We had hoped the Colonial Pipeline hack and ransomware event would be resolved quickly, but it became clear the subject wasn’t going away anytime soon.
That’s actually a good thing. On top of the SolarWinds and Microsoft Exchange Server hacks and resulting fiascos, the cyberattack snowball created by adding Colonial Pipeline to the fray is spurring action from various parts of the U.S. government. This pressure may actually result in some sorely needed changes coming in cybersecurity for critical infrastructure.
But first, let’s take a look at more information that’s come to light on the hack itself and Colonial’s actions.
After several days of the shutdown, accompanied by distribution problems and panic buying, Colonial said on May 12 it had restarted its entire pipeline system. The company also paid the attackers a $4.4 million ransom.
The FBI discourages paying ransoms, partly because it doesn’t always result in retrieving all the data, but also because it “emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.” More immediately important, last October the Treasury Department advised companies that paying ransoms in a cyberattack could risk violating Office of Foreign Assets Control regulations, making them liable to sanctions.
Some information that’s emerged since the hack implies Colonial may not have had the best cybersecurity technologies or practices in place. A technical audit of the company performed three years ago, although not focused on cybersecurity, found “glaring deficiencies and big problems” in its security practices. Robert F. Smallwood, whose company iMERGE performed the audit, told AP News that Colonial’s information management practices were “atrocious.” Smallwood found “a patchwork of poorly connected and secured systems” so bad that “an eighth-grader could have hacked into that system.”
In the same AP News article, Colonial said it had hired several firms since the iMERGE report for cybersecurity risk assessments, and that it has “active monitoring and overlapping threat-detection systems on its network.” Colonial also said in a statement that it had immediately engaged outside cybersecurity experts after discovering the hack and launched an investigation.
But CEO Joseph Blount told the Wall Street Journal in a May 19 article that “he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.” To anyone familiar with cybersecurity best practices and available technologies, that statement suggests the company likely lacked systems, whether run on premises or delivered as managed services by an external provider, that give enough visibility into its assets and networks to determine the extent of a breach. The company hasn’t revealed how the hackers got into its network in the first place. It’s quite possible it just doesn’t know.
Meanwhile, the city of Tulsa, Oklahoma managed to do a much better job of stopping a ransomware attack in late May that it said was “like Colonial’s.” Its security systems “identified the attack and shut down the city’s computer system before it was infiltrated,” according to an AP News article, which is exactly what such systems are supposed to do. There’s no indication any data was breached, and city officials didn’t feel it necessary to pay the attackers, either.
Oil & gas is not like electrical utilities
Several characteristics of the oil & gas industry contribute to events like the Colonial Pipeline hack. Although it’s often lumped together with electrical utilities as the “energy sector,” the petroleum industry differs in several ways affecting cybersecurity. The main ones are its lack of mandatory cybersecurity regulation, and a different set of physical realities that make cybersecurity especially challenging to implement or regulate.
Companies that produce electrical energy are regulated by the Department of Energy, while the Department of the Interior regulates the petroleum industry, including pipelines. The type of regulations can differ: cybersecurity rules for critical infrastructure that operates the power grid come from the North American Electric Reliability Corporation, Damon Small, technical director of security consulting for NCC Group North America, told EE Times. However, “the Department of the Interior’s regulations are concerned not with cybersecurity but with safety, protecting people and the environment from potential hazards such as oil spills,” he said. Small’s company advises critical infrastructure organizations in several sectors, including oil & gas.
That’s not to say the industry lacks up-to-date cybersecurity practices or technologies. “There are cybersecurity standards and best practices for oil & gas that can be very effective,” said Small. “Many of NCC Group’s oil & gas clients have sophisticated security teams within their organizations. But the industry is missing a law that includes compulsory standards, and sanctions for what happens when companies don’t follow regulations.” The result is uneven security practices across the industry. Small thinks stronger regulations should be, and will be, a result of the Colonial hack.
The fact that oil and gas travel through pipelines makes the situation, and the way the energy can be used, very different from the electrical grid. “The oil & gas infrastructure isn’t fragile, it’s robust, but there’s very little redundancy,” said Small. “So for Colonial, there wasn’t a backup for the pipeline or for the business systems that became unavailable after the shutdown.”
Also unlike the electrical grid, fuel comes in different formulations for different regions of the U.S., such as the East Coast, the Midwest and California. “During the week Colonial was down, one problem was what to do with all that gasoline, diesel and jet fuel already going through 5,500 miles of pipeline,” said Small. “The refineries filling that pipe had nowhere to go with their product and started slowing down. The problem cascaded throughout the industry, and it could take several days to get everything back up again. We have never seen an interruption of the delivery of petroleum products caused by a supply chain issue to this scale in this country.”
Feds to the rescue?
On the Monday following the Colonial hack, Richard Glick, chairman of the Federal Energy Regulatory Commission (FERC), and one of its commissioners, Allison Clements, issued a joint statement calling for mandatory pipeline cybersecurity standards similar to the electric industry’s. After mentioning the lack of FERC-like standards for petroleum products, the statement says, “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”
Two days later, President Biden signed the executive order on cybersecurity that had been rumored to be in the works for at least two months. It’s aimed at federal agencies, not private enterprise, but many consider it at least a start in that direction. The order requires all federal agencies to adopt basic cybersecurity practices such as multi-factor authentication, requires new security standards for software providers, and creates a pilot program for a rating system indicating whether software and devices connected to the Internet were developed securely. It even addresses mandatory breach reporting by IT and OT service providers that contract with the feds, as we reported it was expected to.
Meanwhile, the House of Representatives has re-introduced a bipartisan pipeline security bill first introduced last year. The Pipeline Security Act would cover natural gas and oil pipelines, clarifying the roles and responsibilities of the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA) in ensuring their security, giving them more authority, and enhancing TSA oversight. On May 27, the Department of Homeland Security issued a security directive that requires critical pipeline owners and operators “to report confirmed and potential cybersecurity incidents” to CISA and to appoint a cybersecurity coordinator who’s available 24/7. The directive “will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.”
How all this plays out remains to be seen.