Topic: Why is a Billion Dollar Pipeline Incapable of Defending Itself Against Ransomware?

Online mystery-ak

  • Owner
  • Administrator
  • ******
  • Posts: 382,830
  • Gender: Female
  • Let's Go Brandon!
Why is a Billion Dollar Pipeline Incapable of Defending Itself Against Ransomware?

The person in charge has some serious explaining to do. This sort of risk didn't come from nowhere.

May 14, 2021 | 12:01 am
Bill Blunden

    “This is why frontier life is so difficult.

    Not because of the Indians or the elements but because of the idiots”

    ─Samantha, from the movie Bone Tomahawk


As details emerge concerning the recent breach of Colonial Pipeline’s network the press has focused primarily on the fallout of the shutdown. In a manner similar to the coverage of events surrounding the financial collapse of 2008, the media’s collective spotlight is emphasizing the spectacle of the ensuing calamity and its scale rather than the underlying failures that enabled it. This indicates that an agenda is likely at work. Or maybe it’s just a twist of fate that all those bankers skipped off into the sunset with their annual bonuses?

Ransomware is a pervasive threat. Any chief information officer worth his salt will have the foresight to deploy the controls necessary to sufficiently raise the cost of attacks as well as limit the damage that they incur—particularly when it comes to protecting the American infrastructure. Entire frameworks have been designed for managing cybersecurity. They’ve been around for years. There is even guidance aimed squarely at the energy sector describing how to implement them. The security programs produced by these frameworks almost always involve essential activities like threat modeling and risk assessment, as well as performing table top exercises, penetration testing, and disaster recovery dry runs. It’s all about managing risk and forging a solid incident response playbook.

When leaders don’t cut corners frameworks yield results. For example, in 1991 the Federal Reserve of Minnesota successfully executed its disaster recovery plan after a water main burst above its data center. With the alacrity that comes from careful, deliberate, preparation the Federal Reserve’s emergency response team sprang into motion. In a matter of hours a backup data center in another city was brought online and began handling daily transactions thanks to the dedication of 50 employees. Based on statements from officials who understand its procedures, the Fed’s digital platform includes multiple layers of redundancy to the extent that it would probably take a nuclear first strike to knock America’s central banking system out of commission. And if the precautions taken during the Cold War are any indication, even that might not be sufficient.

more
https://www.theamericanconservative.com/articles/why-is-a-billion-dollar-pipeline-incapable-of-defending-itself-against-ransomware/
Proud Supporter of Tunnel to Towers
Support the USO
Democrat Party...the Party of Infanticide

“Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own.”
-Matthew 6:34

Offline catfish1957

  • Laken Riley.... Say her Name. And to every past and future democrat voter- Her blood is on your hands too!!!
  • Political Researcher
  • *****
  • Posts: 31,432
  • Gender: Male
Truly anecdotal, but way back when I was working as a Plant Environmental Manager, we had a regulatory agency inquiry around custody (monitoring) issues on a section of valves around a pipeline station next to our plant. To resolve, and get details of ownership/operation(ship), I contacted their head environmental contact in their company.

I'll be nice, and just say that that person was less knowledgeable, and competent than my most junior engineer.
I display the Confederate Battle Flag in honor of my great great great grandfathers who spilled blood at Wilson's Creek and Shiloh.  5 others served in the WBTS with honor too.

Offline Bigun

  • Hero Member
  • *****
  • Posts: 51,489
  • Gender: Male
  • Resistance to Tyrants is Obedience to God
    • The FairTax Plan
“This is why frontier life is so difficult.

    Not because of the Indians or the elements but because of the idiots”


    ─Samantha, from the movie Bone Tomahawk

Yep! Entirely correct!  Anyone who thought it would be ok to use the internet for aiding control systems like these fits into the category of idiot!
"I wish it need not have happened in my time," said Frodo.

"So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us."
- J. R. R. Tolkien

Offline Bigun

Truly anecdotal, but way back when I was working as a Plant Environmental Manager, we had a regulatory agency inquiry around custody (monitoring) issues on a section of valves around a pipeline station next to our plant. To resolve, and get details of ownership/operation(ship), I contacted their head environmental contact in their company.

I'll be nice, and just say that that person was less knowledgeable, and competent than my most junior engineer.

