An Open Letter to National Critical Infrastructure Leaders: The Colonial Pipeline Attack is a Wake Up Call.
Paul Vallée
Founder and CEO of Tehama, the world's only all-in-one cybersecurity platform delivering compliant and secure access to desktops, data and applications | Senior Fellow, CIGI | Member, Digital Governance Council of Canada
This is an open letter to Canada’s senior technology leadership in the utilities, telecommunications, financial and healthcare sectors making up our national critical infrastructure.
We are in receipt of a wake-up call and the time to act is now.
In today’s world, critical infrastructure everywhere is vulnerable and under attack. Remote work has amplified the risks.
Neither the Colonial Pipeline cybersecurity attack over the weekend, nor the foiled cyber-terrorist attempt to poison a city’s potable water source at a Florida water filtration plant in early February, is an outlier.
Imagine a state of future-war. Is it being waged with tanks and submarines? Are the targets our army bases and military? Are we crystal clear on what country is attacking us? Or does future-war look exactly like now?
Cyber hackers, either nation-state-backed or economic opportunists, are exploiting weak investments in security, procedures, and tooling. Key point: Cyber attacks by nation-state actors will not involve soldiers holding a flag or wearing a uniform. They will appear exactly like the Colonial Pipeline situation.
Electricity grids, financial systems, hospitals, transportation networks, and nuclear stations have already been attacked in several cities across the globe. In this letter we join a global chorus of voices urging critical infrastructure leaders to rise to the occasion and address these very real threats to our society and invest proportionately.
As reported in Florida at the water filtration plant, hackers were successful in exploiting an outdated version of Microsoft Windows and a weak cybersecurity network. The Colonial Pipeline attack is suspected to have been executed via VPN and traditional Remote Access Tools vulnerabilities, both optimized for easy access and not for security.
John Cusimano, vice president at aeCyberSolutions, said that cybersecurity in the pipeline industry is “far behind that of other energy sectors,” noting that a common problem is “the lack of segmentation of the pipeline supervisory control and data acquisition networks,” which “connect the pipeline control center to every terminal, pumping station, remote isolation valve and tank farm along the pipeline.”
Equally challenging for IT and security leaders are the multiple tools and security solutions they need to manage, maintain, upgrade, and keep fully compatible with the latest security, firmware, and software updates. One missed library update can open a massive hole into an organization, one that is exploited repeatedly until the victim is held to ransomware payments, or that persists for months or years while cyber espionage steals secrets.
So what can be done about this? How can leaders sleep well at night knowing their economy’s critical infrastructure is safe, yet still conduct the business they need to ensure the lights stay on, the fuel continues to flow, bills get paid, and the water stays clean?
The CIO Strategy Council has developed critical standards that are focused on innovation and technological solutions to some of the most pressing data, systems, and infrastructure security challenges.
CAN/CIOSC 100-2:2020 Third Party Access to Data: This standard addresses data governance on third-party access to data and ensures that, when third parties are authorized to access critical data systems, that access is authorized, supervised and secure.
CIOSC/PAS 100-4:2020 Specification for Scalable Remote Access Infrastructure: This standard lays out requirements to mitigate security risks associated with, and scalability demands upon, enterprise technologies used for remote access.
CAN/CIOSC 103-1:2020 Digital Trust and Identity: This standard specifies minimum requirements and controls for creating and maintaining trust in digital systems and services that assert and/or consume Identity and Credentials.
Universal adherence to these standards would dramatically improve our posture and ability to ensure our society can rely on our national critical infrastructure.
Canada is not immune to future catastrophes like the Colonial Pipeline attack. We hereby call on all national critical infrastructure technology and business leaders to mandate adherence to these standards. To show your support and join this mission, add your name below.
Signed,
Jeff Adam, O.O.M., CEO Jeff Adam Consulting
Katherine Thompson, Cyber Future Foundation
Dmitry Raidman, Security Architecture Podcast
Evgeniy Kharam, Security Architecture Podcast
Ian L. Paterson, CEO Plurilock Security Inc.
J. Paul Haynes, P.Eng. President and Chief Operating Officer, eSentire Inc.
Tony Kanjirappally, Red Canari
Christopher S. Kayser, Cybercrime Analytics Inc.
