back to article Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations

Stricken US bulk hydrocarbon conveyor Colonial Pipeline advertised for a new cybersecurity manager a month before that ransomware attack forced operators to shut down the pipeline as a pre-emptive safety measure. The job advert came to light in the wake of the ransomware attack, which shut down one of America's largest …

  1. A Non e-mouse Silver badge

    I'd have thought that getting budget and approval for cybersecurity will be quite easy for the new manager.

    1. YourNameHere

      Yep, I would think this Job Request would sail through the approval process now and get posted. I bet they may even be looking at the resumes that are coming in and forwarding them to the IT department real time.

      It would be interesting to sit in on the interview process as both sides ask questions to each other...

    2. Danny 14

      plus you get to blame everything on the last guy whilat pushing through 2FA, device screening, geolocking, closing VPNs and all the orher shady thinga that the business has relied on (but was a firewall swiss cheese hazard).

      1. Anonymous Coward
        Anonymous Coward

        Basic stuff like putting meaningful passwords on the industrial computers would be a good place to start. I have lost count of how many times I've seen manufacturers defaults being used - and left - because of the problem of cataloguing passwords on behalf of different engineers that attend a given site.

        Second tier stuff like the network topology and firewalling are a very close second step; and again, good luck with that. Most of these things have equipment of vintages from anything from WWII up to present day; often a mix of elecromechanical relays and more "modern" though not necessarily so long lived semicon systems.

        Hardware selection in the control arena is one of the hardest sysadmin tasks you'll ever find. Lifetimes of 20+ years are the norm, so cheap architectures are out of the question, IF you are serious about maintaining them that long. The former are actually very good from a security / long life perspective though so far out of manufacture they are a dying breed. Newer stuff, well; early-2000's capacitor plague is a thing, so many units installed even 20 years ago are bin fodder now.

        And support contracts are fun too, suppliers want you to get their latest and greatest IP connected box to sell you updates every 5 years. Almost the root of the problem, anyone?

  2. Doctor Syntax Silver badge

    Advertise for a cybersecurity manager and simultaneously advertise that you might not have had one previously. A bit like painting a target on your back.

    1. Pascal Monett Silver badge

      If I'm not mistaken, that target has already been bull's-eyed.

  3. NoneSuch Silver badge

    I suspect the compensation package will much more "generous" now.

    1. Mike 137 Silver badge

      Maybe not

      "I suspect the compensation package will much more "generous" now."

      Practically no organisation actually learns from data breaches or really adapts after them. They just fire and hire "responsible" personnel and then carry on much as before.

      As one who has attempted to improve security in numerous enterprises, I find that the fundamentals that underpin vulnerability are cultural, not technical. So taking on a new (or replacement) technical expert post-breach most likely leads not to improved security but to increasing frustration of the said expert as they establish that they can't get anything significant changed for the better because of management inertia.

      The prime example is Equifax, whose management processes were so sloppy that they couldn't even find out whether they were vulnerable having been alerted to the hazard, and they had let a primary intrusion detection mechanism cease to function for months without noticing. And that's just the pinnacle of a point haired pyramid of management failures. The specific exploit they fell foul of was just one of many possibles, given that their security was effectively unmanaged.

      1. SotarrTheWizard

        Re: Maybe not

        Tell me about it. The C-suite demanding admin access to their boxes, and the ability to install any software they want.

        Marketing demanding that they can access their personal email via a webmail client.


        Need I go on ??

      2. Anonymous Coward
        Anonymous Coward

        Re: Maybe not

        When somewhere close to my heart paycheque had a bit of a security "incident" lessons were most definitely learnt. Lots of changes, polices, etc were put in place to try and stop all sorts of nasty stuff.

        As a side effect it obviously raised the concept of cyber/information security within the company and so when things suit my needs I hitch my changes to that flag and get what I want pushed through (after years of having the same things kyboshed because no-one else cared).

      3. Marshalltown

        Re: Maybe not

        The issue with many security systems is that they necessarily implement some form of tighter access control. That has its upsides and downsides. It may very well be more secure to intrusion (physical or electronic), but if the implementation also makes it even slightly more onerous for the users and clients then 1) many users start to look for short cuts, or easier means of achieving an end; and 2) clients conclude the effort is worth less than the reward and start to look elsewhere. So, poorly implemented security measures from the point of view of those who have to deal them. People start writing down "more secure" gibberish passwords that are hard or impossible to memorize except by savants, meaning the "keys" to the kingdom can be on a thumb drive or a slip of paper.

