This week, hackers believed to be the DarkSide ransom gang operating out of Eastern Europe, possibly Russia, targeted Colonial Pipeline, infecting its information-technology systems though not its operational control systems. It seems to me the hack is a national security issue, as the pipeline runs some 5,500 miles from the Gulf State refineries in Houston to customers in the southern and eastern part of the country all the way to New Jersey. It supplies 45 percent of the fuel in this swath and serves 50 million Americans and several major airports.
The White House apparently takes a different view, announcing it’s a “private sector decision” as to whether Colonial should pay a ransom to get its pipeline back on line. Anne Neuberger is deputy national security adviser for cyber and emerging technology:
Ms. Neuberger declined to comment on whether Colonial has paid a ransom, and the company hasn’t said so publicly either. She also said the administration hadn’t made a recommendation to Colonial on whether it should pay.
Normally the FBI encourages victims to not pay the ransoms to avoid fueling a booming criminal industry, but Ms. Neuberger said the administration recognized that is often not a feasible option for some companies, especially those that don’t have backup files or other means of recovering data.
Of course, paying the ransom will only make DarkSide’s tools more valuable to both them and to those they sell the programs to, meaning we’ll see more of this and with ever-increasing deleterious economic and energy consequences.
The shape of things to come?
It’s not as if we are in the dark about the need to safeguard cyberspace in critical infrastructure. We have in the Department of Homeland Security a National Cybersecurity and Communications Integration Center (NCCIC), with this mission:
DHS coordinates with sector specific agencies, other federal agencies, and private sector partners to share information on and analysis of cyber threats and vulnerabilities and to understand more fully the interdependency of infrastructure systems nationwide. This collective approach to prevent, protect against, mitigate, respond to, investigate, and recover from cyber incidents prioritizes understanding and meeting the needs of our partners, and is consistent with the growing recognition among corporate leaders that cyber and physical security are interdependent and must be core aspects of their risk management strategies.
In an email communication to me, Eric Goldstein, executive assistant director for cybersecurity of the Cybersecurity and Infrastructure Security Agency, states they are on the case of the Colonial Pipeline hack. “We are engaged with the company and our interagency partners regarding the situation,” he said. “This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
Colonial is in the meantime manually operating a segment of the North Carolina to Maryland stream. Gas-station lines have formed in several of the southern states, and truckers are warning of a variety of supply chain problems. The company indicated they may be fully operational in a few days, but Mark Ayala, director of industrial-control system security at 1898 & Co., suggests it may take longer:
Given the breadth of the unknowns, the discovery, containment, decontamination and remediation effort will be lengthy and likely to result in a gradual return to operations.
The immediate impact may be less on the immediate availability of gas in the affected corridor than on the rising cost of gas as people prepare their getaways after over a year of Covid-19 lockdowns. The issue that most concerns me, however, is the need to update cybersecurity on energy infrastructure.
Here we go again.
There are political and technical problems with doing this, even if we make the assumption that government cybersecurity operations are doing their job and private firms are working hard to protect it. Mandiant (part of FireEye) did just that in successfully limiting the Colonial damage by persuading a hosting provider to shut down a server that contained the stolen data, thus isolating it from the hackers.
Last year CISA warned pipeline operators about the threat of ransomware. It doesn’t seem Colonial adequately responded to the warning. Why not? There are several practical problems with hardening cybersecurity on pipelines. Indeed, such risks seem to exist throughout the energy grid:
- “Legacy assets,” decades-old systems onto which more recent digital technology has been added, making them more vulnerable, not less.
- The technology is difficult to update because the operations have no downtime. You cannot shut down a pipeline regularly to update its software.
- The reluctance of rate regulators to allow expansion of cybersecurity budgets.
- The recent practice of industrial companies to converge their operational technology and information technology, which makes it harder to contain infections.
And then there's overconfidence:
More than two-thirds of executives at companies that transport or store oil and gas said their organizations are ready to respond to a breach, according to a 2020 survey by the law firm Jones Walker LLP. But many don’t take basic precautions, such as encrypting data or conducting dry runs of attacks, said Andy Lee, who chairs the firm’s privacy and security team. “The overconfidence issue is a serious phenomenon,” Mr. Lee said.
These are the practical constraints on limiting malware and ransomware attacks on critical energy sectors, like pipelines. And then there’s the political handicap. Despite sending out warnings and calling together task forces of bureaucrats to discuss the issue, the focus of the Biden Administration is not on shoring up cyber liabilities. To it, “infrastructure” means doing away with fossil fuels and making the grid even more vulnerable. In fact, as the editors of the Wall Street Journal argue:
The U.S. government could help companies harden their information systems, but the risks to infrastructure will grow unless the U.S. makes the energy system more resilient and redundant. That won’t happen with Mr. Biden’s 500,000 new EV charging stations and rooftop solar panels on every home.
Just the opposite. The grid and other infrastructure will become more vulnerable as more systems get electrified and connected. The Government Accountability Office warned in March that home solar panels, EV chargers and “smart” appliances that companies control remotely are creating new entry points for cyber criminals to take over the grid.
Defending the U.S. against cyber attacks is the Biden Administration’s most important infrastructure job, but that’s not what its $2.3 trillion proposal would do.
Buckle up for a bumpy ride.