Iain Paterson, CEO, Cycura Inc.
David Perry, CTO, CATA Alliance
Rafal Rohozinski, CEO SecDev Group and Zeropoint Security
Danny Timmins, CISSP, MNP National Cyber Security Leader, Partner
About the signatories
Paul Vallée, Tehama, Inc.
Paul Vallée is a CIGI senior fellow and the founder and CEO of Tehama.
Paul is a serial entrepreneur who has spent his career at the forefront of cutting-edge technologies that enable the exchange of work over the internet. In 1997, he founded Pythian, a data-centric services business with a focus on remote work. Under his leadership, the company developed groundbreaking tools that enable remote teams to work and interact seamlessly and securely across multiple continents. Tehama was born at Pythian, launched to the public in 2018 and, due to rapid adoption of the platform, spun out to become fully independent in 2019. Paul is active in the Council of Canadian Innovators and the CIO Strategy Council, and serves on the board of the Basic Income Canada Network. In 2016 he was named Diversity Champion of the Year by Women in Technology and Communications.
BGen (Retired) Robert Mazzolin Ph.D., P.Eng., OMM, CD, SMIEEE, Chief Cyber Security Strategist RHEA Group
BGen (Ret’d) Mazzolin currently serves as the Chief Cyber Security Strategist for the RHEA Group, a space system engineering and cyber security organization that advises and delivers secure solutions to large enterprises, governments and institutions in Europe, Canada and other parts of the globe.
He retired from the Canadian Armed Forces after serving as the Vice Director of Strategic Plans and Policy at United States Cyber Command at the National Security Agency in Fort Meade, Maryland. Notable appointments include the Director General Information Management Operations responsible for all CAF and DND strategic network, signals intelligence, electronic warfare and cyber operations, Commander of the Canadian Forces Information Operations Group, Director Land Command Systems Program Management, Commanding Officer Canadian Forces Station Leitrim and Canadian Forces Signals Intelligence Operations Centre. He served in a variety of other Command and Staff roles and was one of the Canadian Forces leading experts in Communications and Information systems, Signals Intelligence, Network Operations and Electronic Warfare.
Jeff Adam, O.O.M., CEO Jeff Adam Consulting
Jeff is a retired Assistant Commissioner from the Royal Canadian Mounted Police after a 33-year career. During his career, he was chair of the Five Eyes Law Enforcement Working Group on Going Dark, and a founding member of the Five Eyes Law Enforcement Cybercrime Working Group. He was Chair and Co-Chair for 8 years of the Canadian Association of Chiefs of Police E-Crimes Committee, which had cybercrime, digital forensics and Warranted Interception sub-committees. Also a strong participant in the CATA Alliance, Jeff has spoken on Cyber Security and Cyber Crime Investigation and Prevention topics for many years.
Katherine Thompson, Cyber Future Foundation
As one of Canada’s most passionate and influential voices surrounding the issues and opportunities related to cyber security in Canada, Katherine Thompson has taken a leading role in helping Canadians understand the risks and rewards associated with the digital economy. As Head of Global Ecosystems for Cyber Future Foundation, a global cyber security industry association, Katherine is regularly called upon to speak on the current state of cyber security in Canada and key issues including security of critical infrastructure, breach management, risks for small to medium sized enterprise, the growing labor and skills shortage and ensuring Canada’s economic prosperity through cyber initiatives. Katherine sits on several boards including Cyber Titans, Hackers for Changes and Canadian Women in Cyber Defense.
Dmitry Raidman, Security Architecture Podcast
Evgeniy Kharam, Security Architecture Podcast
Security Architecture Podcast was founded to help security professionals learn about available solutions on the market while removing the marketing fog created by the vendors of the solution. If you are like us, you have probably been struggling with the gap between what marketing says a security technology will do, to fully testing and evaluating solutions before you make a decision, and then seeing something different when you actually implement the solution in your environment. It is our goal to influence the security industry, or at least provide you with some better information to help you make a better decision when you are looking at all the security technologies.
Ian L. Paterson, CEO Plurilock Security Inc.
Plurilock provides identity-centric cybersecurity for today’s workforces. Plurilock offers world-class cybersecurity solutions paired with AI-driven, cloud-friendly security technologies that deliver persistent identity assurance with unmatched ease of use. The Plurilock family of companies enables organizations to operate safely and securely while reducing cybersecurity friction.
