An Open Letter to National Critical Infrastructure Leaders: The Colonial Pipeline Attack is a Wake Up Call
Paul Vallee
May 14, 2021
This is an open letter to Canada’s senior technology leadership in the utilities, telecommunications, financial and healthcare sectors making up our national critical infrastructure.
We are in receipt of a wake-up call and the time to act is now.
In today’s world, critical infrastructure everywhere is vulnerable and under attack. Remote work has amplified the risks.
Neither the Colonial Pipeline cybersecurity attack over the weekend, nor the foiled cyber-terrorist attempt to poison a city’s potable water source in a Florida water filtration plant in early February are outliers.
Imagine a state of future-war. Is it being waged with tanks and submarines? Are the targets our army bases and military? Are we crystal clear on what country is attacking us? Or does future-war look exactly like now?
Cyber hackers, either nation-state-backed or economic opportunists, are exploiting weak investments in security, procedures, and tooling. Key point: Cyber attacks by nation-state actors will not involve soldiers holding a flag or wearing a uniform. They will appear exactly like the Colonial Pipeline situation.
Electricity grids, financial systems, hospitals, transportation networks, and nuclear stations have already been attacked in several cities across the globe. In this letter we join a global chorus of voices urging critical infrastructure leaders to rise to the occasion and address these very real threats to our society and invest proportionately.
As reported in Florida at the water filtration plant, hackers were successful in exploiting an outdated version of Microsoft Windows and a weak cybersecurity network. The Colonial Pipeline attack is suspected to have been executed via VPN and traditional Remote Access Tools vulnerabilities, both optimized for easy access and not for security.
John Cusimano, vice president at aeCyberSolutions, said that cybersecurity in the pipeline industry is “far behind that of other energy sectors,” noting that a common problem is “the lack of segmentation of the pipeline supervisory control and data acquisition networks,” which “connect the pipeline control center to every terminal, pumping station, remote isolation valve and tank farm along the pipeline.”
Equally challenging for IT and security leaders are the multiple tools and security solutions they need to manage, maintain, upgrade, and keep fully compatible with the latest security, firmware, and software updates. One missed library update can open a massive hole into an organization, one that is exploited repeatedly until the victim is held to ransomware payments, or that persists for months or years while cyber espionage steals secrets.
So what can be done about this? How can leaders sleep well at night knowing their economy’s critical infrastructure is safe, yet still conduct the business they need to ensure the lights stay on, the fuel continues to flow, bills get paid, and the water stays clean?
The CIO Strategy Council has developed critical standards that are focused on innovation and technological solutions to some of the most pressing data, systems, and infrastructure security challenges.
CAN/CIOSC 100-2:2020 Third Party Access to Data: This standard addresses data governance on third-party access to data and ensures that when third parties are authorized to access critical data systems, that access is authorized, supervised and secure.
CIOSC/PAS 100-4:2020 Specification for Scalable Remote Access Infrastructure: This standard lays out requirements to mitigate security risks associated with, and scalability demands upon, enterprise technologies used for remote access.
CAN/CIOSC 103-1:2020 Digital Trust and Identity: This standard specifies minimum requirements and controls for creating and maintaining trust in digital systems and services that assert and/or consume Identity and Credentials.
Universal adherence to these standards would dramatically improve our posture and ability to ensure our society can rely on our national critical infrastructure.
Canada is not immune to future catastrophes like the Colonial Pipeline attack. We hereby call on all national critical infrastructure technology and business leaders to mandate adherence to these standards. To show your support and join this mission, add your name below.
Signed,
Paul Vallee, Tehama, Inc.
About The Signatories:
About Tehama
Tehama enables organizations to accelerate the adoption of the CIO Strategy Council Standards. At the core of Tehama is a unique architecture that creates a secure perimeter around a virtual room, and within that room, users can access secure virtual desktops. The fully auditable platform includes all the controls and capabilities required to quickly onboard, manage, scale, secure, and audit a global workforce or third-party vendor. When using Tehama every detail can be captured and recorded for forensic auditing, playback, and analysis, thus preserving the chain of trust. Learn more about Tehama.
Katherine Thompson, Cyber Future Foundation
Dmitry Raidman, Security Architecture Podcast
Evgeniy Kharam, Security Architecture Podcast
Security Architecture Podcast was founded to help security professionals learn about available solutions on the market while removing the marketing fog created by the vendors of the solution. If you are like us, you have probably been struggling with the gap between what marketing says a security technology will do, to fully testing and evaluating solutions before you make a decision, and then seeing something different when you actually implement the solution in your environment. It is our goal to influence the security industry, or at least provide you with some better information to help you make a better decision when you are looking at all the security technologies.
Ian L. Paterson, CEO Plurilock Security Inc.
Plurilock provides identity-centric cybersecurity for today’s workforces. Plurilock offers world-class cybersecurity solutions paired with AI-driven, cloud-friendly security technologies that deliver persistent identity assurance with unmatched ease of use. The Plurilock family of companies enables organizations to operate safely and securely while reducing cybersecurity friction.
Tony Kanjirappally, Red Canari
Red Canari is a highly technical, research-led cybersecurity firm headquartered in Ottawa, Canada. Our security professionals are experts in their fields and have authored globally adopted security tools. They passionately share their research in speaking roles at internationally renowned conferences including Black Hat and DEF CON. Our experts pioneer solutions that advance cyber resilience at key organizations in the aviation, financial, energy, and health care sectors. We are trusted to work on sensitive, classified projects for key government departments and agencies, as well as the military command, by the Canadian Industrial Security Directorate, the Controlled Goods Program and the North Atlantic Treaty Organization. Red Canari provides cybersecurity services that will help your organization strengthen its resiliency, respond to attacks from potential threats, and recover quickly to resume regular business operations.
