TechLetters #27 - ransomware vs pipelines, vs healthcare - with no politics inside; is ramping up cybersecurity possible?
Editorial
Security
Pipeline cyberattack. Colonial Pipeline was hit by a ransomware infection. The attack on this American fuel pipeline operator led to regional emergency measures meant to keep fuel supply stable, “due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States”.
“Our goal is to make money and not creating problems for society,” said the ransomware operators. The thing is, even if they are not concerned with “politics”, these days politics tends to be interested in such affairs. Perhaps out of an abundance of caution (?), the Russian government said that “they had nothing” to do with this cyberattack. Colonial Pipeline reportedly paid about $5M in ransom, but was not entirely happy with the purchase:
Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.
Russian MFA hacked. The Russian Ministry of Foreign Affairs was hacked. As a result, documents were stolen: "passport details of employees, work reports, instructions for negotiations and other confidential documents". They have already been leaked on the darknet.
Majestic Wi-Fi bug. Security design flaws have been found in many Wi-Fi stacks, meaning that many devices are vulnerable, some of them old (“several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997”) and some of them never to be updated. Exploitation requires being within radio range of the target. (paper)
Cybersecurity EO. The USA issued an Executive Order on "Improving the Nation’s Cybersecurity". Among other things, it addresses public procurement, i.e. money:
(c) The recommended contract language and requirements described in subsection (b) of this section shall be designed to ensure that:
(i) service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements
Such changes will have broad impacts.
Ransomware and Irish healthcare. A cyberattack (ransomware incident) targeted the Irish Health Service Executive (the public health and social service for the whole of Ireland). Systems were brought down, partly as a precaution. Many appointments were cancelled. The impact is serious: “Tens of thousands of patients across the country, many ill with cancer and heart disease, risk having their life-saving treatment disrupted”, “17,000 hospital patients a day will be affected”. Cancellations were significant, with thousands of appointments impacted at dozens of hospitals. Medical diagnostics such as imaging were prominently cancelled; this is not a coincidence, since such services are computer-operated or computer-aided, possibly on a legacy, obsolete and vulnerable Windows operating system. A ransom has been demanded, but HSE will not pay: it is the policy of Ireland not to pay ransoms. So assuming that the perpetrators were after money, their choice of target was quite sub-optimal, because they will not get the money.
Air-gap is a myth. Air-gaps are often presented as the magic solution to cybersecurity risk. Just disconnect (physically or logically separate) some systems so intrusion becomes impossible. Unfortunately, air-gaps are often untenable in practice.
What about pipelines, such as Colonial? To understand why an air gap is nonsensical in this case, we need to understand that a pipeline consists of multiple, communicating components which must work together as a system to enable monitored, safe, reliable operations. The combination of pipeline collection, gate station, and compressor station components must communicate to a control center to govern the entire system, with sensor data and other feeds enabling visibility into operations. For a commercial pipeline that is thousands of miles long with hundreds of such facilities, an “air gapped network” is simply implausible, and if implemented would likely introduce sufficient operational friction and delay as to make operations less efficient and potentially even less safe.
Technology Policy
Ethical automatic decision making. The UK’s Bureau of AI issued guidelines to consider when using algorithmic systems capable of automated decision making, in line with GDPR:
Test to avoid any unintended outcomes or consequences.
Deliver fair services for all of our users and citizens.
Be clear who is responsible.
Handle data safely and protect citizens’ interests.
Help users and citizens understand how it impacts them.
Ensure that you are compliant with the law.
Build something that is future proof.
Online Harms Bill. The UK Online Safety Bill will make certain online services a regulated field. For example, it prohibits the arbitrary banning of profiles/pages of politicians/parties. It's about privacy, freedom of speech, and risk. A rough European equivalent of the bill is the Digital Services Act. Non-compliance with the Bill will be costly, with fines of up to £18 million or 10% of worldwide revenue. The bill will also make specific company Senior Managers personally liable.
Other
In case you feel it's worth forwarding this letter further, I leave this thingy below: