Cybersecurity experts say that last week’s ransomware attack against Colonial Pipeline, which led to the ongoing shutdown of the network that carries almost half the supply of gasoline, diesel and other fuel products to the U.S. East Coast, provides a graphic reminder of the rapidly evolving landscape of cyber threats against critical infrastructure.
The question now is how quickly policy makers and regulators can incorporate its lessons into their cybersecurity strategies.
“It seems like every couple of weeks now we [hear], ‘It’s a wake-up call to the industry, we’re going to get stuff fixed now,’” Tony Turner, vice president of security solutions at Fortress Information Security, told ERO Insider. “I think people are starting to get a little jaded. You can only hear that the sky is falling so many times. … But on the flip side, the Biden administration [is] currently working on policymaking around … the threat to critical infrastructure. … Obviously I don’t want bad things to happen to people, but the timing on it is somewhat fortuitous.”
Restoration Work Continues
Colonial’s 5,500 miles of pipelines have been shut down since Friday, when the company first discovered the presence in its system of malware that the FBI has since attributed to the cybercrime group DarkSide, believed to be based in Eastern Europe. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)
Three of Colonial’s four main lines remained offline Tuesday afternoon; one had temporarily reopened under manual control Monday night, but its current status was not mentioned in the company’s latest update. Additional lateral pipelines are also being controlled manually as Colonial pursues an “incremental process” of restoration, with operations expected to be “substantially” restored by the end of the week.
Seventeen states and D.C. are currently under a regional emergency declaration temporarily waiving overtime limits and sleep requirements for drivers transporting fuel. The Environmental Protection Agency also on Tuesday issued a temporary waiver allowing the sale of fuel blends in the affected states that normally would not be allowed under the Clean Air Act.
Cyberthreat Landscape Changing Rapidly
Beyond the immediate federal response, the Colonial incident has prompted renewed calls to address the cybersecurity vulnerabilities in key U.S. infrastructure. FERC Chairman Richard Glick and Commissioner Allison Clements weighed in on Monday with a statement endorsing “mandatory pipeline security standards” modeled on NERC’s Critical Infrastructure Protection (CIP) standards to cover the nation’s 3 million miles of natural gas, oil, and hazardous liquid pipelines.
Cybersecurity experts who spoke to ERO Insider agreed that the CIP standards are “a good start,” but warned that electricity providers must not assume that compliance means that they are fully protected. The Colonial attack shows that even the most critical infrastructure assets remain vulnerable
Peter Kelly-Detwiler, a principal at energy consulting firm NorthBridge Energy Partners, noted several important reminders for utilities from the Colonial incident. The first is that critical infrastructure today operates as “systems of systems” rather than as separate entities. Therefore, even when the electric grid is not directly affected by an incident, utilities may still feel a knock-on effect as vital services are cut off — as in the winter storms of February that impacted supplies of natural gas to generators in Texas and the Midwest. (See ERCOT was ‘Seconds and Minutes’ from Total Collapse.)
Fortress’ Turner echoed that observation, noting that he has heard from several clients in the electric industry worried about the impact of the Colonial shutdown on their fuel supplies.
The second, more serious reminder from last week’s hack is that non-state actors now pose as great a threat to critical infrastructure as those sponsored by nation-states. DarkSide, the suspected perpetrators of the Colonial breach, have no apparent affiliation with any government and claim to be interested only in money, yet they managed to affect the supply of fuel for millions of Americans.
“With state actors, you have mutual assured destruction; you have the capability for reciprocity — you hurt me, I hurt you,” said Kelly-Detwiler. “When it migrates into the field of non-state actors, [be it] ISIS [the Islamic State in Iraq and Syria] or somebody else, there is no reciprocity capability anymore.”
A changing battlefield means that the strategies need to change as well, with a “more formal national security posture” that treats cyberspace as “the new international field of conflict that it is.” Kelly-Detwiler points to the recent announcement that Chris Inglis, an Air Force veteran and member of the Cyberspace Solarium Commission, will be named the White House’s first national cyber director as a sign that the Biden administration is taking cyber threats to the U.S. more seriously than the Trump administration, when former National Security Adviser John Bolton fired the National Security Council’s cyberspace head. (See Biden to Name Morgan Stanley’s Easterly as CISA Head.)
The idea of elevating non-state actors to national security risks on par with foreign powers like Russia or China may spark memories of the period after the Sept. 11 attacks, when the Bush administration announced that states that harbor terrorist organizations would be treated as complicit in their attacks. Kelly-Detwiler cautioned against repeating this approach but said some kind of clarification of the rules of engagement in cyberspace is desperately needed.
“I’m not under any illusion that a conversation in the [United Nations] isn’t going to be met with a certain level of resistance,” Kelly-Detwiler said. “But I think it would at least make sense to articulate, ‘This is our strategy. If you do X, Y, or Z, you can expect this kind of a response.’ Because I think the more clarity there is, the less likelihood there is for a cyber war to move into a shooting war.”
The Role of Regulation
Many utilities require no reminding about the seriousness of the cyber challenge they face, particularly larger operators that deal with hundreds or thousands of attempted intrusions per day. However, strong debates continue about whether the industry as a whole is ready for the onslaught, particularly given the rapid changes in the grid itself from the proliferation of distributed energy resources such as wind and solar plants that rely on remote control by utilities and thus are more vulnerable to cyberattacks than traditional resources.
While the CIP standards are widely considered effective, these remain under development, and experts are concerned that not all utilities understand that the point of preparedness is to anticipate developing threats rather than do the bare minimum for regulatory compliance. There are efforts underway, both at FERC and in Congress, to incentivize investments in cyber security above and beyond the NERC requirements, but ultimately responsibility will rest on the utilities themselves. (See Manchin, Murkowski Reintroduce PROTECT Act.)
“An awful lot can be done in the basic blocking and tackling [that] are not very high-tech solutions — having a good strong password protocol, doing multifactor authentication, updating patches that have been identified as weak points in Windows or in other software,” said Tom Kuster, CEO of Merit Controls, a developer of modeling services and power plant control software for solar plants.
He added that security requires “the tenacity to stay after these things through all devices, all entry points, because you’re only as good as your weakest link, as far as security goes.”