Let me tell you the lesson of the Colonial Pipeline case

di Umberto Rapetto


What is there to learn from the Colonial Pipeline case? An article by Umberto Rapetto, director of Infosec.news.

The attack on the Colonial Pipeline will be remembered in the history books alongside the Sarajevo attack of 28 June 1914. If the killing of Archduke Franz Ferdinand, heir to the throne of Austria-Hungary, and his wife Sophie marked the start of World War I, the digital assault on the cyclopean oil pipeline from Texas to New Jersey is destined to mark the fateful transition from a state of belligerence to a state of war itself.
The Executive Order on Improving the Nation’s Cybersecurity just signed by Joe Biden is no different from the sirens that once warned the population of an imminent bombing and directed people to the air-raid shelters.
After resounding cybersecurity incidents such as SolarWinds, Microsoft Exchange and now Colonial Pipeline, the President of the United States has issued a provision that thunders like the first declaration of war against an invisible enemy.
The technological threat (driven by widespread mercenaries and by the “cyber armed forces” of the countries most active on this battlefield) can no longer be overlooked, and Biden points out that certain incidents show the inadequacy of federal action and the need for real and effective cooperation with the private sector, which owns and manages much of the critical infrastructure within the United States.
The practice of each company deciding on its own investments in IT security should give way to a coordinated action programme leading to increased and better-aligned organisational, technical and financial efforts, with the aim of minimising the risk of future disasters.
Firstly, the obstacles to the sharing of threat information between government and the private sector must be removed. According to the Executive Order, ICT service providers must be able to share information with the Government, ensuring a constant update on the threats detected and the breaches of systems that have occurred.
It is essential to eliminate the reluctance of those who provide IT services to confess embarrassing situations, and the “voluntary” sharing of all available information on possible compromises of data processing systems and communication networks has become urgent.
Biden is clear on this. Certain silences owed to contractual obligations or other agreements between private parties must disappear, and there must be a conviction that an immediate and transparent dialogue with government institutions allows the earliest possible adoption of security measures capable of safeguarding the nation as a whole.
The Executive Order highlights the role of the Federal Government in protecting “cloud” services and “zero-trust” architecture and imposes the implementation of multi-factor authentication and encryption: the text shows an awareness that obsolete security models and unencrypted data have led to the profound compromise of the “most sensitive” computer systems in the public and private sectors.
Among the key points of the measure is the strengthening of software supply chain protection. Security standards will have to be established and consolidated for the development of programs and applications used by government entities. Developers will be required to provide maximum visibility into the instructions and code included in the software, with particular regard to the parts that make up its security structure.
It must trigger a public-private process to develop new and innovative approaches and create a pilot program for an “Energy Star”-style label, so that the government (and the public at large) can quickly determine whether software has been developed securely.
“There is too much software, including critical software, that comes with significant vulnerabilities exploited by our opponents,” says the White House press release.
The Executive Order establishes a Cyber Security Review Committee, co-chaired by government and private sector leaders, which may meet following a significant IT incident to analyse the incident and make concrete recommendations for improving IT security.
We are aware that, too often, organizations repeat the mistakes of the past, do not learn the dramatic lessons of bad experiences, do not ask the uncomfortable questions that demand even more painful answers, and struggle to make changes and improvements.

The idea takes its cue from the model of the National Transportation Safety Board, the body that steps in after air accidents and other disasters, and is based on the creation of a “standard playbook” (i.e. a set of pre-packaged, customizable modular remedies) that enables a rapid response with sufficient coverage of the problem, using uniform and proven initiatives to identify and combat emerging dangers.
Particular attention is required for “detection” activities, i.e. those aimed at identifying crisis situations, containing incidents, and anticipating harmful operations that could compromise public and private networks and all the information resources of the American digital connective tissue.
Slowness, overlap, lack of coordination: these are the factors that expose a country to the risk of cyber aggression, and only a harmonious and shared design at the most diverse levels can heal the future and recover the time lost so far in chatter, conferences, memoranda of understanding and other “inutilia” of various kinds.
Article published on infosec.news