Tag Archive for: pipelines

Privacy by Design laws will kill your data pipelines


A car is totaled when the cost to repair it exceeds its total value. By that logic, Privacy by Design legislation could soon be totaling data pipelines at some of the most powerful tech companies.

Those pipelines were developed well before the advent of more robust user privacy laws, such as the European Union’s GDPR (2018) and the California Consumer Privacy Act (2020). Their foundational architectures were therefore designed without certain privacy-preserving principles in mind, including k-anonymity and differential privacy.

But the problem extends way beyond trying to layer privacy mechanisms on top of existing algorithms. Data pipelines have become so complex and unwieldy that companies might not even know whether they are complying with regulations. As Meta engineers put it in a leaked internal document: “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments.”

(When we asked Meta for comment, a spokesperson referred us to the company’s original response to Motherboard about the leaked document, which said, in part: “The document was never intended to capture all of the processes we have in place to comply with privacy regulations around the world or to fully represent how our data practices and controls work.”)

As governments increasingly embrace Privacy by Design (PbD) legislation, tech companies face a choice: either start from scratch or try to fix data pipelines that are old, extraordinarily complex and already non-compliant. Some computer science researchers say a fresh start is the only way to go. But for tech companies, starting over would require engineers to roll out critical data infrastructure changes without disrupting day-to-day operations — a task that’s easier said than done.

‘Open borders’ won’t cut it

Motherboard published the leaked internal document, written by Meta engineers in 2021, at the end of April. In it, an engineering team recommended data architecture changes that would help Meta comply with a wave of governments embracing the “consent regime,” one of the core principles of PbD. India,…


Russian hacking threat hovers over U.S. gas pipelines


The May 2021 attack on Colonial Pipeline — thought to be the largest successful cyberattack on oil infrastructure in U.S. history — led the Department of Homeland Security’s Transportation Security Administration to issue the first mandatory cybersecurity standards for pipelines, after years of relying solely on voluntary guidelines. But Democratic lawmakers, regulators and cybersecurity experts say those standards don’t go nearly far enough, and fall short of the binding standards that the U.S. electricity sector has spent years developing.

U.S. regulators or the gas pipeline companies themselves need to address that gaping hole in the nation’s energy security, experts say — noting that the gas and electricity sectors increasingly depend on each other.

“We say ‘gas and electricity’ as if they’re separate — they aren’t,” said Craig Miller, a research professor of electrical and computer engineering at Carnegie Mellon University, and former chief scientist of the National Rural Electric Cooperative Association. “You don’t move gas without electricity: You need pumps. And you don’t make electricity without gas.”

The Russian invasion of Ukraine has only exacerbated fears of a cyberattack on critical energy infrastructure. Energy Secretary Jennifer Granholm urged energy executives last week to prepare “to the highest possible level” for a potential cyberattack from Russia.

“While there remains no specific credible threat to the homeland from Russia, that I am aware of, the U.S. Government has been working with energy sector owners and operators to prepare for all geopolitical contingencies,” she wrote in a letter to industry trade organizations.

The nation has grown more reliant on natural gas as a power resource — the fuel made up 37 percent of the U.S. electricity mix in 2021, according to the U.S. Energy Information Administration, compared to 25 percent a decade ago — and the challenges of connecting the two energy systems have been a focus of federal regulators for years. Meanwhile, digital technology increasingly runs the systems that control critical infrastructure, making all energy infrastructure more vulnerable to cyber…


DOJ Recovers Most of Colonial Pipeline’s Ransom Payment



Close to a month after Colonial Pipeline paid hackers the equivalent of $4.4 million in order to restore services for their massive gasoline operation, the Department of Justice announced that it had recovered the majority of the ransom payment.

After hackers affiliated with a group known as DarkSide locked Colonial out of their computer system, leading to fuel shortages throughout the East Coast, the energy firm decided in early May to pay the Russia-based group 75 Bitcoin, the equivalent of $4.4 million at the time. On Monday, the DOJ announced that 63.7 Bitcoin had been seized; while that represents 85 percent of the ransom payment, the value is now at $2.3 million, due to a fall in the cryptocurrency’s price in May.

“By going after the entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a press conference on Monday, referring to the type of attack executed against Colonial. The FBI also revealed Monday in an affidavit that it was holding a key to unlock a bitcoin wallet that held most of the funds, although it did not announce exactly how it was able to obtain the key; Bitcoin transactions are designed to be untraceable. According to Reuters, “the bureau had tracked the bitcoin through multiple wallets, using the public blockchain and tools.”

By announcing that the Department of Justice was going after the “entire ecosystem” of ransomware attacks, Monaco suggested an escalation of the tactics used by the government to stop the hacking that has disrupted many business sectors this year. In April, the DOJ created a Ransomware and Digital Extortion Task Force to mitigate the breaches that have emerged as a national security threat over the past year. In an internal memo launching the initiative, the department said it will target “the entire criminal ecosystem around ransomware, including…


After Colonial hack, DHS issues first cybersecurity regulation for pipelines


The Department of Homeland Security has issued the first cybersecurity regulation for the pipeline sector.

The regulation, issued Thursday morning, is part of the Biden administration’s efforts to bolster security for national infrastructure after a company that operates the largest fuel pipeline in the country was hit with a ransomware attack earlier this month.

Colonial Pipeline shut down all pipeline operations after it was hacked by a group believed to be Russian criminals, who locked some of its computers and demanded a ransom to set them free.

While Colonial was able to restart operations within five days, it had already become one of the most impactful cyberattacks in American history. The United States issued an emergency order to allow truckers to drive overtime to help transport fuel, and gas stations across the country reported outages. Colonial CEO Joseph Blount told The Wall Street Journal he quickly paid the hackers’ $4.4 million demand, but that their program to restore their systems was so slow he hired outside computer experts to do it instead.

While DHS’ Cybersecurity and Infrastructure Security Agency provides guidance to U.S. companies that handle the country’s infrastructure, there are few federal government requirements for them to have even basic cybersecurity measures in place.

Under the new regulation, roughly 100 pipeline companies will be required to keep a cybersecurity coordinator on call at all times, and to report any incident to the Cybersecurity and Infrastructure Security Agency within 12 hours. 

In a call DHS held with reporters Wednesday evening, one senior agency official, who requested to not be named as part of the terms of the call, said that pipeline companies found out of compliance with the new regulation would face escalating fines starting around $7,000.

“There are financial penalties associated with failure to comply with security directives, and those can be imposed on a daily basis, so they can ramp up pretty significantly over time,” the official said.

Bryson Bort, a cybersecurity consultant and founder of the ICS Village, a nonprofit that advocates for industrial cybersecurity, said that while he didn’t expect the regulation…
