Pipeline ransom attack exposes risk of digitising US infrastructure

Motorists on the US east coast have learnt to bear up when problems hit their most important fuel artery, the Colonial pipeline. A hurricane shut it down in 2017. An explosion halted volumes the year before. 

But last week drivers queued at petrol stations because of a different danger: hackers had infected the pipeline’s information technology systems with ransomware, forcing its owner to stop the flow of 2.5m barrels a day of petroleum products. 

The attack exposed how a push to digitise critical infrastructure has created new opportunities for cyber criminals, putting at risk essential goods and services such as energy, water and healthcare. “I think what happened last week is the most likely model for what is ahead of us,” said Chris Williams, cyber solution architect at Capgemini North America. 

Digitisation has enabled industrial companies and utilities to increase efficiency with greater oversight and control of their sprawling operations, which in the case of the Colonial pipeline extends 5,500 miles through a network branching from Texas to New Jersey. 

But old operational technology systems, some installed before the internet, tend to have outdated security and can be difficult to upgrade. Vulnerabilities in office IT systems can offer entry points for hackers to later go after control systems. Digital adoption has not been matched by sufficient investment in cyber defences, analysts say. 

“Many OT systems still don’t have basic security controls,” said Simon Hodgkinson, former chief information security officer at BP and a board adviser at the IT security group Reliance acsn.

Since 2019, US critical infrastructure targets have suffered about 700 ransomware attacks, including 100 this year, according to data from Temple University in Philadelphia. Hackers in February infiltrated the water supply of a city in Florida, while this month they caused disruption at a San Diego hospital chain. Last year hackers forced an unnamed natural gas compressor station to shut down, US cyber officials said. 

Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, are properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos. A recent survey by Siemens found that just 31 per cent of utilities felt well prepared to respond to a breach. 

“The problem is that attacks move a lot faster than industries that are quote-unquote ‘old school’ are used to moving,” Katz said. “So, the speeds are different, and before slower-moving industries can catch on, there’s already a new attack out there and new threats.” 

But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly. Padraic O’Reilly, an infrastructure cyber security adviser and co-founder of the cyber risk firm CyberSaint, said companies needed to avoid “patching” or “snapping on” security systems and rather transition into newer systems where security had been built in, and “the problem with that is that it’s very expensive”, he said. 

In the face of an evolving array of 21st-century risks, we have to . . . reassess the authorities that we can bring to bear

Pipeline infrastructure is largely operated by private capital, meaning there is often a drive to cut costs where possible. 

“Over time, as we get more financially based players investing in energy infrastructure, replacing energy companies themselves, the higher the impulse will be to cut costs,” said Amy Myers Jaffe, a professor at Tufts University’s Fletcher School and author of the book Energy’s Digital Future. “And that will be dangerous if cutting costs are done without enough care to the huge requirements for security.” 

The administration of Joe Biden has taken steps to tighten cyber security for key projects. The US president this week said he would tie $20bn in infrastructure investments under his proposed American Jobs Plan to commitments to modernise cyber security. 

National security risks are blurring the line between private businesses and public necessity, with calls for government to do more to ensure critical infrastructure companies are prepared for attacks and to help them respond when they do occur. Colonial’s chief executive Joseph Blount told The Wall Street Journal this week that paying a ransom of $4.4m was “the right thing to do for the country”.

“I think that boundary we’ve artificially maintained . . . no longer serves us in a world that’s growing so porous,” said John McClurg, chief information security officer at BlackBerry and a former FBI branch chief. 

The oil and gas sector has been criticised for lax cyber security regulation. Standards for American pipeline infrastructure are set by the Transportation Security Administration, the government agency in charge of airport screenings. It has traditionally been understaffed and underfunded: until last year it had just six full-time staff members dealing with pipeline security, though the number has since increased to 34.

Rich Glick, chair of the Federal Energy Regulatory Commission, which is responsible for setting cyber security rules for the electricity grid, said last week that while stringent cyber regulations applied to the power grid, “there are no comparable mandatory standards” for the almost 3m miles of pipelines in the US.

Neil Chatterjee, a FERC commissioner, said responsibility should be stripped from the TSA and shifted to the US Department of Energy. “I was worried about the economic and national security implications of such an attack and we’re seeing that in real time with what happened with Colonial,” he said. 

The American Petroleum Institute, an oil lobby group, wants future cyber security policies to “be focused on improving information-sharing and collaboration between the public and private sectors”, said Suzanne Lemieux, API’s manager of operations security and emergency response. 

But in Washington, government agencies may go further. Calling the Colonial pipeline hack a “stark reminder” of the need to harden critical infrastructure, US energy secretary Jennifer Granholm said on Wednesday that “in the face of an evolving array of 21st-century risks, we have to rethink our approach to security, and to reassess the authorities that we can bring to bear during these kinds of emergencies”.

Twice weekly newsletter

Energy is the world’s indispensable business and Energy Source is its newsletter. Every Tuesday and Thursday, direct to your inbox, Energy Source brings you essential news, forward-thinking analysis and insider intelligence. Sign up here.