If the Colonial Pipeline hack is a wakeup call, it feels like we’ve been pushing the snooze button since at least 2003. Homeland Security Presidential Directive 7, issued that December, identified “a wide array of critical infrastructure and key resources” as “potential terrorist targets,” including the possibility of cyberattacks. Almost two decades on, the East Coast’s main fuel artery is offline, gas tanks are running dry across the Southeast and the government is warning the more innovative drivers among us not to fill plastic bags with gasoline. So maybe HSPD-7 didn’t quite cut it.
This year is like a grotesque showcase for the inherent vulnerabilities of energy networks. In February, Texas suffered a brutal breakdown in its electricity grid. Now, the Colonial Pipeline’s takedown by ransomware, while continuing and still lacking for details, is a shocking reminder that whatever’s connected can be infected.
Unplugging isn’t an option; indeed, transitioning our energy systems to a low-carbon future requires denser, smarter networks. That means learning to live with a multiplying set of threats. In its latest report on ransomware, cybersecurity firm Check Point Software Technologies Ltd. says the number of organizations hit by attacks currently runs about 1,000 a week. Utilities — a grouping that includes the Colonial attack — are the second-most likely target, behind health-care organizations. Early last year, ransomware evolved with the emergence of EKANS, tailored to attack industrial control systems.
Besides technology, there are more human characteristics to consider in dealing with the threat, namely culture and incentives.
“We used to have two worlds in energy. The process area, with generations of technology going back 15 years sometimes, decades, run by engineers who were often older and separate from the IT world,” says Franco Monti, chairman of MSF Partners AG, a cybersecurity consultancy based in Switzerland. The IT world, he adds, tends to have younger employees accustomed to dealing with an operating environment that changes a lot. As industrial facilities and processes have been connected, so have these two worlds, with their differing priorities and dynamics. “Most engineers in OT [operational technology] are not trained or properly aware” of cyber-related risks, Monti says.
In theory, the operational systems that run physical infrastructure such as pipelines are kept separate, or “air gapped,” from enterprise software that runs things like corporate email. Yet “there is no true air-gap system,” says Yanir Laubshtein, vice president of cybersecurity and industry at NanoLock Security Inc., an Israeli firm which counters cyberattacks at the device level. “Someone, somewhere will need to approach the system to maintain or upgrade it.”
While we still don’t know exactly what happened with Colonial, this problem of interfacing systems around critical infrastructure raises many possibilities, either in this case or others to come. For example, ransomware might not even target the actual industrial-control system but instead, say, the invoicing software. If payment processes lock up on an energy network that serves, and bills, thousands of nodes, can that network still actually operate? And if a piece of critical infrastructure has to be shut off as a precaution if an attack is detected at the enterprise level, the end result is that it still isn’t running. One other vulnerability to bear in mind as we navigate the effects of Covid-19 is that more of us are using remote desktop-setups for work, often over less secure internet connections.
Addressing the threat means considering incentives. For the hackers, these are quite obvious. If you can mess with the lifeblood of the biggest economy in the world, you can demand a lot of money and gain a lot of kudos with your peers — as well as other bad actors, including state agents, that might pay for your services in future.
For the infrastructure operators, things are less straightforward. Cybersecurity is a bit like guarding against pipeline leaks or blackouts — everyone expects you to do it but no one, least of all investors, is that interested in talking about it. That must change because absent sufficient safeguards heavier government intervention is inevitable.
Earlier this week, Richard Glick, who chairs the Federal Energy Regulatory Commission, issued a statement calling for mandatory cybersecurity standards for pipelines. Possibly you imagined such things existed already, but no. Unlike power grids, pipeline cybersecurity centers on voluntary standards, reporting and information-sharing under the supervision of the Transportation Security Administration.
A report by the Government Accountability Office published in December 2018 found “significant weaknesses” in the TSA’s management of pipeline security, including lacking a documented process for reviewing the agency’s own guidelines. Inadequate staffing was also a problem, with only six full-time staff in the TSA’s pipeline security branch as of 2018, down from 14 in 2010. The unit at that time had a target of conducting 15 to 23 corporate safety reviews a year which, by its own admission, was less than half the rate needed to stay on top of the 100 most critical pipeline systems in the US.
For a White House that’s already adopted an interventionist approach to the energy sector — and really doesn’t need the blowback of $3-a-gallon gasoline — a push to tighten the screws on infrastructure operators’ handling of cybersecurity would hardly be a leap. A 100-day plan to address weaknesses in the power grid kicked off last month already.
For the companies operating pipelines and other energy networks, the balance of risks is becoming more complex. Their infrastructure must, of necessity, become smarter rather than dumber. Their adversaries are becoming more capable and, it seems, daring. Traditional forms of protection, such as insurance, are unlikely to underwrite events like a mass gasoline shortage. And governments, for whom energy cutoffs present an existential challenge, might well prefer to cajole private actors into adopting stronger cybersecurity but won’t hesitate too long in pushing for mandatory measures, including penalties for failure. The Colonial attack reveals a problem that was already there, but in doing so has changed the context for companies, their executives and employees entirely.
Bloomberg