Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations

Stricken US bulk hydrocarbon conveyor Colonial Pipeline advertised for a new cybersecurity manager a month before that ransomware attack forced operators to shut down the pipeline as a pre-emptive safety measure. The job advert came to light in the wake of the ransomware attack, which shut down one of America's largest …

  1. A Non e-mouse Silver badge

    I'd have thought that getting budget and approval for cybersecurity will be quite easy for the new manager.

    1. YourNameHere

      Yep, I would think this Job Request would sail through the approval process now and get posted. I bet they may even be looking at the resumes that are coming in and forwarding them to the IT department in real time.

      It would be interesting to sit in on the interview process as both sides ask questions to each other...

    2. Danny 14

      plus you get to blame everything on the last guy whilst pushing through 2FA, device screening, geolocking, closing VPNs and all the other shady things that the business has relied on (but was a firewall swiss cheese hazard).

      1. Anonymous Coward

        Basic stuff like putting meaningful passwords on the industrial computers would be a good place to start. I have lost count of how many times I've seen manufacturers' defaults being used - and left - because of the problem of cataloguing passwords on behalf of different engineers that attend a given site.

        Second tier stuff like the network topology and firewalling are a very close second step; and again, good luck with that. Most of these things have equipment of vintages from anything from WWII up to present day; often a mix of electromechanical relays and more "modern" though not necessarily so long lived semicon systems.

        Hardware selection in the control arena is one of the hardest sysadmin tasks you'll ever find. Lifetimes of 20+ years are the norm, so cheap architectures are out of the question, IF you are serious about maintaining them that long. The former are actually very good from a security / long life perspective though so far out of manufacture they are a dying breed. Newer stuff, well; the early-2000s capacitor plague is a thing, so many units installed even 20 years ago are bin fodder now.

        And support contracts are fun too, suppliers want you to get their latest and greatest IP connected box to sell you updates every 5 years. Almost the root of the problem, anyone?

  2. Doctor Syntax Silver badge

    Advertise for a cybersecurity manager and simultaneously advertise that you might not have had one previously. A bit like painting a target on your back.

    1. Pascal Monett Silver badge

      If I'm not mistaken, that target has already been bull's-eyed.

  3. NoneSuch Silver badge
    Devil

    I suspect the compensation package will be much more "generous" now.

    1. Mike 137 Silver badge

      Maybe not

      "I suspect the compensation package will be much more "generous" now."

      Practically no organisation actually learns from data breaches or really adapts after them. They just fire and hire "responsible" personnel and then carry on much as before.

      As one who has attempted to improve security in numerous enterprises, I find that the fundamentals that underpin vulnerability are cultural, not technical. So taking on a new (or replacement) technical expert post-breach most likely leads not to improved security but to increasing frustration of the said expert as they establish that they can't get anything significant changed for the better because of management inertia.

      The prime example is Equifax, whose management processes were so sloppy that they couldn't even find out whether they were vulnerable having been alerted to the hazard, and they had let a primary intrusion detection mechanism cease to function for months without noticing. And that's just the pinnacle of a pointy-haired pyramid of management failures. The specific exploit they fell foul of was just one of many possibles, given that their security was effectively unmanaged.

      1. SotarrTheWizard

        Re: Maybe not

        Tell me about it. The C-suite demanding admin access to their boxes, and the ability to install any software they want.

        Marketing demanding that they can access their personal email via a webmail client.

        BYOD.

        Need I go on ??

      2. Anonymous Coward

        Re: Maybe not

        When somewhere close to my heart (and paycheque) had a bit of a security "incident", lessons were most definitely learnt. Lots of changes, policies, etc. were put in place to try and stop all sorts of nasty stuff.

        As a side effect it obviously raised the concept of cyber/information security within the company and so when things suit my needs I hitch my changes to that flag and get what I want pushed through (after years of having the same things kyboshed because no-one else cared).

      3. Marshalltown

        Re: Maybe not

        The issue with many security systems is that they necessarily implement some form of tighter access control. That has its upsides and downsides. It may very well be more secure against intrusion (physical or electronic), but if the implementation also makes it even slightly more onerous for the users and clients then 1) many users start to look for short cuts, or easier means of achieving an end; and 2) clients conclude the effort is worth less than the reward and start to look elsewhere. So, poorly implemented security measures from the point of view of those who have to deal with them. People start writing down "more secure" gibberish passwords that are hard or impossible to memorize except by savants, meaning the "keys" to the kingdom can be on a thumb drive or a slip of paper.

