The lessons to be learned from the Colonial Pipeline attack


Last month, the operators of the Colonial Pipeline, which provides roughly 45 percent of the US East Coast with gasoline and jet fuel, were struck by a ransomware attack that forced the company to shut down. Within hours, attackers who identified themselves as DarkSide, a criminal cyber gang, took credit for the attack and threatened to leak sensitive information from the stolen data unless a ransom was paid in full by the business.

About the author

John Smith is Director of Solution Architects EMEA & APAC at Veracode.

While the attack in question was not a sophisticated one, it left large portions of the US East Coast without a supply of fuel, creating disastrous problems for millions of people in the impacted areas. It left many wondering why such critical IT infrastructure wasn’t better protected from the risk of cyberattack.

The hack came just months after high-profile breaches at software provider SolarWinds and code coverage company Codecov - attacks which themselves prompted the White House to publish an executive order to strengthen the nation’s cybersecurity. The order requires that all federal information systems meet or exceed certain standards and requirements, and will see the US government create digital safety standards in an attempt to mitigate the risk of potentially harmful cyber incidents.

The Colonial Pipeline attack

The Colonial Pipeline attack – coupled with the backlash in the wake of both the SolarWinds and Codecov attacks – has led many to wonder if the executive order is enough. This unease has prompted top executives from firms like Microsoft, Amazon and Cisco to call for an international coalition to combat the global increase in ransomware. Across the Atlantic, the European Union is also looking to enforce better security for critical infrastructure, with a draft bill to extend cybersecurity legislation to more industries, such as healthcare and financial services.

Yet, some are asking if it is happening fast enough. According to the 2021 Verizon Data Breach Investigations Report, ransomware and web application attacks were the most popular causes of data breaches over the past year. In fact, ransomware attacks increased by six percent, accounting for 10 percent of breaches, while web applications made up 39 percent of all data breaches and most of these were cloud-based – not surprising given the accelerated shift to digital during the pandemic.

Moreover, Verizon’s analysis found 54% of data breaches in EMEA were caused by web application attacks - the most common type of attack in this region and the highest proportion of web application attacks globally. The most commonly breached data type in EMEA was credentials, which goes hand-in-hand with web attacks. In an ideal world, public and private sector organizations would work together to prevent cybercriminals from being able to carry out these attacks in the first place, but this is far easier said than done. In fact, as is the case with the Colonial Pipeline attack, one big issue with prevention is that we typically don’t know how the attackers get in.

Security flaws

The majority of apps have at least one security flaw.

Veracode’s State of Software Security (SoSS) v11 report found more than three quarters (76%) of applications contain some sort of security flaw, and nearly a quarter of these are high severity. Since it typically takes developers six months to close half of the security flaws they find, it’s imperative that teams ensure they’re scanning apps regularly and consistently. Modern DevSecOps practices, such as using multiple application security scan types, working within smaller or more modern apps, and embedding security testing into the pipeline via an API, can significantly reduce the time it takes to close flaws.

There is clearly a need for structure and standardization of security in the software supply chain. With roughly 25 percent of the US executive order on cybersecurity focused on software security, vendors will be required to provide a Software Bill of Materials (SBOM) for each software product used by the federal government. Just as nutrition and ingredient labelling evolved over time as food products became more complicated and awareness of health risks increased, the government is now mandating transparency about what is in software.

The fact that a criminal gang can shut down nearly half of the United States East Coast’s fuel supply is a sobering reminder of the real-world implications of cybercrime. In the same way that a black box is examined to understand the cause of a plane crash, software and network security must be analyzed with the same vigor. The security of critical infrastructure is paramount; its compromise poses a huge threat to society.

The goal of software security isn’t to write applications perfectly the first time, but to find and fix flaws in a comprehensive and timely manner. Even in the most challenging environments, developers can take quick and easy steps to improve the overall security of an application. By shifting security left in the development lifecycle, teams can mitigate the risk of serious cyber incidents and instill processes that aim to make software ‘secure by design’.

EMEA Chief Technology Officer at Veracode.
