- Recent ransomware attacks on key companies have wreaked havoc on US suppliers and consumers.
- Cybersecurity experts say that while these firms may be large in scale, they’re not necessarily high-tech.
- Large companies often have a mosaic of IT systems that can make them vulnerable to attack.
- See more stories on Insider’s business page.
In his Senate testimony during a hearing last week on the Colonial Pipeline cyber attack, CEO Joseph Blount said hackers had penetrated a legacy system that was protected by a single password, rather than multi-factor authentication.
“It was a complicated password – I want to be clear on that – it was not a ‘Colonial123’-type password,” Blount said.
In normal operations, the company, which runs the nation’s largest oil and gas pipeline, uses a more robust authentication process to make remote access more difficult, he added. “We take cybersecurity very seriously.”
But Blount’s testimony also showed that Colonial relies on a variety of different countermeasures to defend its systems – systems that provide more than half the oil and gas consumed by the East Coast. Last month’s ransomware attack on Colonial forced a nearly-week long shutdown of its 5,500 miles of pipeline, causing a ripple effect of gasoline shortages and panic buying across parts of the East Coast.
Colonial is by no means alone. Meatpacking giant JBS was hit with a similar attack, and recently disclosed that it paid $11 million to the hackers. The New York subway system and a Massachusetts ferryboat operator have also recently been targeted.
Indeed, the FBI is now working with more than 90 ransomware victims across a range of critical infrastructure sectors, deputy director Paul M. Abbate said in a press conference on the partial recovery of Colonial’s $4 million ransom payment.
The Wall Street Journal reported that that ransomware incidents have tripled in the past year, according to FBI and reports from the private sector. The chief information security officer for pharmaceutical giant Johnson & Johnson, told a WSJ event that her company experiences around 15.5 billion cybersecurity incidents per day.
Experts told Insider that some companies reliance on patchwork cybersecurity systems means there are gaps for hackers to exploit, and that leaves key services and supply chains vulnerable to attack.
“These perpetrators are looking for places where there are sloppy cybersecurity practices,” said Mark Testoni, CEO of SAP’s national security arm, NS2. “Every company has a mosaic of systems, and they might come from a number of manufacturers.”
In other words, a company’s investment in state-of-the-art locks and cameras on its front door could be rendered ineffective if the windows aren’t well-secured too.
Doug Schmidt, a professor of computer science at Vanderbilt University, said the challenge can be especially pronounced when firms acquire or merge with others that continue to depend on legacy systems, like software for a key piece of equipment that will only run on Windows 95.
“A given system may be fairly secure, but when you start connecting it to other systems that it really wasn’t meant to work with, that leaves all kinds of opportunities for neglect, error, and surprise,” he said.
This can be even more problematic in lower-margin, highly consolidated industries like food and some utilities where companies might see cybersecurity more as an expense than an investment, especially for those that don’t perceive themselves to be a target.
“Imagine how it must just be like taking candy from a baby to go and hack these low-margin businesses that are building incrementally, and have very heterogeneous long tails of inadequate, unsecured, chaotic, error-filled legacy information systems,” Schmidt said.
For Testoni, episodes like the recent ransomware attacks underscore the need for a change of mindset among business leaders.
“The most important thing that every company needs to understand is every company is now a technology company,” he said. “They need to think like they’re a technology company, and they have to protect both their digital assets and their physical assets.”
Every incremental improvement helps reduce the overall risk, Testoni said, and will pay dividends later as the world only becomes more heavily networked.
Deputy Attorney General Lisa Monaco echoed that sentiment in her remarks on the Colonial ransom case, calling on corporate and community leaders to “invest the resources now.”
“Failure to do so could be the difference between being secure now – or a victim later,” she said.