One year after criminal hackers breached Colonial Pipeline Co., fears of another major cyberattack are rippling across the energy industry.
The May 7, 2021, ransomware attack was the most disruptive in U.S. history. It led to a shutdown of nearly half of the gasoline and jet fuel supply delivered to the East Coast. And it forced U.S. companies and government agencies to look more squarely at the risks that came with doing so little for so long to secure critical infrastructure.
Lines at the gas pumps and concern about energy shortages from the Oval Office to Capitol Hill hammered home the disastrous effect that a strike by hackers with safe haven in Russia could have on the average American.
“The Colonial event was a galvanizing and catalytic event for both industry and government,” said Scott Gorton, executive director of surface policy at the Transportation Security Administration.
The attack on Colonial by a group called DarkSide came after a more widespread cyberespionage campaign with ties to Russia broke into networks across the federal government and corporate America. The sophisticated SolarWinds Corp. hack in early 2020 was historic in scope and a national security threat. Yet it was an abstraction to most Americans.
But Colonial was different.
Soon after Colonial executives closed the 5,500-mile fuel spigot to ensure hackers wouldn’t do greater damage, photos on social media showed people hoarding gasoline.
“What it did was impact the average consumer at the pump,” said Mary Brooks, a resident fellow for cybersecurity and emerging threats at R Street Institute. “We know constituents care about what happens at the pump. Congress cares what happens at the pump.”
In the 12 months since then, after years of kicking the can down the road, the federal government acted. Congress mandated that companies operating infrastructure report to federal authorities when they’re hacked. The Biden administration imposed mandates to secure oil and gas pipelines — including some of the 3 million miles of natural gas pipelines in the United States.
In the immediate aftermath of Colonial, President Joe Biden reached a handshake agreement with Russian President Vladimir Putin to put an end to targeted hacks against U.S. infrastructure.
That fell away quick when Russia invaded Ukraine in February. Fears surfaced again that Putin would target U.S. and European energy companies. Since then, defending U.S. energy infrastructure against the Russian threat has been a constant source of outreach by the Biden administration to energy companies, both publicly and privately.
Experts say there are plenty of industry analogies for what must be done to strengthen energy cybersecurity.
“I equate Colonial Pipeline for cyber what San Bruno was for natural gas integrity,” said Kimberly Denbow, managing director of security and operations at the American Gas Association.
She was referring to a natural gas pipeline explosion in 2010 that destroyed homes in a neighborhood in San Bruno, Calif., outside of San Francisco.
For oil spills, the Exxon Valdez spill in 1989 was a galvanizing event, she noted. The BP Deepwater Horizon oil pipeline collapse in 2010 started a process — however successful — of requiring more from companies drilling in the deep ocean.
“Colonial pipeline was able to say, ‘Hey, we’ve been telling you all about cyber that’s happening in the news, and now it’s directly affecting your pocketbook and your tank,’” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.
Momentum has been building for cyber policy for a couple years. Efforts were amplified by the Colonial hack and likely cemented the eventual passage of the cyber notification bill and a national security memorandum on industrial control system cybersecurity, experts noted.
Colonial was a “clarion call” to companies that might not have viewed hacking as a critical business risk, said Eric Goldstein, executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency.
The Colonial attack quickly led to public pressure around the lack of mandatory cybersecurity regulations for the pipeline sector. And it led to a broader conversation around regulations for critical infrastructure beyond oil and natural gas.
At the time, the pipeline industry was revamping its voluntary cybersecurity measures. After Colonial, pipelines were met with a set of security directives issued by TSA. The new mandates required notification of major breaches within 24 hours and a slew of cybersecurity prescriptions.
The security directives found widespread criticism from industry and cybersecurity experts, who noted the directives didn’t account for just how different industrial systems are from corporate computer networks.
TSA is expected to issue a revised second security directive that addresses some of the issues.
TSA’s Gorton said the agency will replace some of its checklist of security measures with performance or outcome-based measures. The revised mandates will be issued before the second one expires at the end of July.
The pipeline industry says it’s getting a handle on the security threats, but there are issues upon issues involving money. Insurance often doesn’t cover the cost of a cyberattack.
Kinder Morgan Inc., which owns more than 80,000 miles of pipeline infrastructure, said in a recent Securities and Exchange Commission filing that “there is no assurance that adequate cyber sabotage and terrorism insurance will be available at rates we believe are reasonable in the near future.”
“Our insurance program may not cover all operational risks and costs and may not provide sufficient coverage in the event of a claim,” Kinder Morgan reported. “We do not maintain insurance coverage against all potential losses and could suffer losses for uninsurable or uninsured risks or in amounts in excess of existing insurance coverage.”
Energy Transfer LP, another major pipeline operator, warned that costs from a cyberattack “may not be covered by, or may exceed the coverage limits of, any or all of our applicable insurance policies.”
Colonial still faces regulatory scrutiny. On the eve of the anniversary of the ransomware attack, the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration issued a $1 million penalty for Colonial’s “ad-hoc approach” to restarting the pipeline system after the initial shutdown last year.
No internal communication plan, said the regulator, “created the potential for increased risks to the pipeline’s integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts.”
In a statement, Colonial said that their “approach to operating manually gives us the flexibility and structure necessary to ensure continued safe operations as we adapt to unplanned events.”
The digital future
Industrial cybersecurity defenders have warned for years that hackers don’t have to get into the control room to halt operations at an energy company as information technology (IT) are increasingly integrating with operational technology (OT) systems.
“From a lessons learned perspective it did reveal to a lot of companies that they don’t understand the interplay between IT and OT,” said Rob Caldwell, director of industrial control system and OT security at the security firm Mandiant.
Ben Miller, vice president of research and development at Dragos Inc., an industrial cybersecurity firm, said that ransomware is still a major concern because of this interdependency.
The Colonial hack could have been much worse if the malware had gotten into the pipeline’s control room technology. “Ransomware events are impacting OT operations regularly, and that goes unnoticed,” Miller said.
The Colonial hackers used an old remote login to breach the networks, which experts said spoke volumes about the risk of not taking basic security measures.
Danielle Jablanski, a cybersecurity strategist at Nozomi Networks, said there “are several ways to impact or disrupt business continuity. Whether that’s a single point of failure, a supply chain incident or something that is an IT outage that can cripple something on the OT side.”
For the pipeline sector and critical infrastructure at large, experts note, the answer to the question “Are we safer now?” is often simply: it depends.
Colonial increased awareness among C-suite executives. More people at higher levels in organizations are paying attention to cybersecurity. But some companies still struggle with staffing and a lack of resources to adequately defend themselves.
In addition, investments take time, and for oil and natural gas it’s not as simple as downloading a patch or installing a firewall service. Approval through public utility commissions is an important aspect to whether the funds can even be used.
“We have significant investment going on in in cybersecurity in general, but when you look at these specialized environments, such as OT, or some of these sort of ancillary systems that sit on the edges of IT, the investment is lacking,” said Marty Edwards, vice president of operational technology security at cybersecurity firm Tenable.
“In general, I think that we’ve made progress,” he continued, “but at the same time, I also know that we’re not making enough progress fast enough.”
Reporter Mike Lee contributed.