Colonial Pipeline Hinted at Critical Infrastructure Threat

The long gas lines, panic buying and price spikes are fading into memory. But the ransomware attack in early May 2021 on the largest fuel pipeline in the U.S. must continue to drive urgent action by the industry and policymakers to protect the nation’s key infrastructure.

The assault on Colonial Pipeline by a Russia-linked hacker ring may have been the largest-ever cyberattack on an American energy system, but the fact that energy and water grids have become a popular playground for cybercriminals is hardly new.

“With utilities in the U.S. and around the world increasingly moving toward smart grid technology and other upgrades with inherent cyber vulnerabilities, correlative threats from malicious cyberattacks on the North American electric grid continue to grow in frequency and sophistication,” said a Department of Energy report.

The report was issued in August 2016, nearly five years ago.

Does anyone remember when an Iranian hacktivist group executed a cyberattack and gained access to the control system of a dam in Rye Brook, N.Y., outside New York City? At the time, Sen. Charles Schumer, D-N.Y., called the intrusion “a bucket of ice water to the face” and “just the tip of the iceberg.”

That was eight years ago.

History Repeating Itself

The list goes on. In 2012, a malware attack disrupted business operations at one of the world’s largest oil companies, Saudi Aramco, for more than a week. A hack of Ukraine’s electricity supply—believed to be the first ever in the world to shut down a power grid—left 230,000 people without power for several hours two days before Christmas in 2015. Ukraine’s grid was victimized again a year later.

Did you know that, in early February 2021, hackers remotely accessed the water treatment plant in Oldsmar, Florida, a city of 15,000 people in the Tampa area, and briefly changed the levels of lye in the drinking water? With so many cyberattacks in the news these days, it’s understandable if you missed it.

The attack on Colonial Pipeline, which provides about 45% of the U.S. east coast’s fuel, by the Russia-tied hacker group DarkSide should serve as an unpleasant reminder that history keeps repeating itself and that cybersecurity risks to critical U.S. infrastructure are a clear and present danger that must be dealt with. But how?

Handling Critical Infrastructure Threats

Step one is to understand the unique threat landscape facing energy and utility companies.

These organizations are increasingly relying on internet-connected industrial control systems (ICS) to handle the various operational aspects of managing and monitoring fuel transmission and distribution. For example, wireless sensors and software services can control key processes and functions such as the opening and closing of circuit breakers on the grid.

IT/OT convergence—in which information technology and operational technology environments align to give companies better visibility into operations and enable them to save time and money—is a trendy industry buzzword. However, as more OT devices come online and integrate with IT networks, the risk of cyberattack grows.

“Threat actors can use multiple techniques to access those systems and potentially disrupt operations,” the General Accountability Office (GAO) said in a March 2021 report. “Early industrial control systems were not designed with cybersecurity protections in mind because they operated in isolation and were not connected to information technology systems or the internet. Technological advances in these systems have offered advantages to system operators but have also increased the vulnerability of the systems.”

Indeed, many executives in critical infrastructure industries are worried about these risks. In a survey of 400 IT decision makers by analyst firm Forrester Research and cybersecurity company Armis, 74% reported being “very-to-extremely concerned” about the risks posed by poorly managed OT systems.

The Colonial Pipeline attack illustrated the unique security risks of IT/OT convergence. The breach affected the company’s corporate IT network rather than fuel distribution operations directly, but the company proactively shut down operations as a precaution against the hackers subsequently gaining access to the operational technology end. 

In this way, they were recognizing what all such organizations now must—the potential for hackers to move laterally between IT and OT environments and cause extensive damage throughout.

For energy grids, the attack surface will only keep growing as more energy sources like solar and wind and their accompanying operational technologies blend with existing networks.

Step two in bolstering cybersecurity defenses is relying on intelligent technology—artificial intelligence (AI), machine learning (ML) and related technologies—on the OT side to automate repeatable tasks. 

Relying on machines rather than people to, say, configure a router not only is faster and cheaper but it eliminates the chance of introducing human error that can lead to security flaws.

In addition, AI and ML can be applied to instantly detect anomalies in operational technology that could be indicative of a hack. So many of the major breaches in recent years weren’t disclosed until months or even years after the fact because it took too long for humans to discover them.

I hope the Biden administration’s 100-day initiative to study ways to protect the country’s electricity system from cyberattacks takes into account the vital role that automation can play. Comprehensive, end-to-end security across IT and OT is a must going forward.

Here’s hoping the Colonial Pipeline attack is remembered not just for the 1970s oil crisis flashbacks, but as a catalyst for much-needed improvement in protecting our critical infrastructure.

Avatar photo

Robert Tafoya

Robert (Bob) Tafoya is Global Practice Lead for Critical Infrastructure and Industrial IoT at Juniper Networks. Robert has been working with Juniper for more than 15 years, and prior to his role he was Principle Investigator, 2018 U.S. Department of Energy - Industry Partnership for Cybersecurity Delivery Systems (CEDS) Research, Development and Demonstration funding grant - Project Ambassador

robert-tafoya has 1 posts and counting.See all posts by robert-tafoya