Did Colonial Pipeline hack shape India’s cybersecurity strategy?

June 1, 2024
2 mins read



TLDR:

  • The Colonial Pipeline attack highlighted the importance of preventive cybersecurity measures.
  • India needs to adopt proactive strategies to protect critical infrastructure.

Three years after the Colonial Pipeline ransomware attack, India is facing increasing cyber threats on its critical infrastructure. Despite high-profile incidents, such as attacks on AIIMS and the G20 website, vulnerabilities in India’s systems persist. While some organizations are making policy changes and the government has increased its cybersecurity budget, there is still a need for proactive security measures.

Article:

Three years have passed since the reported ransomware attack on America’s largest fuel pipeline — Colonial Pipeline. The pipeline, carrying 2.5 million barrels of fuel daily, shut down its operations for six days due to the attack. But what does this attack have to do with India’s critical infrastructure?

The Colonial Pipeline attack was indicative of how disruptions of privately owned infrastructure can have a massive economic impact. Despite high-profile attacks like this to learn from, India continues to experience a surge in cyberattacks on critical infrastructure. Incidents involving AIIMS, NAL, the G20 website, and more demonstrate the vulnerabilities present in these systems. Last year alone, India saw 429,847 cyberattacks on financial services organisations, with 70 government websites—across both Union and state governments—being hacked. So, where is India falling short? Are the IT and operational technology (OT) systems controlling critical infrastructure more or less secure today? Compared to three years ago, what lessons should have been learned?

While some organisations in India have made policy changes to enhance cybersecurity, institutional inertia has slowed the implementation of these changes. In 2024, only a third of Indian organisations plan to invest in OT security. Such monumental changes typically gain the necessary momentum when governmental regulation is added. In this direction, the Indian government introduced the Cyber Security Bill in Parliament in March this year. Additionally, the government has significantly increased its cyber budget, allocating $2.5 billion towards cybersecurity in the 2024-25 interim budget—a 29% increase from the previous fiscal year. However, merely complying with regulatory norms is not enough. These norms should serve as a framework for security, but critical assets can only be well-protected when organisations adopt proactive, preventive security strategies.

With a single VPN account and a stolen password, ransomware actors were able to bring down operations of the Colonial Pipeline for six days. Critical infrastructure organisations bear the responsibility to proactively identify and mitigate security risks before they can be exploited. Having a comprehensive understanding of where risks exist, and their impact on other assets, ensures that organisations are better equipped to make meaningful decisions about how, when and where to implement security controls. Whether that’s by implementing stateful tokens, regularly rotating encryption keys, or adhering to industry standards, organisations can leverage the visibility into risks provided with exposure management to fortify their defences against credential-based attacks and unauthorised access attempts.

Government must play a stronger role in deterrence, including attributing attacks and establishing countermeasures. These efforts must be driven by preventive security strategies for better collaboration. Transparency and accountability are critical components of an effective collaboration. Regular disclosure of CVEs within critical infrastructure is imperative to assess and mitigate potential risks effectively. Failure to address vulnerabilities promptly undermines trust and transparency, perpetuating systemic weaknesses within the infrastructure.

What India needs is effective regulation for transparency and standards of care that can foster a culture of preventive security so effective risk management practices are in place.


Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and