        I used to war drive around the city where I live and the unsecured access points were most numerous in state government buildings. I pointed this to a friend who worked for a state agency and was actually responsible helping maintain security, eliminating viruses, trojans, etc. He told me that the biggest problem were work bottle necks, issues such as one printer available to anywhere from ten to some times 50 personnel! Bureaucracies run on paperwork. So people would bring a personal printer, usually run off an unauthorized personal router in order to meet deadlines. Effectively their wireless routers created back doors into secure systems. The security staff were running their legs off suppressing this, but the people committing the acts were also the most productive. So, they might be chewed out by a superior, but you can't shoot the cow and improve milk production.

        He said they were continually monitoring this (war driving themselves). There were other security problems as well. He had spent a month chasing a virus source that seemed to skip around town from one building to another, but always within the same unit. The head of said unit was complaining bitterly about this. In desperation my buddy created a board tracking dates of new outbreaks in places previously cleared, sometimes several times. It finally emerged that the very complaining supervisor had been carrying around a 3.5-inch disk from section to section of the unit to "backup work" and "monitor" work progress. The floppy was one from his home (to save the unit budget he said). Ultimately my friend had to physically catch the supervisor inserting the disk into and have him stop while the disk was scanned. Some of the unit sections affected had physical access limitations that required authorization before a person could physically enter the building or suite. So the problem was the fellow with the boss of the unit.

        1. Doctor Syntax Silver badge

          Re: Maybe not

          he "keys" to the kingdom can be on a thumb drive or a slip of paper.

          If the contents of the thumb drive are the database for a password manager such as KeePassX it's not necessarily a problem. The problem might be a keylogger in the device via which access is gained but that's not a problem specific to the password manager.

  4. Version 1.0 Silver badge

    I wonder if someone saw the advert, thought that they must be vulnerable, and sent an email, "I have tremendous cybersecurity experience, please follow this link to download my resume, it's encrypted so you will have to click OK to view it" ... ?

    1. Ken Moorhouse Silver badge

      Re: I wonder if someone saw the advert

      We will never know whether you are right or not, but it is highly plausible.

  5. TimMaher Silver badge

    Gold Waterfall?

    Someone's taking the piss.

    1. Chairman of the Bored

      Re: Gold Waterfall?

      I thought that, too. I also wondered if I am supposed to recall the golden shower Donald Trump [allegedly] got in Mother Russia.

      If so, hats off the the bloke who came up with the Gold Waterfall handle. I have respect!

  6. FuzzyTheBear

    Check Employment notices ..

    great tip for wanna be ransomwarists .. check company websites .. if they are looking for people in security , mark them as a possible target 8)

    1. sanmigueelbeer

      Re: Check Employment notices ..

      I would not be considering this as a "joke". I would even go much further by saying if the Cybersecurity position was the source of the "ingress", i. e. DarkSider submitted a compromised Word document disguised as a CV.

  7. A random security guy

    I wonder if oil companies made more money

    Just like in the Texas freeze, where some companies made a lot of money, I wonder if people made a lot of money off the scarcity and fear.

    Apart from that, they have to spend billions upgrading the equipment in the field. Why bother. That is the cynic in me. I see this every time.

  8. Jason Hindle

    Someone dodged a bullet

    Imagine having to deal with that first day on the job.

  9. badgames

    Obliviousness of management

    I worked in the electric utility industry on SCADA systems (power grid and generation control) and couldn't believe that they wanted management access into the SCADA system. Transfer as much data for analysis, playtime, etc. through one-way fiber (I don't hook up return line) to another system, but SCADA should be isolated, as should be any control system. Pointy hairs thought that was paranoid, but then they also wanted to run SCADA on Windows...

    1. Doctor Syntax Silver badge

      Re: Obliviousness of management

      "Pointy hairs thought that was paranoid"

      The first requirement for the job. Paranoia is essential, mere vigilance is not enough.

  10. Pascal Monett Silver badge

    "assuming it was filled before the attack"

    Whether it filled before or after the attack, the poor sod is going to have a helluva start.

  11. low_resolution_foxxes

    It also raises the question, was there a previous manager who was sacked?

    Wouldn't be the 1st IT guy who was kicked out and surprisingly a computer crisis shuts down the company.

  12. Morrie Wyatt
    Black Helicopters

    On the bright side.

    Whoever does end up with the job has a better chance of being listened to seriously when they point out security issues.

    Doesn't mean that they will follow through on any recommended actions though.

    There's always that managerial type person convinced that it will never happen to them. (Until it does of course. Then it is open season on scapegoats.)

    1. A random security guy

      Re: On the bright side.

      They will listen and do whatever they were doing before. The mandate has to come from the CEO and the board. Really the board has to politely tell the CEO that he needs to have the problem fixed. The CEO has to tell the yearly compensation and review committee that security has to be part of the employee KPI.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like