Christopher S. Kayser, Cybercrime Analytics Inc.
Christopher is Founder, President & CEO of Cybercrime Analytics Inc., an Alberta-based cybersecurity organization that provides consulting, education, research, and expert witness services. He holds a Masters in Criminal Justice, Cybercrime Investigation and Cybersecurity and Graduate Certificate in Cybercrime Investigation and Cybersecurity from Boston University, and is a member of the Honors Society of Criminal Justice. His memberships include: CATA Alliance, CATA’s eCrime Cyber Council, ASC (American Society of Criminology), ACJS (Academy of Criminal Justice Sciences), and the CIC (Center for Cybercrime Investigation & Cybersecurity), and he is a member of the Editorial Review Board of the IJCIC (International Journal of Cybercrime Investigation and Cybersecurity), and IJCC (International Journal of Cyber Crime). He is the author of Cybercrime through Social Engineering – The New Global Crisis, and his RESCAT theory (Required Elements for a Social Engineered Cyber Attack Theory) is recognized as an important contribution to the study of cybercrimes incorporating social engineering. Chris’ ongoing research continues to address the human element as it pertains to cyber-victimization. Chris continues to present to public, private, and government organizations globally.
Sharon Polsky MAPP
Sharon is president of the Privacy and Access Council of Canada; a Privacy by Design Ambassador; Vice-Chair of the CIO Strategy Council Technical Committees for Privacy & Access Control Standards and for the Canadian Information Privacy Protection Framework; co-author of the Standards Council of Canada’s General Data Protection Regulation Guidance for Canadian Businesses; a member and former executive member of the Canadian Bar Association, Alberta Privacy and Access Law Section; and former vice-president of the Rocky Mountain Civil Liberties Association. She holds Canada’s most senior professional privacy designation, Master Access and Privacy Professional (MAPP), and has more than 25 years’ experience advising corporations, governments, public bodies, Senate and legislative committees about implications and unintended consequences of emerging laws, technologies, and global trends in privacy, data governance, information security, cyber liability, and civil liberties, and is frequently invited by local and national media for her insights about those issues.
Privacy and Access Council of Canada is the voice for privacy and access and the certifying body for access and privacy professionals. PACC is independent, non-profit, non-partisan, non-government, and dedicated to the development and promotion of the access-to-information, information privacy, and data protection profession across the private, nonprofit, and public sectors.
Kathy Macdonald, M.O.M.
Kathy is a retired police officer with over three decades of investigative and crime prevention experience. Her company, Global Cyber Security Courses Inc., builds awareness about the importance of cybercrime prevention. Kathy’s book titled, Cybercrime: Awareness, Prevention, and Response, is a comprehensive Canadian resource discussing cybercrime and its effect on individuals, businesses, governments institutions, and organizations. The Governor General of Canada invested Kathy with the Member of the Order of Merit of the Police Forces and she was named one of the Top 20 Women in Cyber Security 2020 – Canada.
Iain Paterson, CEO Cycura
Cycura is a specialized, offensive focused, cybersecurity company headquartered in Toronto. We service clients across Canada, America, Europe and Hong Kong, helping them to identify technical weaknesses in their networks and applications. We work nationally with Law Enforcement agencies to address the rising cybercrime problem faced by Canadians. Our mandate is to educate businesses and help them establish a better, more proactive, position to defend themselves against cyber attacks. Cycura is part of the growing WELL Health family of companies, and spearheads their cybersecurity business unit, alongside our subsidiary company, Source 44.
David Perry, CTO CATA Alliance
CATA is a trusted national industry alliance with a mandate to help Canadian innovation thrive. We grow commercial capabilities and access for homegrown technology businesses. The alliance brings together industry and thought leaders with academic and policy experts to advocate for Canadian competitiveness and promote a bold, confident podium culture.
Rafal Rohozinski, CEO SecDev Group and Zeropoint Security
SecDev is an agile research and innovation firm helping clients navigate digital-geopolitical, geospatial and geodigital risk. SecDev builds value through innovation in strategic foresight, data science and urban analytics. SecDev’s team is fluent in technology, global in scope and results-oriented. SecDev empowers clients, such as national governments, technology companies and international organizations, to make informed choices that deliver value in the digital-urban age.
Jeff Adam, O.O.M., CEO Jeff Adam Consulting
Jeff is a retired Assistant Commissioner from the Royal Canadian Mounted Police after a 33-year career. During his career, he was chair of the Five Eyes Law Enforcement Working Group on Going Dark, and a founding member of the Five Eyes Law Enforcement Cybercrime Working Group. He was Chair and Co-Chair for 8 years of the Canadian Association of Chief of Police E-Crimes Committee, which had cybercrime, digital forensics and Warranted Interception sub-committees. Also a strong participant in the CATA Alliance, Jeff has spoken on Cyber Security and Cyber Crime Investigation and Prevention topics for many years.
Danny Timmins, CISSP, MNP National Cyber Security Leader, Partner
Danny has been a certified CISSP for over 10 years and was a co-founder of NCI Secured Intelligence before merging with MNP. As CEO/President of NCI for 16 years, Danny was mandated with driving the company forward through his leadership and vision. Danny has been in the Information Technology business for over 23 years.
Respected within the Cyber Security community, Danny travels across North America to attend, and often speak, at various industry events to share his knowledge and collaborate as to the direction of Cyber Security in the marketplace. Danny was a former member of the National CATA Cyber Security Council working to further Cyber Security within Canada. Danny also sits on the National C212 (Canadian Cyber Security Innovation Institute) working to further Cyber Security for Canadians.
Danny’s desire to lead and share goes beyond business to the community where he lives and works. With over 28 years as a volunteer, he always brings a strong work ethic and enthusiasm to both the business and the community.