J. Paul Haynes, P.Eng.
President and Chief Operating Officer, eSentire Inc.
J. Paul Haynes was drawn to eSentire with a vision to create a disruptive cybersecurity company. He successfully partnered with growth capital firms to invest in and scale eSentire to become the world’s largest pure-play Managed Detection and Response (MDR) provider and market leader. eSentire employs 450 staff and protects over 1000 customers ranging from finance to electric utilities. J. Paul is a professional engineer with a 30-year entrepreneurial track record of success. His business acumen, in-depth understanding of technology, and strong leadership have made him a respected and reliable voice on the topic of cybersecurity in North America and Europe.
J. Paul holds both a B.Sc. and M.Sc. in Engineering from the University of Guelph. He is also a proud alumnus serving on the Board for the M.Sc. in Cyber Security at the University of Guelph and is a Board Director for Technation.
Tony Kanjirappally, Red Canari
Red Canari is a highly technical, research-led cybersecurity firm headquartered in Ottawa, Canada. Our security professionals are experts in their fields and have authored globally adopted security tools. They passionately share their research in speaking roles at internationally renowned conferences including Black Hat and DEF CON. Our experts pioneer solutions that advance cyber resilience at key organizations in the aviation, financial, energy, and health care sectors. We are trusted to work on sensitive, classified projects for key government departments and agencies, as well as the military command, by the Canadian Industrial Security Directorate, the Controlled Goods Program and the North Atlantic Treaty Organization. Red Canari provides cybersecurity services that will help your organization strengthen its resiliency, respond to attacks from potential threats, and recover quickly to resume regular business operations.
Christopher S. Kayser, Cybercrime Analytics Inc.
Christopher is Founder, President & CEO of Cybercrime Analytics Inc., an Alberta-based cybersecurity organization that provides consulting, education, research, and expert witness services. He holds a Masters in Criminal Justice, Cybercrime Investigation and Cybersecurity and Graduate Certificate in Cybercrime Investigation and Cybersecurity from Boston University, and is a member of the Honors Society of Criminal Justice. His memberships include: CATA Alliance, CATA’s eCrime Cyber Council, ASC (American Society of Criminology), ACJS (Academy of Criminal Justice Sciences), and the CIC (Center for Cybercrime Investigation & Cybersecurity). He is also a member of the Editorial Review Board of the IJCIC (International Journal of Cybercrime Investigation and Cybersecurity), and IJCC (International Journal of Cyber Crime). He is the author of Cybercrime through Social Engineering - The New Global Crisis, and his RESCAT theory (Required Elements for a Social Engineered Cyber Attack Theory) is recognized as an important contribution to the study of cybercrimes incorporating social engineering. Chris’ ongoing research continues to address the human element as it pertains to cyber-victimization. Chris continues to present to public, private, and government organizations globally.
Sharon Polsky, MAPP
Sharon is president of the Privacy and Access Council of Canada; a Privacy by Design Ambassador; Vice-Chair of the CIO Strategy Council Technical Committees for Privacy & Access Control Standards and for the Canadian Information Privacy Protection Framework; co-author of the Standards Council of Canada’s General Data Protection Regulation Guidance for Canadian Businesses; a member and former executive member of the Canadian Bar Association, Alberta Privacy and Access Law Section; and former vice-president of the Rocky Mountain Civil Liberties Association. She holds Canada’s most senior professional privacy designation, Master Access and Privacy Professional (MAPP), and has more than 25 years’ experience advising corporations, governments, public bodies, Senate and legislative committees about implications and unintended consequences of emerging laws, technologies, and global trends in privacy, data governance, information security, cyber liability, and civil liberties, and is frequently invited by local and national media for her insights about those issues.
Privacy and Access Council of Canada is the voice for privacy and access and the certifying body for access and privacy professionals. PACC is independent, non-profit, non-partisan, non-government, and dedicated to the development and promotion of the access-to-information, information privacy, and data protection profession across the private, nonprofit, and public sectors.
Kathy Macdonald, M.O.M.
