The ransomware cyberattack on the Colonial Pipeline in May brought a short-term disruption of gasoline supplies to the East Coast of the United States. Experts warned the assault has longer-term implications for the oil and gas industry, and for the nation’s critical infrastructure.
The 5,500-mile pipeline is a key U.S. energy link, normally supplying East Coast states with 45 percent of their fuel, according to Colonial officials. It went offline after a cyber-hacker group infiltrated the company’s servers and encrypted some of its data.
Following the attack, government agencies quickly vowed to strengthen the nation’s cybersecurity efforts. But the great majority of U.S. energy supply – more than three-quarters, by many estimates – is in the hands of private industry.
Bloomberg News Service reported the Colonial incident “reflects a historically lax cybersecurity culture in the oil and gas industry.”
It cited Brian Walker, a Dallas risk advisory executive, who estimated small energy companies spend about 0.25 percent of revenue on security, while big electric companies spend 0.75 percent and large tech companies and banks about 1.5 percent.
Who Is Responsible to Guard Against Cyberattack?
The U.S. Department of Energy’s CESER program, started in 2018, is so new that it doesn’t have its own Wikipedia page.
It might get one.
CESER stands for the Office of Cybersecurity, Energy Security and Emergency Response. Its mission includes safeguarding critical U.S. energy infrastructure against evolving cyber and physical threats.
The DOE office counsels and assists the energy industry along with the government’s principal cyber-protection arm, the Cybersecurity and Infrastructure Security Agency, a standalone federal agency operating under U.S. Department of Homeland Security oversight.
“Oil and gas is a part of one of the 16 critical infrastructure sectors identified by CISA, the energy sector. This (attack) has obviously had an impact and we need to do what we can to mitigate risk,” said cybersecurity expert Mauricio Papa.
Papa teaches at the University of Tulsa, where he is Brock associate professor in the Tandy School of Computer Science.
He said CISA regularly reaches out to industry and to individuals in the cybersecurity field to provide information and updates.
“In general, they’re in contact to provide advice and guidance. You would expect all these companies to have their own departments or offices in charge of cybersecurity,” he noted.
Counting on the Mercy of Criminals
The Colonial Pipeline attack could have been worse, according to Papa, because the hackers encrypted data but did not corrupt or take control of operations software.
“You have IT (information technology) and OT (operations technology). Obviously, you have to be able to protect both. My understanding of the Colonial hack is that they did not get to the operational side. That would have made matters much worse,” he said.
“Once you have control of the OT side of the network, then risk increases substantially,” he added.
At the same time as the pipeline shutdown, the city government in Tulsa was clearing malware from its own computer systems. City officials said ransomware apparently infected the network in April, but did not identify a suspected source of the assault.
“Ransomware attacks now are pretty common. They seem to have worked for the bad guys. In the case of Colonial Pipeline, it seems to have been much more of an organized group,” Papa said.
The FBI reported that ransomware used in the Colonial attack was linked to the hacker group DarkSide, operating out of eastern Europe and Russia. In a twist on the computer industry’s software-as-a-service (SaaS) model, DarkSide reportedly has offered its encryption capabilities and ransomware as a service to other cyber-hacking groups.
“It’s a model they have – they offer this as a service to bad actors. It’s unbelievable, the organization they have,” Papa commented.
Fuel deliveries returned to normal levels on the Colonial Pipeline in just over a week after its precautionary shutdown. Depletion of gasoline at some East Coast service stations in May apparently resulted more from panic buying and some fuel hoarding than from the delivery interruption.
Energy systems like pipelines and power grids not only operate using computer software but also rely on connections with other networks, making them more open to cyberattacks.
“Many of the things we do are automated and actions are communicated and coordinated over a network. That’s what makes us vulnerable – all the interconnection,” Papa said.
Protection against ransomware attacks requires heightened awareness of the threat and of the methods used by hackers, as well as state-of-the-art technology protection for computer systems and networks, according to Papa.
“The first step in that kind of attack is having access to a protected resource. There are several ways to do that,” he said.
“Raising awareness is critical, because often during this phase there’s a human in the loop to give the attackers access,” he added.
That access is usually unintentional – the result of phishing scams, stolen or poorly guarded passwords, accessing virus-laden Web sites, carelessness or other bad computer-user habits. Clicking on links or attachments in unsolicited emails is never a good idea, Papa said.
“Then there are things you can do on the technological side, making sure your system is properly designed, your network is protected,” he said.
More Common Than You Know
Colonial Pipeline initially announced it would not pay to regain control of its encrypted data, but later acknowledged paying about $4.4 million. Company CEO Joseph Blount called the payment controversial because it could encourage future ransom attacks, but said it “was the right thing to do for the country.”
“Many victims of those attacks fly under the radar. They pay the ransom and we may never hear about it,” Papa noted.
That makes it impossible to know the exact size and scope of ransomware attacks, although the FBI and other agencies and online services have estimates of their extent in the United States, Papa said.
“Anyone who has operations on the Internet is vulnerable to attack. They know they have you once they’ve encrypted your data,” Papa said.
“There are things we need to do on the human side and there are things we need to do on the technological side – making sure you follow standard practices, making sure your networks are secure,” he said.
Papa thinks ransomware attacks have reached the point where government and industry should go on the offensive against criminal cyber-hackers, and not simply rely on defensive measures. For the future, he said, “we have to keep fighting.”
“We’re getting better,” he noted, “but sometimes we’re playing cat-and-mouse. We need to be more proactive rather than reactive.”