The cyberattack that forced the Colonial Pipeline offline is just one failure to address existing weaknesses and an escalating “ransomware pandemic,” experts tell The Verge. That leaves the nation’s energy infrastructure especially vulnerable, even though there are basic steps that could have been taken to prevent the crisis that’s unfolding now.
“Honestly, I think for anyone who’s been tracking ransomware closely, this really shouldn’t be a surprise,” says Philip Reiner, CEO of the nonprofit Institute for Security and Technology. “This is yet another example of what is really a ransomware pandemic that needs to be addressed at the highest level.”
An escalating threat from bad actors, like the criminal group DarkSide that’s believed to be behind the attack on Colonial Pipeline, is coinciding with more potential weak points in the energy sector’s cyber infrastructure. Reiner says ransomware poses growing risks to critical infrastructure beyond energy, including health care and financial systems. Hackers have targeted tech, too. A subcontractor for Apple was hit with a $50 million ransomware attack just last month. But the energy sector seems particularly vulnerable to all kinds of cyber threats.
“This is the kind of thing that keeps folks like us awake at night,” says Tucker Bailey, a partner and cybersecurity expert at consultancy McKinsey & Company. “We’ve known that the [vulnerabilities] have been there for a while.”
Almost half of all the East Coast’s fuel typically travels through the Colonial Pipeline, which has been shuttered since May 7th. The pipeline company’s IT system fell victim to ransomware, a type of cyber attack in which hackers demand payment to bring systems back online. DarkSide also stole data from the company and threatened to publish it online, Bloomberg reported.
The frequency and severity of attacks against utility systems is on the rise, according to the National Regulatory Research Institute. Fifty-six percent of utility professionals surveyed by Siemens in 2019 said they had experienced at least one attack over the previous year that led to an outage or a loss of private information. More than a third of the 796 “cyber incidents” reported to the Department of Homeland Security between 2013 and 2015 took place in the energy sector.
A collision of a couple key factors could drive those numbers up. First, there are more state actors, cybercriminals, and hacktivists targeting critical infrastructure, according to experts. Second, an increasingly digital power sector opens up more opportunities for hackers to attack.
“As everything is becoming more computerized, the controls for our critical infrastructure are also more computerized and steps need to be taken to ensure that they are protected from cyber attacks,” says Leslie Gordon, acting director for homeland security and justice at the watchdog Government Accountability Office (GAO). She says what happened to Colonial Pipeline is “an example of a failure to protect critical infrastructure.”
Companies are regularly failing to practice even basic security hygiene, which leaves critical infrastructure open to attack. Good security hygiene can include relatively simple things like requiring multi-factor authentication, having response plans ready, and keeping backup systems in place. With Colonial Pipeline, failing to keep its network segmented — so that bad actors can’t easily hop from one piece of the system to the next — was a big problem that shows a lack of cyber hygiene, according to Reiner. Colonial’s IT system was attacked, but that was connected to the company’s operating system, so it shut that down, too.
“One of the things we see here is another example of basic steps not being taken in order to secure your systems,” Reiner says. “Cyber hygiene, or the lack thereof, is really one of the greatest causes of cyber crime. It’s not so much that these guys are so good. It’s just people leave very basic things undone.”
President Joe Biden is expected to announce an executive order that could require contractors the federal government works with to take those kinds of safety measures, and last month, the administration launched a 100-day plan to tackle “increasing cyber threats” to the US electric system. It includes working with utilities to build up their capacity to stop, detect, and respond to attacks. The Department of Energy also launched new research programs in March to make the energy sector more resilient to hazards, both physical and cyber.
But a workforce shortage is another lingering problem for the energy sector that could jeopardize those plans. There’s an estimated shortage of 498,480 cybersecurity workers in the US, a 2019 report found. The Transportation Security Administration, which oversees pipeline security, is short on inspectors and lacks a strategic workforce development plan to help it “carry out its pipeline security responsibilities,” a 2018 report by the GAO found. Three years after the agency recommended that the TSA fill that gap, the GAO says that has yet to happen (although the TSA reports that it’s in the middle of completing a workforce plan).
Until these basic problems are solved, the threat of cyberattacks will loom large over the energy system and other critical infrastructure. And while the attacks are virtual, the consequences can be quickly felt on the ground. The longer the Colonial Pipeline stays out of commission, the bigger the risk of gas stations, jet fuel, and even home heating oil running dry. The pipeline company did not respond to The Verge by time of publication but said in a statement that it’s bringing parts of its pipeline online in stages — with hopes that most operations will be restored by the end of the week.