The ransomware hit against Colonial Pipeline Co. is likely to increase costs for cyber insurance and may prompt legislators to push tougher standards for critical infrastructure such as pipelines, energy grids, and water systems, attorneys and security professionals say.
The impact of the attack is likely going to ripple and drive up the cost of cyber liability insurance across the board, said Melissa Krasnow, a privacy and cybersecurity attorney at VLP Law Group LLP in Minneapolis.
“The cost of insurance is going up, and the coverage is less,” Krasnow said. “That trend is likely going to continue after a large-scale attack like this.”
The attack is a threat to national security, and should be a wake-up call that the status quo of hack detection isn’t working, said Andrew Rubin, CEO and founder of Sunnyvale, Calif.-based security company Illumio.
“SolarWinds should’ve been enough to get us to question our strategy,” Rubin said. “This attack is going to force us to question it.”
The attack may prompt insurers to tighten the types of incidents covered or require companies looking for insurance to adopt stronger security standards before purchasing a policy, said Brian Kint, a privacy and cybersecurity attorney at Cozen O’Connor in Philadelphia.
Corporate executives across industries are likely going to see the attack as an opportunity to look into their company’s own insurance policies, Rubin said.
Even if a company does have cyber insurance, the hack is likely to spur discussion as to whether existing coverage is sufficient, he said.
The attack may also spur lawmakers to look seriously at heavier regulations for critical infrastructure, including energy companies, Kint said.
“As hesitant as some legislators may be to regulate private industry, it may help bring into focus a conversation saying government needs to do something legislatively to make sure these companies are implementing proper security measures,” he said.
The Biden administration has so far been responsive in dealing with the attack, which is a promising sign, Dull said.
But companies should take a hard look at how interconnected their systems are with other businesses and vendors, and interagency coordination is needed going forward to better prevent and mitigate such attacks, he said.
“We need agencies to work together on the issue and clarify standards across the board, including a coherent plan from the Cybersecurity & Infrastructure Security Agency, Federal Energy Regulatory Commission, and Department of the Treasury,” Dull said.
Zero trust segmentation—building “compartments” so that if one part of an environment or network is affected, the rest of the network may be spared—should be adopted by companies in the energy sector and beyond, Rubin said.
Zero trust isn’t about preventing a security incident, but rather about preventing those incidents from becoming catastrophes, he said.
“The government’s reaction this week is going to be critical,” Rubin said. “They need to put this front and center and explain why this isn’t just another breach.”
The ransomware attack against Colonial isn’t the first hit against critical infrastructure, though it is one of the biggest. A Central Florida water plant was hit by cyberattackers in February, and bad actors have also targeted hospitals, municipal governments, and schools in recent years.
The Colonial incident fits into a broader uptick in ransomware attacks over 2020 and 2021, Krasnow said.
The pressure to pay a ransom and get systems back online may be more acute for critical infrastructure companies that provide services such as oil transportation, water treatment, and energy production, Krasnow said.
A company like Colonial manages sensitive data such as locations of oil containers, operating systems, and security measures, said Lior Div, CEO and co-founder of Boston-based security firm Cybereason.
“There’s a lot of information that you really don’t want to be out there,” Div said. “That gives the group leverage in negotiations.”
Companies such as Colonial must keep in mind guidance from the U.S. Department of the Treasury’s Office of Foreign Assets Control, Krasnow said. The office put out an advisory in October alerting companies that they risk sanctions if they facilitate ransomware payments to certain groups.
But companies are put in a difficult position because they can’t always tell who’s hacking them and whether that group is from an entity on the OFAC list, said Kyle Dull, a senior privacy and cybersecurity associate at Squire Patton Boggs.
“That complicates the payment picture,” Dull said. “I anticipate seeing more guidance coming from OFAC about what companies should do in these situations” following a large-scale attack like this, he said.
—With assistance from Bobby Magill and Dean Scott