NEWS: TECHNOLOGY
Cyberattack dos and don’ts
By SAM BARNES
You’ve been hacked. Now what?
The Colonial Pipeline ransomware attack last spring and its troublesome aftermath sent shockwaves through the industrial world. The audacity of the perpetrators and impacts on the supply chain were shocking.

It was the most impactful cyberattack on an oil infrastructure target in the history of the U.S.

When the attackers took control of the computerized equipment managing its pipeline, Colonial halted all its operations to contain the damage. That, in turn, prompted the Federal Motor Carrier Safety Administration to issue a regional emergency declaration for 17 states and Washington, D.C. to keep fuel supply lines open.

Colonial paid the requested $4.4 million in ransom within several hours of the attack. With FBI assistance, it was able to identify the criminal hacking group and recover more than half of the money it paid. But the damage had already been done, as the experience had exposed some rather terrifying vulnerabilities in the industrial and oil and gas markets.

Jeff Moulton, president and CEO of cybersecurity research and service company Stephenson Technologies Corp. in Baton Rouge, says ransomware attacks, hacks, compromised networks and data spills have become the new normal, and no one is immune. “The whole paradigm has changed,” Moulton says. “You’re no longer judged by the fact that you’re attacked; you’re judged on how you respond.”

Stephenson Technologies was created some seven years ago as an applied research hub for LSU but has since begun to operate independently from the university, as much of its work is classified. The entity recently moved into a 25,000-square-foot space at The Water Campus in Baton Rouge and is involved in a number of private- and public-sector cybersecurity projects.

Moulton says ransomware is the most common—and highly publicized—type of attack. Unfortunately, it’s being perpetuated by those companies that pay the ransom. “The attackers are now exploiting you in two ways—they make you pay to get your data back, and they’re making you pay so that the data isn’t shared on the Dark Web,” Moulton says.

A particular vulnerability for industrial owners is the increasing connectivity between systems that manage back-office functions and operational processes. “If they’re connected, they’re vulnerable,” Moulton says. “There used to be no overlap, but because of economics it has become desirable to have one system to operate both. You’ve gained some convenience but increased your attack surface exponentially.”

No company is immune from a cyberattack, he says, and size doesn’t matter. “They’re not looking for a specific thing,” he says. “They’re automated programs (auto scripts) constantly looking for vulnerabilities in any system. There’s not a person there targeting you, specifically.” Therefore, it’s just a matter of time. The difference, he says, is in how a company prepares and responds.

CREATE A RESPONSE STRATEGY—BEFORE IT HAPPENS

All companies should have a response strategy that identifies a crisis response team and defines key roles and responsibilities. It should also identify a company’s critical assets. “What are those programs, services, processes etc. that you absolutely have to have to continue the business?” Moulton says. “Those get the attention first and you work your way back from there.”

An owner should also have a readily available contact list with all applicable governmental institutions that need to be alerted following an attack, including law enforcement, the FBI, the Department of Homeland Security and others. “Mandatory reporting might even be on the horizon at some point,” he adds.

Additionally, the legal team should assist in developing good internal policies and in the creation of a prepared external message. “Colonial Pipeline had their stuff together,” Moulton says. “They responded pretty well. Unfortunately, they didn’t understand the degree of the cascading impacts of the attack.”

PRACTICE, PRACTICE, PRACTICE

Simply having a response plan isn’t enough. A company should empower its response team to practice their response to an attack. “You need to practice a plan to become proficient,” he says. “You need to know who is going to do what, when, how and where.”

As such, there needs to be a line item in the budget for the cyberattack response. “You need to allocate money for ‘after care’ measures,” Moulton says. “Have a budget in advance. Your action response team should have money up front to put the fire out.” Moulton admits that convincing upper management of the need for such a fund can be a tall order, but it’s a conversation that needs to happen.

MAP THE DATA FLOW

A company should know where its data is located and how it moves through the organization. In many cases, the data is managed by someone who is largely ignorant of the dangers and isn’t adequately trained. “If you don’t know how your data flows, you can’t protect what you can’t see,” Moulton says.

10/12 INDUSTRY REPORT • FALL 2021
1012industryreport.com