A recent ransomware attack on the Colonial Pipeline left much of the Eastern U.S. in fear of serious fuel shortages. This attack highlights inconsistencies and weakness within the U.S. IoT cyber security capabilities.
Stay informed. Our Insights Newsletter highlights the latest news and analysis on global strategy, policy and risk. Subscribe to Insights
It seems that Texas’ energy infrastructure simply cannot catch a break this year.
The February winter storm that crippled the Lone Star State’s power grid was rivaled by the virulent cyber attack that crippled the 5,500 mile Colonial Pipeline in early May, which transports fuel from the Gulf Coast to locations throughout the mid-Atlantic and Northeast.
This attack serves as a national security threat from several perspectives, not only does it expose vulnerabilities in our nation’s critical infrastructure (including dams, powerplants, hospitals, airports, and more), but the pipeline also serves as a major artery supplying fuel to U.S. military installations.
While there is no evidence that the ransomware gained access to the critical control systems of the pipeline, in 2020 the Department of Homeland Security’s Cyber security and Infrastructure Agency reported that another pipeline operator had its control systems breached by a ransomware attack, which caused that pipeline to cease operations for two days.
As more sophisticated cyber attacks target critical control systems, many of which are controlled by Internet of Things (IoT) devices, the resulting devastation could be widespread; imagine hackers gain access to the control systems of a major dam in hopes of causing massive flooding in highly populated areas?
While it is difficult to predict when the next cyber attack targeting our nation’s infrastructure will occur, we can be certain that future attacks will have greater intensity.
The question remains, what safeguards can be implemented to prevent these attacks or lessen any fallout, especially given more attack surfaces exist due to exposures created by IoT?
More Exposures Means More Breaches
In March, the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced the development of three new research programs aimed at safeguarding the nation’s infrastructure against physical and cyber threats.
The goals of the programs should be lauded, including initiatives such as the use of advanced analytics to test existing industrial systems’ ability to withstand complex cyber attacks, studying the energy sector’s vulnerabilities to electromagnetic interference, and partnering with U.S. universities to train the next generation of cyber security experts.
This final initiative is very important, especially given the shortfall of cyber talent the world currently faces.
What makes initiatives like CESER so important is that our nation’s energy infrastructure relies on millions of IoT sensors across oil wells, drilling platforms, and the power grid. Examples of these sensors include sensors on the tanks’ cells to monitor when the tank is full, sensors on the pipeline to measure flow, and even sensors to detect when a tree falls on a power line.
These systems are inherently vulnerable for reasons such as the lack of security built into the product, the infrequency with which it is patched, and the complexity of managing a myriad of diverse sensors across a distributed network.
This makes IoT an easy target for hackers who are looking for low-hanging fruit to typically do one, or more, of three things: steal sensitive data, disrupt the flow of information, and/or compromise the integrity of the operations.
The hacker group DarkSide accomplished all three.
The incident highlights the “domino effect” that typically results from a cyber attack; despite the attack being directed towards the IT network, the hackers also compromised operations since Colonial and relevant customers intentionally ceased operations to avoid the risk of the ransomware spreading.
This move ultimately rippled down the supply chain, causing fuel depots and gas stations along the Eastern U.S. to run dry as panicked consumers rushed to fill their gas tanks for fear that fuel would be a scarce commodity in the weeks to come.
Airlines are also feeling the pinch of impending fuel shortages, and this comes at a tenuous moment when the travel industry is still recovering in the aftermath of COVID-19.
Even with Colonial Pipeline’s operations restarting, the long-term repercussions remain to be seen.
While the proliferation of IoT devices magnifies the severity and occurrence of cyber attacks, there are steps that can be taken to manage this emerging risk.
New Attack Methods Mean New Cyber Security Standards
The Department of Defense (DoD) understands the importance of cyber security within its supply chain, and the risks that the vast network of suppliers and vendors represents.
To help strengthen their supply chain, the DoD has implemented new requirements that all contractors must meet known as the Cybersecurity Maturity Model Certification (CMMC) program.
A “CMMC for Infrastructure”, or CMMC-I, must also be implemented because protecting our infrastructure is also a matter of national security.
CMMC-I would be key in preventing future cyber attacks like Colonial Pipeline and take the latest executive order signed by President Biden a step further. The executive order improves cyber posture within the Federal Government and CMMC-I would specifically address infrastructure cyber security improvements.
Initially, safeguards might include fundamentals of cyber security such as properly isolating IT and controls systems, establishing tighter policies on the inbound communications, and protecting the outbound information flow.
Deploying cyber hygiene training across an entire organization is also a critical issue that must be addressed, the vast majority of cyber attacks originate between the “keyboard and the chair” in the form of phishing attacks targeting individual employees and executives.
Detailed cyber incident response plans should be developed and reviewed by the Transportation Security Administration (TSA), given that the TSA is responsible for assessing pipeline security. The TSA should also seek guidance from the aforementioned CESER given its focus on cyber security initiatives.
While cyber insurance is an important aspect of providing financial support to a firm in the wake of an attack, the federal government should revisit the strategy behind California’s Assembly Bill 1054. This bill was designed to assist California power companies cover wildfire liabilities resulting from their equipment failing in the field (downed power lines, for example) via the creation of a “pool of funds” these utilities would fund annually, and tap should a wildfire occur.
This could also be a component of CMMC-I, where the operators of critical infrastructure like dams, pipelines, and power companies must contribute to a pool in order to remain in good standing with federal regulations.
The pool would also absorb some of the burden the insurance industry may face should future cyber attacks impact multiple organizations causing billions in claims. Several lawmakers and industry consultants have called for tighter pipeline regulations, and CMMC-I could be an important step for all U.S. infrastructure, not just pipelines.
Until uniform guidelines like CMMC-I are established, the U.S. has no choice but to respond to future attacks against our infrastructure on a case-by-case basis and hope that the fallout can be contained.