Have you ever been called on to interact with OSHA people @catfish1957?  THAT is an eye-opening experience I'll assure you!

Offline Cyber Liberty

  • Coffee! Donuts! Kittens!
  • Administrator
  • ******
  • Posts: 80,061
  • Gender: Male
  • 🌵🌵🌵
The pipeline company didn't want to do what it took, and chose to either cut corners or hire cheap IT people.  It's not complicated.  The large company I worked for was extremely concerned about the Goodnight virus, back in the day.  Colonial clearly did not think it was a serious threat.
For unvaccinated, we are looking at a winter of severe illness and death — if you’re unvaccinated — for themselves, their families, and the hospitals they’ll soon overwhelm. Sloe Joe Biteme 12/16
I will NOT comply.
 
Castillo del Cyber Autonomous Zone ~~~~~>                          :dontfeed:

Offline catfish1957

Have you ever been called on to interact with OSHA people @catfish1957?  THAT is an eye-opening experience I'll assure you!

Over 30 years of dealing with OSHA, EPA, DOT, etc. and their state, (and local for Houston) counterparts.

Hands down the EPA pencil d__k's were the worst. Some of those buffoons were downright scary crazy with need for power and intimidation.

Offline Bigun

Over 30 years of dealing with OSHA, EPA, DOT, etc. and their state, (and local for Houston) counterparts.

Hands down the EPA pencil d__k's were the worst. Some of those buffoons were downright scary crazy with need for power and intimidation.

I was involved in the aftermath of an industrial accident that took the lives of 17 people years ago and can tell you that I have NEVER before encountered gross incompetence like I saw from the OSHA people involved in that. It was truly horrifying, and I mean that sincerely.

Offline DefiantMassRINO

  • Hero Member
  • *****
  • Posts: 10,106
  • Gender: Male
Because no executive gets a bonus for preventing a cyberattack that never happens.
Self-Anointed Deplorable Expert Chowderhead Pundit

I reserve my God-given rights to be wrong and to be stupid at all times.
"If at first you don’t succeed, destroy all evidence that you tried." - Steven Wright

Offline Cyber Liberty

Because no executive gets a bonus for preventing a cyberattack that never happens.

And this is why Business Administration majors must never be allowed to be CEOs.  They only listen to the bean counters and never to the real people working productive jobs.  The corporation I worked for paid me a $2K bonus for making sure my lab was ready for Y2K. 

Offline Absalom

  • Hero Member
  • *****
  • Posts: 4,375
Because modern Corporatism is synonymous w/bureaucracy and fat wallets;
having little, if anything to do w/creativity and innovation.
Doubt it? Reflect on the J & J embarrassment a moment.

Offline Restored

  • TBR Advisory Committee
  • ***
  • Posts: 3,659
Because no executive gets a bonus for preventing a cyberattack that never happens.

Pretty much it. Making it secure makes it difficult and difficult frustrates idiots. I know people who leave CPAs over secure document sharing to go to a CPA who emails their tax documents in the clear.
The reason the systems were open was it was just easier.
Countdown to Resignation

Offline corbe

  • Hero Member
  • *****
  • Posts: 38,267
  Later it will be revealed that the head of their IT department is in transition.

No government in the 12,000 years of modern mankind history has led its people into anything but the history books with a simple lesson, don't let this happen to you.

Offline Sled Dog

  • The Ultimate Weapon: Freedom - I Won't
  • Hero Member
  • *****
  • Posts: 3,138
Over 30 years of dealing with OSHA, EPA, DOT, etc. and their state, (and local for Houston) counterparts.

Hands down the EPA pencil d__k's were the worst. Some of those buffoons were downright scary crazy with need for power and intimidation.

Certain parts of Ghost Busters were real....
The GOP is not the party leadership. The GOP is the party MEMBERSHIP. The members need to kick the leaders out if the leaders are going the wrong way. No coddling allowed.

Offline Cyber Liberty

Certain parts of Ghost Busters were real....

You betcha.  Walter Peck was a really believable character.

Online roamer_1

  • Hero Member
  • *****
  • Posts: 43,677
Heard tell this was tied to an unpatched MSExchange exploit.

If anybody hears more along those lines, please ping me.