The Senate Homeland Security Committee held a hearing last week regarding the Colonial Pipeline fiasco (which has much wider implications than just one company cravenly paying off its attacker/rewarding its attacker for the attack).
Congressman John Katko (R, NY), Ranking Member of that committee, also wrote a letter to Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency, which is a part of the Department of Homeland Security. In his letter, Katko asked a number of questions regarding how well CISA works with its counterparts in other agencies and how well CISA’s inspections of the nation’s pipelines were going.
He also wrote optimistically:
[T]he Pipeline Cybersecurity Initiative, housed within the National Risk Management Center (NRMC), has shown promise as a voluntary, public-private partnership between CISA, Transportation Security Administration (TSA), Department of Energy (DOE), and a range of pipeline-dominant critical infrastructure stakeholders. It is the Committee’s understanding that the core of this initiative revolves around conducting Validated Architecture and Design Review (VADR) assessments on pipeline assets.
These VADR assessments have proven effective at identifying a wide range of potential vulnerabilities within pipeline systems – some of which have been publicly distilled. Better understanding common security flaws and common misconfiguration issues is in everyone’s best interests, and these aggregated insights will help enhance national resilience.
It’s good to erect barriers that actually work.
Two things remain necessary, though. One is, once those barriers are set up, to go clean out the areas behind the barriers: to identify and remove existing malware from the operational and support software, to clean out the existing backups—both of software and of data—to improve training of human operators and support personnel regarding their role in preventing malware from reentering via phishing, spam, and so on, with more severe sanctions than heretofore applied to personnel who fail.
The other is to recognize that those barriers—software and human—will always be imperfect, will always become obsolete in the ongoing arms race between malefactors and targets, and will always need development, upgrade, and anticipation of future developments and potentials for attack.