The Colonial Pipeline cyber incident was a sobering wake-up call about the critical effects a ransomware attack can have not just on a business, but on society. CEO Joseph Blount had a very difficult decision to make: to pay or not to pay.
When faced with the decision of how to respond to a ransomware attack, the focus must turn to your answers to several key decision factors. I have typically been of the opinion not to pay or negotiate, as this is what gives cyber criminals the ongoing incentive to stay in the ransomware business. Now that I’ve seen the impact of a serious attack on critical infrastructure, I’ve reeled back and realized that we have to consider many variables that make this a per-case decision and not simply a jump to “don’t pay”.
In making this decision, we look at several factors:
1. Are the organization’s key assets or services critical to society, or does it hold high-value data whose compromise may cause grave harm to a nation? In some cases, like Colonial Pipeline, profits need to come last when you have a social responsibility to provide heat for homes, a safe environment for workers and to avoid the risk of environmental disaster. The choice to shut down the pipeline was reported to be primarily because Colonial Pipeline was unable to bill for fuel output, but also to ensure the safety of pipeline workers and customers by keeping the attackers out of the OT pipeline network.
2. Does the organization have a cyber security incident response retainer? There are several options when choosing a cyber security partner for incident response services and retainers. Some come with EDR tools, IR plan development and SLAs. If you have a retainer, it is critical to understand all the roles and responsibilities of the organization, the retained third party and any additional support mechanisms before an incident occurs.
3. Does the organization have the ability to restore services without the encryption key? When considering risk to your organization, data recovery should be top of mind, not only for ransomware events but for any major incident affecting systems. If backups aren’t taken frequently and protected from the attacker, options are limited. You also need to consider how much staff effort is required for recovery and whether additional resources need to be provided by partner organizations. These costs can add up quickly if several resources are needed.
4. Does the organization have a cyber insurance plan, and if so, what is covered and what are the limitations and caveats? It is important to note that a cyber insurance plan is not a silver bullet for cyber incidents. Cyber insurance is in place to help an organization recover fiscally from the costs surrounding cyber events, such as restoration services and loss of revenue. It is important to understand the coverage and limitations regarding who can be engaged to assist with incident response and recovery, as well as the approval, and possibly the coverage, of a ransom payment.
5. Is the risk worth the reward? Let’s face it: when dealing with any type of criminal, there is no guarantee that they will deliver working encryption keys in exchange for payment, so relying on them to restore systems is a large risk.
Depending on the requested ransom amount versus the potential cost of recovery, cyber insurance providers may suggest paying the ransom rather than attempting to recover from backup or rebuild, since the insurer will typically lean towards the lower-cost option. The decision is ultimately up to the organization. There is no firm answer on paying, negotiating or not paying; it is a game-time decision that requires input from various areas of business and expertise.
There are other issues raised by the interview with the CEO.
“Though the pipeline’s flow of fuel has returned to normal, the impact of the hack hardly ended with the ransom payment. It will take months of restoration work to recover some business systems, and will ultimately cost Colonial tens of millions of dollars, Mr. Blount said, noting that it is still unable to bill customers following an outage of that system.” – Collin Eaton / Bloomberg News
Time to restore needs to become a priority goal for our industry. There has been far too little attention paid to developing a strategy for this. This will be the topic of my next blog post.