Responding to the Colonial Pipeline Breach & CISA Ransomware Alert


Another development in the ransomware attack on Colonial Pipeline is the release of an alert from the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). The alert provides some best practices for “preventing business disruption from ransomware attacks.”

If you’re a critical infrastructure or industrial organization, or a government agency, you should certainly review CISA’s advice and use it as a guide to improve your defenses. It covers many of the basic tenets of securing your infrastructure. That said, advice is great and useful, but action is better and more impactful.

In essence, more needs to be done. And it needs to be done not just by asset owners, but also by governments.

The Darkside ransomware is just the latest in a spike of ransomware attacks on organizations with significant financial resources. It led CISA to issue a new ransomware alert.

Beating Ransomware Requires Government Action

The FBI reports that ransomware attacks were up 20% in 2020, and even more tellingly, ransom demands rose 225%.[1] And, according to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks in 2020, a 62% increase from a year prior.[2]

The damage caused by ransomware criminals is so substantial, both financially and to general confidence, that governments should be acting aggressively to deter future attacks.

For example, financial incentives could be made available to organizations to accelerate their cybersecurity upgrades. Governments could also provide defensive support during a breach, but more importantly, in a proactive, ongoing way.

One idea under discussion is to require organizations to share their threat intelligence and information about cybersecurity breaches. This is understandably causing some concerns and resistance. To remove this roadblock, governments could facilitate a framework and mechanisms with confidentiality and commercial safeguards in place. This would ensure that shared information is protected from public and competitive consumption, while helping organizations learn from each other and respond quickly to threats.

Finally, governments need to hold threat actors accountable. They need to take the lead in shutting down threat groups and punishing the nations and entities that enable them. The stakes are too high to let ransomware operators impact the essential services that keep societies functioning.

In addition to the CISA Advisory, a new U.S. government Executive Order was released yesterday (May 12). We are glad to see that it is very proactive in requiring greatly improved cybersecurity standards and practices for U.S. federal agencies. It includes improvements in security information sharing between agencies and their software and cloud suppliers, requirements for the provision of Software Bills of Materials (SBOMs) from suppliers, and many other urgently needed advances.

For now, it’s good to see progress being made by the U.S. government as it tries to be more prescriptive. We are moving in the right direction. However, ransomware and cyberattacks of all kinds are a global tsunami. It is critical that similar legislation be issued by governments in jurisdictions around the world. We need all governments fighting against these threats to help the private sector, improve cybersecurity and hold ransomware threat actors accountable.

We’ll take a closer look at what the Executive Order really means for critical infrastructure providers in an upcoming post.

Owners and Operators: Adopt A Post-Breach Mindset Today!

Actions by governments take time to implement, and in the meantime, critical infrastructure is in the crosshairs of ransomware threat actors.

Owners and operators that experience a breach are 26% less likely to experience a second attack. They prioritize the cybersecurity conversation, mobilize budgets, and implement business continuity processes in a short amount of time. Their post-breach mindset drives a dramatically lower likelihood of falling victim to a cyberattack. What if you could gain all these benefits without experiencing the trauma and losses of a breach?

So, what should you do now, if you haven’t taken action already? You, and your security and operations teams, should assume a post-breach mindset. Planning for failures in IT that can impact OT helps everyone understand what it takes to maintain operations, safely. When you are attacked, and you should assume you will be, you need to be ready.

To reduce ransomware impacts and improve your organization’s cybersecurity posture, shifting your culture to a post-breach mentality can have a huge positive impact. It’s best to practice “We’ve been breached…now what?”


  1. “Internet Crime Report 2020,” FBI Internet Crime Complaint Center, 2021.
  2. “Annual Number of Ransomware Attacks Worldwide from 2014 to 2020,” Statista, April 13, 2021.
  3. “2018 Cost of Data Breach Study: Impact of Business Continuity Management,” Ponemon Institute LLC, October 2018.
