Skip to main content

The cybersecurity ‘pandemic’ that led to the Colonial Pipeline disaster

The cybersecurity ‘pandemic’ that led to the Colonial Pipeline disaster


A lack of basic hygiene leaves critical infrastructure open for attack

Share this story

Cyberattack Forces Shutdown Of Major U.S. Fuel Pipeline
WOODBRIDGE, NEW JERSEY - MAY 10: Fuel holding tanks are seen at Colonial Pipeline’s Linden Junction Tank Farm on May 10, 2021 in Woodbridge, New Jersey. Alpharetta, Georgia-based Colonial Pipeline, which has the largest fuel pipeline, was forced to shut down its oil and gas pipeline system on Friday after a ransomware attack that has slowed down the transportation of oil in the eastern U.S.
Photo by Michael M. Santiago/Getty Images

The cyberattack that forced the Colonial Pipeline offline is just one failure to address existing weaknesses and an escalating “ransomware pandemic,” experts tell The Verge. That leaves the nation’s energy infrastructure especially vulnerable, even though there are basic steps that could have been taken to prevent the crisis that’s unfolding now.  

“Yet another example of what is really a ransomware pandemic”

“Honestly, I think for anyone who’s been tracking ransomware closely, this really shouldn’t be a surprise,” says Philip Reiner, CEO of the nonprofit Institute for Security and Technology. “This is yet another example of what is really a ransomware pandemic that needs to be addressed at the highest level.”

An escalating threat from bad actors, like the criminal group DarkSide that’s believed to be behind the attack on Colonial Pipeline, is coinciding with more potential weak points in the energy sector’s cyber infrastructure. Reiner says ransomware poses growing risks to critical infrastructure beyond energy, including health care and financial systems. Hackers have targeted tech, too. A subcontractor for Apple was hit with a $50 million ransomware attack just last month. But the energy sector seems particularly vulnerable to all kinds of cyber threats. 

“This is the kind of thing that keeps folks like us awake at night,” says Tucker Bailey, a partner and cybersecurity expert at consultancy McKinsey & Company. “We’ve known that the [vulnerabilities] have been there for a while.”

Almost half of all the East Coast’s fuel typically travels through the Colonial Pipeline, which has been shuttered since May 7th. The pipeline company’s IT system fell victim to ransomware, a type of cyber attack in which hackers demand payment to bring systems back online. DarkSide also stole data from the company and threatened to publish it online, Bloomberg reported.

The frequency and severity of attacks against utility systems is on the rise, according to the National Regulatory Research Institute. Fifty-six percent of utility professionals surveyed by Siemens in 2019 said they had experienced at least one attack over the previous year that led to an outage or a loss of private information. More than a third of the 796 “cyber incidents” reported to the Department of Homeland Security between 2013 and 2015 took place in the energy sector.

A collision of a couple key factors could drive those numbers up. First, there are more state actors, cybercriminals, and hacktivists targeting critical infrastructure, according to experts. Second, an increasingly digital power sector opens up more opportunities for hackers to attack. 

“As everything is becoming more computerized, the controls for our critical infrastructure are also more computerized and steps need to be taken to ensure that they are protected from cyber attacks,” says Leslie Gordon, acting director for homeland security and justice at the watchdog Government Accountability Office (GAO). She says what happened to Colonial Pipeline is “an example of a failure to protect critical infrastructure.”

Companies are regularly failing to practice even basic security hygiene, which leaves critical infrastructure open to attack. Good security hygiene can include relatively simple things like requiring multi-factor authentication, having response plans ready, and keeping backup systems in place. With Colonial Pipeline, failing to keep its network segmented — so that bad actors can’t easily hop from one piece of the system to the next — was a big problem that shows a lack of cyber hygiene, according to Reiner. Colonial’s IT system was attacked, but that was connected to the company’s operating system, so it shut that down, too.  

“One of the greatest causes of cyber crime”

“One of the things we see here is another example of basic steps not being taken in order to secure your systems,” Reiner says. “Cyber hygiene, or the lack thereof, is really one of the greatest causes of cyber crime. It’s not so much that these guys are so good. It’s just people leave very basic things undone.” 

President Joe Biden is expected to announce an executive order that could require contractors the federal government works with to take those kinds of safety measures, and last month, the administration launched a 100-day plan to tackle “increasing cyber threats” to the US electric system. It includes working with utilities to build up their capacity to stop, detect, and respond to attacks. The Department of Energy also launched new research programs in March to make the energy sector more resilient to hazards, both physical and cyber. 

But a workforce shortage is another lingering problem for the energy sector that could jeopardize those plans. There’s an estimated shortage of 498,480 cybersecurity workers in the US, a 2019 report found. The Transportation Security Administration, which oversees pipeline security, is short on inspectors and lacks a strategic workforce development plan to help it “carry out its pipeline security responsibilities,” a 2018 report by the GAO found. Three years after the agency recommended that the TSA fill that gap, the GAO says that has yet to happen (although the TSA reports that it’s in the middle of completing a workforce plan). 

Until these basic problems are solved, the threat of cyberattacks will loom large over the energy system and other critical infrastructure. And while the attacks are virtual, the consequences can be quickly felt on the ground. The longer the Colonial Pipeline stays out of commission, the bigger the risk of gas stations, jet fuel, and even home heating oil running dry. The pipeline company did not respond to The Verge by time of publication but said in a statement that it’s bringing parts of its pipeline online in stages — with hopes that most operations will be restored by the end of the week.

Today’s Storystream

Feed refreshed Sep 24 Striking out

External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.

Andrew WebsterSep 24
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.

The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew WebsterSep 24
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.

Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.

External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.

External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.