Author Topic: Tech audit of Colonial Pipeline found ‘glaring’ problems  (Read 361 times)

Offline thackney

Tech audit of Colonial Pipeline found ‘glaring’ problems
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d
5/12/2021

An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

“We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit’s findings. It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial’s headquarters, acknowledged being among them. Colonial’s chief information officer sits on Rausch’s advisory board....
Life is fragile, handle with prayer

Offline thackney

Re: Tech audit of Colonial Pipeline found ‘glaring’ problems
« Reply #1 on: May 13, 2021, 05:02:11 pm »
Statement from FERC Chairman Richard Glick: Chairman Glick and Commissioner Clements Call for Examination of Mandatory Pipeline Cyber Standards in Wake of Colonial Pipeline Ransomware Incident
https://www.ferc.gov/news-events/news/statement-ferc-chairman-richard-glick-chairman-glick-and-commissioner-clements

“The cyberattack against the Colonial Pipeline system, which provides nearly half of the fuel supply for the East Coast, is a stark reminder that we must do more to ensure the safety of our nation’s energy infrastructure.

“For over a decade, the Federal Energy Regulatory Commission (FERC), in coordination with the North American Electric Reliability Corporation, has established and enforced mandatory cybersecurity standards for the bulk electric system.  However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States. 

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector.  Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.  Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.

“Therefore, I am pleased that Commissioner Clements is joining me today in my longstanding calls for mandatory cybersecurity standards for our nation’s pipeline infrastructure.”

Offline thackney

Re: Tech audit of Colonial Pipeline found ‘glaring’ problems
« Reply #2 on: May 13, 2021, 05:26:36 pm »
Executive Order on Improving the Nation’s Cybersecurity
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1.  Policy....

Sec. 2.  Removing Barriers to Sharing Threat Information....

Sec. 3.  Modernizing Federal Government Cybersecurity....

Sec. 4.  Enhancing Software Supply Chain Security....

Sec. 5.  Establishing a Cyber Safety Review Board....

Sec. 6.  Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents....

Sec. 7.  Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks....

Sec. 8.  Improving the Federal Government’s Investigative and Remediation Capabilities....

Sec. 9.  National Security Systems....

Sec. 10.  Definitions....

Sec. 11.  General Provisions....


Online Cyber Liberty

Re: Tech audit of Colonial Pipeline found ‘glaring’ problems
« Reply #3 on: May 13, 2021, 09:29:49 pm »
"Here come da regs!  Here come da regs!  Sock it to me baby, here come da regs!"
For unvaccinated, we are looking at a winter of severe illness and death — if you’re unvaccinated — for themselves, their families, and the hospitals they’ll soon overwhelm. Sloe Joe Biteme 12/16
I will NOT comply.
 
Castillo del Cyber Autonomous Zone ~~~~~>                          :dontfeed: