On May 7, Joseph Blount, CEO of Colonial Pipeline, authorized a ransom payment of $4.4 million to Darkside, a cyber criminal gang believed to be based in Eastern Europe. Executives at Colonial were forced to make decisions quickly and with a lack of information they were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back. Operators of the Colonial Pipeline learned the Company was in trouble when an employee found a ransom note displayed on the screen of a control-room computer. This cyberattack underscores the growing impact of cyberthreats on industrial sectors and the fact that attackers are now specifically targeting critical infrastructure to increase their profit.
It is impossible to determine the target or nature of the next cyber attack, but all critical infrastructure industry executives should be asking themselves the same question right now: where is my baseline? Executives don’t know the who, what, how, where or when of the next attack, but all companies can raise the baseline on their cyber resilience posture. Companies that have invested in creating a higher level of cyber resiliency are working from a different baseline and have put themselves in a better position to respond quickly and effectively to reduce cost and risk. These companies will have the information they need for faster, more efficient decision making. Companies that prioritize and invest in creating cyber resiliency as part of their cybersecurity posture are effectively removing risk from the inevitable next cyber attack.
Establishing the initial cyber resiliency baseline is a core step of the Structure Cyber Resiliency Analysis Methodology (SCRAM) developed by MITRE. The goal is to answer the question what can we build on? This is accomplished by reviewing current capabilities, policies and procedures already in place, cybersecurity solutions deployed, and gaps to achieve relevant cyber resiliency goals. As illustrated in the SCRAM document, the result of this activity can be recorded in a scorecard:
In the context of the Colonial Pipeline ransomware incident, the crucial parts of the baseline to review are:
An efficient approach to build the initial baseline is to use the Colonial attack as a scenario to engage with relevant subject matter experts (SMEs) in your company. Once the baseline has been defined, then a gap analysis can be conducted in order to create and implement a cyber resiliency plan.
The World Economic Forum published this week a guidance document on cyber resiliency that presents 10 key principles that executives in the industrial sector should understand and adopt. In particular, principle #7 states that:
"The board ensures that management supports the officer accountable for cyber resilience through the creation, implementation, testing and ongoing improvement of cyber-resilience plans, which are appropriately harmonized across the business. It requires the officer in charge to monitor performance and to regularly report to the board."
Capturing the initial baseline plays a crucial role to create such plans, since it enables all stakeholders to develop a common understanding on which a path to higher cyber resiliency can be defined. This is important to build alignment among business units and across all levels of the organization.