It was not a matter of if, but when. On Friday, Colonial Pipeline Company, the largest U.S. fuel pipeline, closed its entire 5,500-mile pipeline system that carries liquid fuels, including gasoline, from the Gulf Coast of Texas to New York and surrounding communities. Colonial was forced to take these measures as a result of a ransomware cyberattack. As of this Monday, Colonial’s main systems remain offline, but the company is working to develop a restart plan for its pipeline system.
The Growing Threat of Ransomware
In prior blog posts, we have discussed the growing threat of ransomware attacks, such as the one perpetrated here. A ransomware attack typically involves blocking access to a victim’s computer files. Once the targeted company pays the specified ransom, access to the files is restored. While ransomware attacks have traditionally focused on companies’ information technology (IT) networks, information security experts are now seeing more and more instances of malware spreading to the operational technology (OT) that controls key mechanical equipment. Media reports related to the Colonial attack have not revealed any evidence that the cyberattack succeeded in penetrating the OT responsible for pipeline operations. The ransomware attack, however, underscores — once again — the vulnerability of the aging U.S. energy infrastructure to escalating cyberattacks.
Concerns about an eventual attack on energy companies have been growing in recent years. In the last year alone, cyberattacks have been launched against a large manufacturer’s steel and pipe divisions, as well as oil, gas, aluminum and semiconductor companies. While the majority of these cyberattacks were carried out by uncoordinated and individual actors, modern-day attacks are increasingly carried out by criminal groups or nation-state actors, such as North Korea and Russia. Recent media reports related to the Colonial event have identified a Russian criminal group known as DarkSide as responsible for this sophisticated attack.
Vulnerability of Gas Pipeline Infrastructure
As automation and digital sensors become more prevalent in moving physical commodities like natural gas or oil, the opportunities for cyber-intrusion similarly increase. This most recent attack evidences this trend. We know that in 2018 there was a similar attack on a data network shared by four natural gas pipeline operators. Natural gas pipeline systems are particularly vulnerable to cyberattacks, given the lack of coordinated regulatory oversight within that industry. While the bulk electric system in the U.S. is subject to strict compliance standards developed by multiple agencies, such as the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission, the natural gas pipeline system is subject to minimal, and largely voluntary, oversight by the Transportation Security Administration (“TSA”). By any objective standard, the current oversight of the U.S. gas pipeline system is inadequate:
- the nation’s gas pipeline system consists of approximately 2.7 million miles of pipeline across the U.S.;
- TSA has approximately six employees dedicated to this oversight, which amounts to 450,000 miles of pipeline oversight per employee, according to former FERC Chairman Neil Chatterjee’s testimony before the U.S. Senate Committee on Energy and Natural Resources, and a joint letter authored by Chatterjee and now FERC Chairman Richard Glick in June of 2018; and
- TSA has no mandatory compliance or reporting requirements with respect to pipeline cybersecurity, and relies exclusively on company self-reporting.
Given that: (1) natural gas now generates 35% of electricity nationally; (2) the gas and electric industries are now integrally related; and (3) both are growing more vulnerable to cyberattacks, the disparate treatment of the electric and gas industries for cybersecurity purposes becomes increasingly difficult to justify.
While the growing number of ransomware attacks to date had previously focused on manufacturing companies, following the Colonial event, cybersecurity risks to critical energy infrastructure can no longer be considered speculative. Steps that can and should be taken immediately include:
- the consolidation of regulatory oversight in a single agency, either DOE or perhaps the Department of Defense;
- the adoption of regulations that include mandatory reporting requirements for cyberattacks; and
- the adoption of regulations that establish protocols for information sharing with other agencies as necessary to protect both the proper functioning of the grid and national security.
Continued inertia or uncoordinated leadership on cybersecurity issues that face the energy industry as a whole will only ensure that cybercriminals continue to exploit the opportunities created by our own inaction.