The critical lesson of the recent Colonial Pipeline incident is less about what was exploited and more about the lack of options operators had once the attack was known. A May 13 article on Cybersecurity Dive noted that, even though the hack did not affect the operations side, the decision to shut down all operations had to be made because of the potential risk of malware migrating from IT to OT. Tom Alrich, a cybersecurity expert quoted in the article, noted that though such a risk may be minimal, “if it were to happen, the effects could be devastating.”
According to Yury Dvorkin, an assistant professor of electrical and computer engineering at the New York University Tandon School of Engineering who is quoted in the article, the Colonial attack has revealed a “gap” in critical infrastructure security. “While cyber intrusions can be identified in a timely fashion, that is before these exploits are operationalized to damage infrastructure, there is still a gap in cyber defense capabilities that would avoid the need of shutting down the entire infrastructure.” What is called for, he observes, are tools to analyze, localize and isolate cyber threats “before they propagate and affect large portions of the infrastructure, thus increasing the likelihood of complete shutdowns.”
The entire article can be read here.