other information to justify that description. 

In the Colonial Pipeline case, details have been slow to trickle out, with the US government yet to receive any information from the oil pipeline operator. The Biden administration had expressed frustration over what they perceived to be weak security protocols on Colonial Pipeline's part as well as well a lack of readiness to deal with cyberattacks.

It is clearly time for all organisations, not just those in Asia, to get a grip. Because if they don't, they won't just be losing millions in ransom payments, actual physical lives will be at risk. Transport and healthcare operators, in particular, should take heed. 

And with cybercriminals increasingly skilled in their craft, future attacks will indeed be so complex it will put to shame use of the word "sophisticated" that appears in almost every statement companies currently make to describe the breach they suffered.

Be better. Because when it comes to cybersecurity, that is what many businesses have yet to be.

RELATED COVERAGE

Editorial standards