National Post

HOW TO HACK A PIPELINE

COLONIAL ATTACK PUTS ENERGY CYBERSECURITY IN SPOTLIGHT

- Stephanie Hughes

The weekend ransomware attack that forced Colonial Pipeline Co. to shut the largest U.S. fuel pipeline has been one of the most disruptive cybersecurity incidents ever reported.

While Colonial hopes to have operations restored by the end of the week, questions about the attack remain. For one, how did the hackers, believed to be a Russian group called Darkside, gain access to Colonial’s systems? And just how secure is pipeline infrastructure more generally?

How can you attack a pipeline?

While Colonial has yet to confirm how its network was breached, at least one cybersecurity expert pointed to an industry-wide weakness in pipeline networks as a potential point of entry.

John Cusimano, vice-president at aeCyber-Solutions, a South Carolina-based company that specializes in industrial cybersecurity, noted that pipeline companies typically use a system known as a supervisory control and data acquisition (SCADA) network, in which a central computer system branches out to all other mechanical devices on the network. For pipelines, the central computer operates everything from terminals and computers to pumping stations, tank farms and remote valves that isolate sections along the pipeline, providing complete control of flow and pressure across the network.

Cusimano said that a common gap in the industry is the lack of segmentation of control between the central computer and the other devices in the SCADA network.

“These are very large networks covering extensive distances but they are typically ‘flat’, from a network segmentation standpoint,” Cusimano said in an email. “This means that once someone gains access to the SCADA network they have access to every device on the network.”

While the company’s IT network for business communications is typically secured, Cusimano said pipeline companies have hundreds of miles of pipeline with facilities scattered across remote areas with little to no physical cybersecurity infrastructure. For a variety of reasons, these devices and networks are not maintained and updated at the same level as the IT networks and in many cases, the SCADA software is connected to an outdated machine that, because of its age, can’t be updated to modern operating systems.
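To make the “flat network” point concrete, here is an added illustration (not code from the article, from Colonial or from aeCyber-Solutions) that models zone-to-zone reachability rules and computes how much of the network a single compromised host can reach. The zones, host names and rule sets are constructed for the example; a real audit would derive them from firewall and router configuration.

```python
"""Blast-radius comparison: flat SCADA network vs. segmented IT/DMZ/control/field zones.

Constructed example for illustration only; zone names, hosts and rules are assumptions,
not a description of any real pipeline operator's network.
"""
from collections import deque

# Constructed topology: zone -> hosts in that zone.
ZONES = {
    "enterprise_it": ["hr-laptop", "mail-server"],
    "ot_dmz": ["historian-mirror"],
    "control_center": ["scada-master"],
    "field": ["pump-station-1", "tank-farm-plc", "remote-valve-7"],
}

# Flat network: every zone may initiate connections to every other zone.
FLAT_RULES = {zone: set(ZONES) for zone in ZONES}

# Segmented network: IT may only reach the OT DMZ; the DMZ initiates nothing;
# the control center pulls from the DMZ and talks to field devices;
# field devices talk only among themselves.
SEGMENTED_RULES = {
    "enterprise_it": {"enterprise_it", "ot_dmz"},
    "ot_dmz": {"ot_dmz"},
    "control_center": {"control_center", "ot_dmz", "field"},
    "field": {"field"},
}

def zone_of(host):
    return next(zone for zone, hosts in ZONES.items() if host in hosts)

def is_flat(rules):
    """True when every zone is allowed to initiate to every zone (no segmentation at all)."""
    return all(set(ZONES) <= rules.get(zone, set()) for zone in ZONES)

def reachable_hosts(start, rules):
    """Hosts an intruder on `start` could reach by pivoting along allowed zone-to-zone paths."""
    seen = {zone_of(start)}
    queue = deque(seen)
    while queue:
        zone = queue.popleft()
        for nxt in rules.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {h for zone in seen for h in ZONES[zone]} - {start}

def blast_radius(start, rules):
    """Fraction of all other hosts reachable from a compromised `start`."""
    total = sum(len(hosts) for hosts in ZONES.values()) - 1
    return len(reachable_hosts(start, rules)) / total
```

Under the flat rules any foothold, including an office laptop, reaches every pump station and valve; under the segmented rules the same laptop reaches only the DMZ.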

Colonial did not immediately respond to questions about how the attack unfolded or the nature of the network breach. While the SCADA networks could be the source, Cusimano said an attack on the company’s central IT network was also a possibility.

Bloomberg News reported that the ransomware ultimately managed to reach Colonial’s administrative network and locked employees out of company computers. Darkside hackers also reportedly stole almost 100 gigabytes worth of data before the group encrypted the company’s files and demanded payment in exchange for unlocking them.

How bad could it have been?

Colonial said in a statement that it was forced to shut down its four mainlines on Friday, taking out a large portion of its 5,500-mile pipeline infrastructure. While there was no indication of physical damage, the scope of the shutdown suggested that mechanical networks may have been at risk.

Cusimano told the Financial Post that ransomware attacks usually leave administrators locked out of their systems and devices until they pay a ransom to the hackers. However, a targeted attack on physical networks could have stark consequences.

“It could be a lot worse if this malware was also more targeted and able to actually modify the control algorithms,” he said. “Then you can run into scenarios where say, in a tank farm, one of the bigger concerns there is you lose control over the level in your tanks and tanks can start to overflow. Then you’ve got gasoline pouring out of tanks, and if that hits an ignition source, fires and explosions could be the result.”

If hackers gained access to valves and storage facilities, they could cause any number of problems, from health to environmental concerns.

In Colonial’s case, where the mainlines were shut off, Cusimano said that the effects will be largely economic.

“It looks like this is most likely going to just be a denial-of-service type event, and they saw no health and safety, environmental (impact), just massive business interruption and financial losses.”

Should we be worried about pipeline security in general?

The risk of infrastructure breaches is an issue that has been on the U.S. national security radar before.

Last February, the Cybersecurity and Infrastructure Security Agency (CISA) responded to a cyberattack affecting the operational technology network of an unnamed natural gas compression facility.

Much like the situation at Colonial, the company reported that it lost availability across its assets. One detail CISA warned about in that case was that the victim of the breach had not set up a strong enough barrier between its information technology and operational technology networks, leaving it exposed to an attacker who could reach both.

Attacks like that one prompted CISA to launch a pipeline cybersecurity initiative this February that comprises thousands of energy companies and over 2.7 million miles of pipeline infrastructure. One of the points they’re aiming to get across is that as these companies integrate information and operational technology together to drive an automated workplace, they must also modernize their cybersecurity measures.

Padraic O’Reilly, the cofounder and chief product officer at the Boston-based security software company CyberSaint, said the Colonial incident could be a wake-up call for the pipeline sector and regulators, but that there are still hurdles to overcome.

“Historically, it’s a dance between the regulators, and the governance structures, and then the security teams,” said O’Reilly, adding that cybersecurity must evolve with technology that is being updated rapidly. That means the private and public sectors need to work together. “So, what really needs to happen is, public-private partnerships need to drive more investment that isn’t the quarter-to-quarter business model that you often see in infrastructure,” he said.

Cusimano, too, warns that while there are defences in place, the pipeline industry is still quite vulnerable. Multiple co-ordinated attacks could be economically crippling, he said.

“Unfortunately, it’s of course a matter of the will of the attackers,” he said. “If there are other threat actors out there wishing to do the same, there’s nothing between now and next week or next month that’s going to change significantly enough to prevent them from being successful.”

Photo: LUKE SHARRETT / BLOOMBERG FILES. Colonial Pipeline said on Sunday that it was still developing a plan for restarting the U.S.’s largest fuel pipeline — a critical source of supply for the New York region — and would only bring it back when “safe to do so.”