        I used to war drive around the city where I live and the unsecured access points were most numerous in state government buildings. I pointed this out to a friend who worked for a state agency and was actually responsible for helping maintain security, eliminating viruses, trojans, etc. He told me that the biggest problems were work bottlenecks, issues such as one printer available to anywhere from ten to sometimes 50 personnel! Bureaucracies run on paperwork. So people would bring a personal printer, usually run off an unauthorized personal router, in order to meet deadlines. Effectively their wireless routers created back doors into secure systems. The security staff were running their legs off suppressing this, but the people committing the acts were also the most productive. So, they might be chewed out by a superior, but you can't shoot the cow and improve milk production.

        He said they were continually monitoring this (war driving themselves). There were other security problems as well. He had spent a month chasing a virus source that seemed to skip around town from one building to another, but always within the same unit. The head of said unit was complaining bitterly about this. In desperation my buddy created a board tracking dates of new outbreaks in places previously cleared, sometimes several times. It finally emerged that the very complaining supervisor had been carrying around a 3.5-inch disk from section to section of the unit to "backup work" and "monitor" work progress. The floppy was one from his home (to save the unit budget, he said). Ultimately my friend had to physically catch the supervisor inserting the disk and have him stop while the disk was scanned. Some of the unit sections affected had physical access limitations that required authorization before a person could physically enter the building or suite. So the problem was the fellow who was the boss of the unit.

        1. Doctor Syntax Silver badge

          Re: Maybe not

          "The "keys" to the kingdom can be on a thumb drive or a slip of paper."

          If the contents of the thumb drive are the database for a password manager such as KeePassX it's not necessarily a problem. The problem might be a keylogger in the device via which access is gained but that's not a problem specific to the password manager.

  4. Version 1.0 Silver badge
    Trollface

    I wonder if someone saw the advert, thought that they must be vulnerable, and sent an email, "I have tremendous cybersecurity experience, please follow this link to download my resume, it's encrypted so you will have to click OK to view it" ... ?

    1. Ken Moorhouse Silver badge
      Holmes

      Re: I wonder if someone saw the advert

      We will never know whether you are right or not, but it is highly plausible.

  5. TimMaher Silver badge
    Coat

    Gold Waterfall?

    Someone's taking the piss.

    1. Chairman of the Bored

      Re: Gold Waterfall?

      I thought that, too. I also wondered if I am supposed to recall the golden shower Donald Trump [allegedly] got in Mother Russia.

      If so, hats off to the bloke who came up with the Gold Waterfall handle. I have respect!

  6. FuzzyTheBear
    Joke

    Check Employment notices ..

    great tip for wanna be ransomwarists .. check company websites .. if they are looking for people in security , mark them as a possible target 8)

    1. sanmigueelbeer

      Re: Check Employment notices ..

      I would not be considering this as a "joke". I would even go much further by saying the Cybersecurity position could have been the source of the "ingress", i.e. DarkSider submitted a compromised Word document disguised as a CV.

  7. A random security guy

    I wonder if oil companies made more money

    Just like in the Texas freeze, where some companies made a lot of money, I wonder if people made a lot of money off the scarcity and fear.

    Apart from that, they have to spend billions upgrading the equipment in the field. Why bother. That is the cynic in me. I see this every time.

  8. Jason Hindle

    Someone dodged a bullet

    Imagine having to deal with that first day on the job.

  9. badgames

    Obliviousness of management

    I worked in the electric utility industry on SCADA systems (power grid and generation control) and couldn't believe that they wanted management access into the SCADA system. Transfer as much data for analysis, playtime, etc. through one-way fiber (I don't hook up return line) to another system, but SCADA should be isolated, as should be any control system. Pointy hairs thought that was paranoid, but then they also wanted to run SCADA on Windows...

    1. Doctor Syntax Silver badge

      Re: Obliviousness of management

      "Pointy hairs thought that was paranoid"

      The first requirement for the job. Paranoia is essential, mere vigilance is not enough.

  10. Pascal Monett Silver badge

    "assuming it was filled before the attack"

    Whether it was filled before or after the attack, the poor sod is going to have a helluva start.

  11. low_resolution_foxxes

    It also raises the question, was there a previous manager who was sacked?

    Wouldn't be the 1st IT guy who was kicked out and then, surprisingly, a computer crisis shuts down the company.

  12. Morrie Wyatt
    Black Helicopters

    On the bright side.

    Whoever does end up with the job has a better chance of being listened to seriously when they point out security issues.

    Doesn't mean that they will follow through on any recommended actions though.

    There's always that managerial type person convinced that it will never happen to them. (Until it does of course. Then it is open season on scapegoats.)

    1. A random security guy

      Re: On the bright side.

      They will listen and do whatever they were doing before. The mandate has to come from the CEO and the board. Really the board has to politely tell the CEO that he needs to have the problem fixed. The CEO has to tell the yearly compensation and review committee that security has to be part of the employee KPI.
