
Colonial Pipeline attack: Has it informed India’s approach to cybersecurity?

The need for India to adopt a proactive approach to cybersecurity, leveraging lessons from past incidents like the Colonial Pipeline attack to strengthen its critical infrastructure defenses.

DQINDIA Online

Three years have passed since the reported ransomware attack on America’s largest fuel pipeline — Colonial Pipeline. The pipeline, carrying 2.5 million barrels of fuel daily, shut down its operations for six days due to the attack. But what does this attack have to do with India’s critical infrastructure? 


The Colonial Pipeline attack was indicative of how disruptions of privately owned infrastructure can have a massive economic impact. Despite high-profile attacks like this to learn from, India continues to experience a surge in cyberattacks on critical infrastructure. 

Incidents involving AIIMS, NAL, the G20 website, and more demonstrate the vulnerabilities present in these systems. Last year alone, India saw 429,847 cyberattacks on financial services organisations, with 70 government websites—across both Union and state governments—being hacked.

So, where is India falling short? Are the IT and operational technology (OT) systems controlling critical infrastructure more or less secure today? Compared to three years ago, what lessons should have been learned?


Has there been any improvement since 2021?

While some organisations in India have made policy changes to enhance cybersecurity, institutional inertia has slowed the implementation of these changes. In 2024, only a third of Indian organisations plan to invest in OT security. Such monumental changes typically gain the necessary momentum when governmental regulation is added. In this direction, the Indian government introduced the Cyber Security Bill in Parliament in March this year. Additionally, the government has significantly increased its cyber budget, allocating $2.5 billion towards cybersecurity in the 2024-25 interim budget—a 29% increase from the previous fiscal year.

However, merely complying with regulatory norms is not enough. These norms should serve as a framework for security, but critical assets can only be well-protected when organisations adopt proactive, preventive security strategies.


Importance of preventive security cannot be overstated

With a single VPN account and a stolen password, ransomware actors were able to bring down operations of the Colonial Pipeline for six days. Critical infrastructure organisations bear the responsibility to proactively identify and mitigate security risks before they can be exploited. Having a comprehensive understanding of where risks exist, and their impact on other assets, ensures that organisations are better equipped to make meaningful decisions about how, when and where to implement security controls.  

Whether that’s by implementing stateful tokens, regularly rotating encryption keys, or adhering to industry standards, organisations can leverage the visibility into risks provided by exposure management to fortify their defences against credential-based attacks and unauthorised access attempts. Exposure management helps organisations quantify risk for better decision-making. This creates a security-first culture across all levels, with senior leadership playing a pivotal role in prioritising cybersecurity as a core business and risk-management function.


Public-private partnerships to foster transparency 

The government must play a stronger role in deterrence, including attributing attacks and establishing countermeasures. These efforts must be driven by preventive security strategies for better collaboration.

Transparency and accountability are critical components of an effective collaboration. Regular disclosure of CVEs within critical infrastructure is imperative to assess and mitigate potential risks effectively. Failure to address vulnerabilities promptly undermines trust and transparency, perpetuating systemic weaknesses within the infrastructure.


What India needs is effective regulation for transparency and standards of care that can foster a culture of preventive security, so that effective risk management practices are in place.


By Kartik Shahani, country manager, Tenable India
