Gasoline prices are above $3 a gallon in 16 states, approaching a 6.5 year high after a major pipeline outage and fears abound of a deepening supply shortfall. The attackers responsible for this price spike, Darkside, now express regret for “creating problems for society,” after a cyberattack against a 5,500-mile pipeline in the United States. The hackers may express remorse for inflicting financial pain on consumers, but the damage is real, and the impacts continue to reverberate.
On Friday, the Colonial Pipeline, one of the U.S.’ most important pipelines that on a regular day carries 2.5 million barrels per day or 45 percent of the East Coast’s supply of diesel, petrol, heating oil and jet fuel from refineries in Texas and the Gulf Coast to the Northeast had their information technology systems disrupted by hackers. The company is assuring the five lines currently offline will be operational under a phased restart and fully functional by the end of this week. It has been called one of the most disruptive ransomware schemes with massive fuel disruptions across the northeast. Gas prices are up, but more importantly, the attack is a potent reminder the cybercrime is a growing threat to critical energy infrastructure and domestic energy security.
The federal government took swift action with the Department of Transportation’s Federal Motor Carrier Administration, easing restrictions for motor carriers and drivers transporting gasoline, diesel, jet fuel and other refined petroleum products in the North/Southeast region impacted by the shutdown of the pipeline. But this is a reactive step — and therein lies a big part of the problem. The energy sector is becoming more vulnerable to cyberattacks. Before this attack, the attention around cybersecurity threats was on powerplants and grids, but now the focus is also shifting toward threats to refineries, pipelines and ports. Malware such as the one used to attack Colonial can disrupt operations and cause havoc on markets and supply security.
Let’s be clear. What transpired at Colonial Pipeline was the ransomware infection of computers that control the company’s business operations and not the operational technology (OT). OT technologies that sense the environment and control physical processes would have been a red alert regarding the motives and intent of the criminal group. In this case, the group controlling the DarkSide ransomware service seems to regret the disruption it caused. It has instituted an operational change to assure that significant consequences on society do not occur again from their operations. This is in stark contrast to other cyber groups, such as Sandworm, which directly accessed OT environments to shut down the grid in Ukraine.
However, this incident should not be a surprise or a “wake-up call.” It follows on the heels of malicious cyber activities that have disrupted the networks upon which critical infrastructure globally depends. Malware such as WannaCry, NotPetya, Bad Rabbit, BlackEnergy 3, Industroyer and CrashOverride are prevalent, and not fringe groups but becoming ever larger businesses seeking profit and dramatic impact.
Each one highlights different aspects of threat actor capabilities, including social engineering techniques employed during phishing campaigns designed to trick users into opening attachments containing malware payloads and having worm functionality built into malware, allowing infections across entire networks —even if only a single user opens an infected attachment. The common denominator across all incidents is that society depends on a technical substrate built on the foundation of faulty technology that is readily exploitable by hackers who are now taking advantage of hacking as a service.
While the Colonial Pipeline incident forensics and investigation is ongoing, it is essential to note that as in many cases, what may have been exploited to deliver the ransomware might not have relied on a new vulnerability but rather an old one that had not been patched. Without swift identification and punishment of the cybercriminal responsible for the incident, pipelines across the nation and globally might have just been highlighted as a lucrative target. Therefore, pipeline cybersecurity operations center operators across the U.S. should learn lessons rapidly and coordinate to begin taking their operations offline to patch their systems to deny criminal groups further opportunities to exploit commoditized malware packages that could lead to similar ransomware infection and subsequent disruptions.
In December 2020, before taking office as president, Joe Biden suggested cybersecurity would be a top priority for his administration, but when looking at the $2.5 trillion infrastructure investments in cybersecurity are missing. How to protect the technology that supports critical energy infrastructure — and keep the hackers out of the gate — is still in need of answers. Risks are not going away, hackers are here to stay and seek ways to destabilize and disrupt our everyday lives, and the economic stakes are enormous. As the United States makes new energy infrastructure build a part of its build back better plan, more attention needs to be on cybersecurity requirements for projects.
COVID-19 relief legislation targeted $650 million for the Cybersecurity and Infrastructure Security Agency (CISA), a paltry amount when considering the costs of being unprepared. The Colonial Pipeline will be back up and running in a few days, but more advanced cyber deterrence strategies need to be more firmly integrated at both the national and corporate levels. Designing security into infrastructure projects now is an investment in resilience for the future. Cyber risks are changing, and we need to be prepared at all levels. Inaction will be a national regret.
Carolyn Kissane, Ph.D., M.A., serves as the academic director of the graduate programs in Global Affairs and Global Security, Conflict and Cyber at the NYU Center for Global Affairs and is a clinical professor. She is also the director of the NYU SPS Energy, Climate Justice and Sustainability Lab.
Pano Yannakogeorgos, Ph.D., is a clinical associate professor and program director of Global Security, Conflict and Cyber NYU SPS Center for Global Affairs.