Responding to the Colonial Pipeline Breach & CISA Ransomware Alert

Another development in the ransomware attack on Colonial Pipeline is the release of an alert from the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). The alert provides some best practices for “preventing business disruption from ransomware attacks.”

If you’re a critical infrastructure or industrial organization, or a government agency, you should certainly review CISA’s advice and use it as a guide to improve your defenses. It covers many of the basic tenets of securing your infrastructure. That said, advice is great and useful, but action is better and more impactful.

In essence, more needs to be done. And it needs to be done not just by asset owners, but also by governments.

Beating Ransomware Requires Government Action

The FBI reports that ransomware attacks were up 20% in 2020, and even more tellingly, ransom demands rose 225% [1]. And, according to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks in 2020, a 62% increase from a year prior [2].

The damage caused by ransomware criminals is so substantial, both financially and to general confidence, that governments should be acting aggressively to deter future attacks.

For example, financial incentives could be made available to organizations to accelerate their cybersecurity upgrades. Governments could also provide defensive support during a breach, but more importantly, in a proactive, ongoing way.

One idea under discussion is to require organizations to share their information regarding threat intelligence and cybersecurity breaches. This is understandably causing some concerns and resistance. To alleviate this roadblock, governments could facilitate a framework and mechanisms with confidentiality and commercial safeguards in place. This would ensure that shared information is protected from public and competitive consumption and have the benefit of helping organizations learn from each other and respond quickly to threats.

Finally, governments need to hold threat actors accountable. They need to take the lead in shutting down threat groups and punishing the nations and entities that enable them. The stakes are too high to let ransomware operators impact the essential services that keep societies functioning.

In addition to the CISA Advisory, a new U.S. government Executive Order was released yesterday (May 12). We are glad to see that it is very proactive in requiring greatly improved cybersecurity standards and practices for U.S. federal agencies. It includes improvements in security information sharing between agencies and their software and cloud suppliers, requirements for the provision of Software Bills of Materials (SBOMs) from suppliers, and many other urgently needed advances.

For now, it’s good to see progress being made by the U.S. government as it tries to be more prescriptive. We are moving in the right direction. However, ransomware and cyberattacks of all kinds are a global tsunami. It is critical that similar legislation be issued by governments in jurisdictions around the world. We need all governments fighting against these threats to help the private sector, improve cybersecurity and hold ransomware threat actors accountable.

We’ll take a closer look at what the Executive Order really means for critical infrastructure providers in an upcoming post.

Owners and Operators: Adopt A Post-Breach Mindset Today!

Actions by governments take time to implement, and in the meantime, critical infrastructure is in the crosshairs of ransomware threat actors.

Owners and operators that experience a breach are 26% less likely to experience a second attack. They prioritize the cybersecurity conversation, mobilize budgets, and implement business continuity processes in a short amount of time. Their post-breach mindset drives a dramatically lower likelihood of falling victim to a cyberattack. What if you could gain all these benefits without experiencing the trauma and losses of a breach?

So, what should you do now, if you haven’t taken action already? You, and your security and operations teams, should assume a post-breach mindset. Planning for failures in IT that can impact OT helps everyone understand what it takes to maintain operations safely. When you are attacked, and you should assume you will be, you need to be ready.

To reduce ransomware impacts and improve your organization’s cybersecurity posture, shifting your culture to a post-breach mentality can have a huge positive impact. It’s best to practice “We’ve been breached…now what?”

[1] “Internet Crime Report 2020,” FBI Internet Crime Complaint Center, 2021.
[2] “Annual Number of Ransomware Attacks Worldwide from 2014 to 2020,” Statista, April 13, 2021.