Kathy is a retired police officer with over three decades of investigative and crime prevention experience. Her company, Global Cyber Security Courses Inc., builds awareness about the importance of cybercrime prevention. Kathy’s book titled, Cybercrime: Awareness, Prevention, and Response, is a comprehensive Canadian resource discussing cybercrime and its effect on individuals, businesses, governments institutions, and organizations. The Governor General of Canada invested Kathy with the Member of the Order of Merit of the Police Forces and she was named one of the Top 20 Women in Cyber Security 2020 - Canada.
Iain Paterson, CEO Cycura
Cycura is a specialized, offensive focused, cybersecurity company headquartered in Toronto. We service clients across Canada, America, Europe and Hong Kong, helping them to identify technical weaknesses in their networks and applications. We work nationally with Law Enforcement agencies to address the rising cybercrime problem faced by Canadians. Our mandate is to educate businesses and help them establish a better, more proactive, position to defend themselves against cyber attacks. Cycura is part of the growing WELL Health family of companies, and spearheads their cybersecurity business unit, alongside our subsidiary company, Source 44.
David Perry, CTO, CATA Alliance
CATA is a trusted national industry alliance with a mandate to help Canadian innovation thrive. We grow commercial capabilities and access for homegrown technology businesses. The alliance brings together industry and thought leaders with academic and policy experts to advocate for Canadian competitiveness and promote a bold, confident podium culture.
Rafal Rohozinski, CEO SecDev Group and Zeropoint Security
SecDev is an agile research and innovation firm helping clients navigate digital-geopolitical, geospatial and geodigital risk. SecDev builds value through innovation in strategic foresight, data science and urban analytics. SecDev’s team is fluent in technology, global in scope and results-oriented. SecDev empowers clients, such as national governments, technology companies and international organizations, to make informed choices that deliver value in the digital-urban age.
Danny Timmins, CISSP, MNP National Cyber Security Leader, Partner
Danny has been a certified CISSP for over 10 years and was a co-founder of NCI Secured Intelligence before merging with MNP. As CEO/President of NCI for 16 years, Danny was mandated with driving the company forward through his leadership and vision. Danny has been in the Information Technology business for over 23 years.
Respected within the Cyber Security community, Danny travels across North America to attend, and often speak, at various industry events to share his knowledge and collaborate as to the direction of Cyber Security in the marketplace. Danny was a former member of the National CATA Cyber Security Council working to further Cyber Security within Canada. Danny also sits on the National C212 (Canadian Cyber Security Innovation Institute) working to further Cyber Security for Canadians.
Danny’s desire to lead and share goes beyond business to the community where he lives and works. He has over 28 years as a volunteer, always bringing a strong work ethic and enthusiasm both to the business and the community.
CTO | Quema | Building scalable and secure IT infrastructures and allocating dedicated DevOps engineers from our team
(1 year ago) Paul, thanks for sharing!
Cybersecurity & Risk, Sr. Specialist at Government CISA | CRISC | ITIL V3 Expert | GRC Expert | Lead Auditor (ISMS, ITSMS, QMS, BCMS, Risk Mgmt) | Consultant | Trainer
(3 years ago) This is a great initiative Paul and the CIO team. It is a most necessary requirement to protect critical and national infrastructure and most countries already have Critical National Infrastructure Authority to secure such assets and ensure its sustainability, resilience and that in turn provides social and economic prosperity. Also, laws and enactments need to be established, monitored, complied and maintained in this regard. Especially, with the ICS (Operations Technology-OT) more dependent on IT's growing platforms and technologies such as AI, Blockchain, IoT, Smart Grid, etc. that will bring cost effectiveness, efficiencies and advancement in OT operations. Standards and Compliance will play a big role in the maintenance of these technologies... God Bless!
Vice-President, Cloud @ Micro Logic
(3 years ago) Great perspective Paul, it is indeed time to take action and protect Canada's critical infrastructure. Now is the time.
Lead Engineer AI and Cloud (AWS | GCP)
(3 years ago) Security is an Ethos and must be imbued from the very start of any and every initiative in any company. You knitted security into Pythian's fabric decades ago and that enabled hundreds of companies to trust us to manage their highly sensitive databases online (or should I say Old Cloud). It has become a norm now with New Cloud but principles are the same. Absolutely very well written Paul Vallee, as always.