Colonial Pipeline attack underscores US energy’s vulnerability

The ransomware attack on Colonial Pipeline, the largest supplier of oil to the Northeast region of the United States, is underscoring just how vulnerable critical U.S. infrastructure is to cybercriminals in a way no previous attack has done, say U.S. officials and experts in the field.

The successful breach of Colonial Pipeline’s IT system forced the company to shut down 5,500 miles of pipelines to ensure hackers could not gain access to its operational technology.

The attack was shocking in some ways, illustrating how vulnerable a large and critical company such as Colonial Pipeline was to increasingly frequent ransomware attacks.

And it also showed such attacks can have a far larger impact. The entire nation could see a rise in gas prices because of the attack on the pipeline, which carries around 45 percent of oil used on the East Coast and runs between Texas and New York.

“There’s obviously much still to learn about how this attack happened, but we can be sure of two things: This is a play that will be run again, and we’re not adequately prepared,” Sen. Ben Sasse (R-Neb.) said in a statement on Saturday. 

Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), the co-chairs of the Cyberspace Solarium Commission (CSC), said Sunday in a separate joint statement that they were “disappointed, though unsurprised” to learn of the incident.

“This interruption of the distribution of refined gasoline and jet fuel underscores the vulnerability of our national critical infrastructure in cyberspace and the need for effective cybersecurity defenses, including a robust public-private collaboration to protect both the pipeline system and electric grid, as well as the infrastructure of the telecommunications and financial services systems,” King and Gallagher said. 

Threats to critical infrastructure have built steadily in recent years and have spiked over the past year during the COVID-19 pandemic, particularly as more work is done remotely and online.

Both nation states and cybercriminals have increasingly turned to ransomware as the weapon of choice to pressure organizations, including hospitals and schools, to pay large sums to decrypt their networks.

Utilities have been another key target. A hacker breached and unsuccessfully attempted to poison the water supply for Oldsmar, Fla., earlier this year, while experts said last month that they had seen an “unprecedented” spike in attacks aimed at the electricity sector. 

According to data provided to The Hill by cybersecurity company Check Point Research, hackers attempt to breach American utility companies 260 times per week on average, with the company seeing a 50 percent increase in these attempts since March, and a general increase since the beginning of 2020. 

But despite the steadily increasing cyber threats against critical infrastructure, experts say the U.S. remains worryingly vulnerable.

“Cybercriminals follow the money and the biggest potential payouts are with critical infrastructure,” Marty Edwards, the vice president of OT Security at cybersecurity group Tenable, told The Hill on Monday. 

“What’s worse is that not only are these systems high-value, but many organizations don’t have the adequate people, processes and technology to secure the very complex and sensitive environments,” he said. “Put all of this together and you have a recipe for ongoing, large-scale attacks.”

Tobias Whitney, vice president of energy security solutions at Fortress Information Security, which works with grid operators, told The Hill on Monday that the incident was “eye-opening” for all critical infrastructure sectors. 

“It’s a wake-up call to the rest of all the critical infrastructure industries to really make sure we are not just giving lip service to these issues, that there are actual detailed, nuanced controls we are implementing to thwart these kinds of events,” Whitney said. 

The CSC — a group founded by Congress that is made up of lawmakers, officials, and industry leaders — released a report last year highlighting cyber threats to critical infrastructure and outlining recommendations for the federal government to boost security.

The group warned that the U.S. is “dangerously insecure” against cyber threats, and that “a major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage.”

King and Gallagher on Sunday pointed to the Colonial Pipeline attack as illustrating the need for the federal government to form a cyber “social contract” with critical infrastructure groups.

“It is well past time for the Federal government to enhance its partnership with these entities and ensure these companies are executing their security responsibilities effectively,” the lawmakers said. 

The incident also puts pressure on President Biden to support greater funding and initiatives around securing critical systems against cyberattacks, an issue left out of his initial infrastructure proposal. Lawmakers on both sides of the aisle have called for providing funding to shore up cybersecurity, pointing to escalating attacks. 

“If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors — rather than progressive wishlists masquerading as infrastructure,” Sasse said. 

Both House Energy and Commerce Committee Chairman Frank Pallone (D-N.J.) and ranking member Cathy McMorris Rodgers (R-Wash.) tweeted over the weekend their support for passing stalled legislation aimed at shoring up cybersecurity of the energy sector.

“This cyberattack is a sharp reminder of just how deeply we all rely on our energy infrastructure every day, and just how crucial it is that we invest in modernizing and protecting it,” Pallone tweeted. 

The Biden administration monitored the situation closely over the weekend. The Department of Energy is leading the response effort, and the Department of Transportation issued an emergency directive on Sunday allowing drivers of trucks carrying oil and diesel fuel to work longer hours.

Other administration officials warned utilities to be on high alert against cyberattacks. 

“@DHSgov is monitoring the ransomware incident affecting Colonial Pipeline,” Homeland Security (DHS) Secretary Alejandro Mayorkas tweeted Saturday. “Every organization must be vigilant and strengthen its cybersecurity posture against ransomware and other types of cyber-attacks.”

While the response to the attack is still in its early stages, King and Gallagher compared the nation’s cyber vulnerabilities to the gaps in preparedness that allowed the September 11 terrorist attacks to take place. 

“One of the gravest lessons from the terrorist attack twenty years ago was that it was a failure of imagination,” the lawmakers said. “America can and must be better – we must be imaginative, and proactive, in navigating the threats of the Age of Cyber Aggression.”