Houston Chronicle

Regulators push for infrastructure security standards

By Brad Plumer, NEW YORK TIMES

WASHINGTON — The audacious ransomware attack that shut down a major fuel pipeline and sent Americans scrambling for gasoline in the Southeast this week was not the first time that hackers have disrupted America’s aging, vulnerable energy infrastructure. And it’s unlikely to be the last.

Across the globe, cyberattackers are increasingly taking aim at the energy systems that underpin modern society. A February report from IBM found that the energy industry was the third most targeted sector for such attacks in 2020, behind only finance and manufacturing. That was up from ninth place in 2019.

“This should be a wake-up call,” said Jonathon Monken, a principal at the energy consulting firm Converge Strategies. “When you look at what’s most likely to cause disruptions to energy companies today, I think you have to put cybersecurity risks at the top.”

Despite years of warnings, America’s vast network of pipelines, electric grids and power plants remains acutely vulnerable to cyberattacks with the potential to disrupt energy supplies for millions of people. Dealing with those risks, analysts said, will pose a major challenge for the Biden administration as it seeks hundreds of billions of dollars to modernize the nation’s energy infrastructure and transition to cleaner sources of energy to address climate change.

Regulators are increasingly poised to step in. On Monday, Richard Glick, the chairman of the Federal Energy Regulatory Commission, said it was time to establish mandatory cybersecurity standards for the nation’s nearly 3 million miles of oil and gas pipelines, similar to those currently found in the electricity sector.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick said in a statement.

The risks to the nation’s energy systems are widespread and varied. Many oil and gas pipelines, for instance, rely on decades-old control systems that are not well defended against more sophisticated cyberattacks and can’t be easily updated.

And it’s not just pipelines. As electric grid operators harness a growing array of digital technologies to help manage the flow of power and cut planet-warming emissions — such as smart thermostats, or far-flung yet interconnected networks of solar arrays — hackers may find new entry points to exploit.

The shutdown last week of the Colonial Pipeline, which stretches 5,500 miles from Texas to New Jersey and transports 45 percent of the East Coast’s fuel supplies, illustrates how devastating such attacks can be.

The day after the shutdown, Colonial acknowledged that its corporate computer systems had been hit by a ransomware attack, in which criminal groups hold data hostage until the victim pays a ransom. The company said that it had shut down the pipeline as a precaution, apparently for fear that the hackers might have obtained information that would enable them to attack parts of the pipeline itself.

Colonial said Wednesday that it had started to resume pipeline operations, although it would take several days to restore full service. But throughout the Southeast, panicked Americans were racing to stock up on gasoline, causing thousands of gas stations to run out of fuel.

While Colonial has yet to explain exactly what triggered the pipeline shutdown, experts said there were plenty of vulnerabilities lurking throughout America’s energy infrastructure.

Many industrial control systems were installed decades ago and run on outdated software, which means that even finding programmers to upgrade the systems can be a challenge. And the operators of vital energy infrastructure — such as pipelines, refineries or power plants — are often reluctant to shut down the flow of fuel or power for extended periods of time to install frequent security patches.

Making things harder still, analysts said, many companies do not always have a good sense of exactly when and where it’s worthwhile to spend money on costly new cybersecurity defenses, in part because of a lack of readily available data on which types of risks they are most likely to face.

“Companies don’t always release a lot of information publicly” about the threats they’re seeing, said Padraic O’Reilly, a cofounder of CyberSaint Security, who works with pipelines and critical infrastructure on cybersecurity. “That can make it hard as an industry to know where to invest.”

Analysts said that the nation’s electric utilities and grid operators were typically further ahead in preparing for cyberattacks than the oil and gas industry, in part because federal regulators have long required cybersecurity standards for the backbone of the nation’s power grid. Still, vulnerabilities remain. “Part of it is the sheer complexity of the grid,” said Reid Sawyer, managing director of the U.S. cyberconsulting practice at Marsh, an insurance firm.

Not all levels of the grid face mandatory standards, for instance, and there are more than 3,000 utilities in the country with varying cybersecurity practices.

Energy companies may never be able to defend themselves against every single potential cyberattack out there, experts said. Instead, businesses and policymakers will need to design broader energy systems that are resilient to attacks and potential shutdowns, by, for instance, building in more redundancies or overrides.

“It’s an old saying in cybersecurity: The people working defense have to be right 100 percent of the time, while the attackers only have to be right once,” Monken said. “That means we have to think a lot harder about contingencies when those defenses fail.”

Sean Rayford / Getty Images: Motorists wait at a gas station Wednesday in Fayetteville, N.C., as most stations in the area along Interstate 95 were without fuel following the Colonial Pipeline hack.

Mark Kauzlarich / Bloomberg: Colonial Pipeline acknowledges its corporate computer systems had been hit by a ransomware attack last week, and the company shut down the pipeline as a precaution.
