In the past decade, we have seen an alarming increase in attacks on critical energy infrastructure, with cyber incidents occurring across any number of geographies and industries. Common attacks can involve ransomware on a corporation’s information technology (IT) network that controls business operations, or a direct attack on a corporation’s operational technology (OT) systems that control industrial infrastructure. The Colonial Pipeline attack appears to have primarily targeted IT systems. However, investigations are still underway, and one only has to look to the evolution of the SolarWinds reporting to understand that it is the nature of cyber incidents to uncover deeper effects as time passes.
In our experience in the oil and natural gas (ONG) industry, there are far more sophisticated adversaries that are penetrating deeper into critical energy infrastructure than in this instance – while it’s great that the problem is beginning to get the attention it deserves, it’s far worse than we think. The potential for disruption and destruction is far larger than the expected weeklong pipeline shutdown – it’s equipment destruction that takes infrastructure offline for far longer, threatening critical services and human life.
The federal government recognized the pipeline cybersecurity threat as early as 2018, when a GAO report (GAO-19-542T) outlined the wide-ranging shortfalls present in pipeline security. GAO found that the Transportation Security Administration’s (TSA) Pipeline Security Branch only had six full-time employees and failed to explicitly address cybersecurity risk when prioritizing pipeline criticality.
While a House Committee hearing was held around the report, HR 370 (Pipeline and LNG Facility Cybersecurity Preparedness Act) was never passed into law. This bill would have given the Department of Energy (DOE) the jurisdictional power to mirror many of its energy security programs for pipeline security. While the federal government has often understood the cybersecurity threats facing our national critical infrastructure, it has systematically underperformed when seeking to address these threats.
Putting the Colonial Pipeline attack in a broader context
The Colonial Pipeline attack certainly should raise concerns. However, it’s important to remember that cyberattacks targeting critical infrastructure are anything but new – especially when you adopt a global lens. Whether it’s the Industroyer attack that shut off the power to about 200,000 people in Kiev in 2016 or the 2020 ransomware attack on a U.S. natural gas compression facility, which resulted in pipeline shutdowns for two days, critical infrastructure operators need to take the threat to their operations and human safety far more seriously than they have. It seems bad now, and it is, but it will only get worse as geopolitical tensions flare with cyber adversaries.
Ransomware tends to be a crime of opportunity that is financially motivated. However, it would be easy for a more sophisticated nation-state cyber adversary to use a ransomware attack to distract from its true purposes, which could include conducting reconnaissance to set up a future disabling attack on critical infrastructure.
While there is a lack of public data on the frequency of such incidents, it’s safe to assume attempted attacks are extremely common due to the prevalence of phishing, and successes are not rare. Reporting requirements vary based on the criticality of the victim facility and the severity of the incident, but the thresholds for mandatory reporting are often high, and most incidents are only represented in voluntary government reporting and industry information sharing.
Long-term implications of the attack
There will likely be long-term implications of the Colonial Pipeline ransomware attack from cyber adversaries, the federal government and industry. This cyberattack will further embolden nation-state cyber adversaries and cyber criminals to target and seek to disrupt critical energy infrastructure operations, especially since the ransom was paid. Nation-state adversaries are using, and will continue to use, cyberattacks to damage civilian critical infrastructure with little regard for (or the explicit intent of) the endangerment of human life.
Historically, critical infrastructure industries have tended to be compliance-driven, and both the federal government and industry have tended to be reactive in their approach to cybersecurity. In the wake of the SolarWinds and Microsoft Exchange campaigns, the Oldsmar water hack and this pipeline attack, the Biden administration has shown resolve through planned executive orders and initiatives to begin addressing the problems of critical infrastructure cybersecurity.
Some say the U.S. needs to sanction nations that fail to crack down on cyber criminals waging attacks from their countries in order to address the scourge of ransomware, but attribution is incredibly difficult in cyberspace, potentially creating geopolitical issues that outweigh the benefits. From a high level, responses through both cyber (proactive defense) and non-cyber (legal and political retribution) means will be critical to addressing the problem. A long-term implication of this attack and others will likely be increased cybersecurity regulation around information sharing, breach disclosure and cyber best practices.
We can certainly expect to see more of these types of attacks, as critical infrastructure increasingly becomes “fair game” in the eyes of cyber bad actors. Failure to properly address these increasing threats will have severe economic and human safety consequences.
Critical infrastructure must do better, but it can’t do it alone
As IT and OT systems have converged, cyber adversaries have become increasingly aggressive in pursuing cyber-physical effects such as critical infrastructure downtime, asset damage and process manipulation. This has put business continuity and human safety at risk, and further ensured that adopting zero-trust visibility at every level of the industrial control system (ICS) is critical to an organization’s security posture.
Overall, critical infrastructure industries tend to respond to these events by explaining away the threat and its relevance to them rather than taking steps to address it. We can only keep hoping this time is different. Critical infrastructure organizations need to realize that having a better security posture than the latest victim is not the gold standard, but the low-water mark. Companies must properly invest in robust OT security programs and teams.
However, they can’t do it alone. As cyberattacks put civilian infrastructure on the front lines, building out a robust cybersecurity posture will require the federal government to address this national security threat in the form of funding, information sharing and technical guidance. The slew of executive orders and proposals surrounding critical infrastructure security in recent months in both the executive and legislative branches gives weight to a case for optimism. As always, however, the prospects for success will come down to execution.