The cybersecurity attack on the Colonial Pipeline in early May caused major disruptions across the eastern United States, but experts warn similar attacks could occur in the future as much of the nation’s energy infrastructure remains vulnerable.
Multiple states and Washington, D.C. experienced widespread gas shortages after hackers targeted the Colonial Pipeline, which transports more than 100 million gallons of gasoline daily. The shortages led several governors to declare states of emergency and motorists formed long lines at the few remaining stations with gas.
The FBI confirmed that hackers associated with the group DarkSide deployed ransomware against the pipeline company’s business systems. The pipeline network shut down out of concern the malware that infected its back-office functions could spread to the pipeline’s operating system or make it difficult to charge suppliers for fuel transported along the pipeline.
Energy Secretary Jennifer Granholm announced May 12 that the Colonial Pipeline was planning to resume operations after initially shutting down the week before. It was later reported that the company paid a $5 million ransom “in untraceable cryptocurrency within hours after the attack.”
Colonial Pipeline systems have since returned to normal, but the attack demonstrated an urgent need to address existing cybersecurity challenges facing the nation’s energy infrastructure, according to the Government Accountability Office (GAO).
A confidential report from the Energy and Homeland Security Departments found that the nation could only afford three to five more days with the pipeline shut down before experiencing major disruptions to mass transit, chemical factories and refinery operations, The New York Times (NYT) reported.
“This attack has exposed just how poor our resilience is,” Cyber Readiness Institute managing director Kiersten E. Todt told the NYT. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”
Emory University information systems professor Ramnath Chellappa told NPR-WABE that a major concern about the pipeline hack is that copycat online hackers could use similar tools in future attacks. He noted that many of the techniques hackers use are shared on the dark web and in online forums.
“A lot of these high-profile hackers can actually put out the software, the techniques and the mechanisms that they used, in some of these hacking forums and groups,” Chellappa said. “There could be others who may not be necessarily as sophisticated as the original ones, but they may also be able to implement those techniques.”
The reported ransom payment has also faced scrutiny from some cybersecurity experts, who told USA Today that ransom may incentivize hackers to launch even more malware attacks on critical targets. Former cybersecurity official Christopher Krebs testified two days before the attack that hackers “have been allowed to run amok” because their crimes are so lucrative.
“The time has absolutely come for governments to consider prohibiting ransom payments,” suggested Emsisoft threat analyst Brett Callow. “If the payments stop, the attacks will stop.”
“I personally believe that part of the reason there is a thriving market and ecosystem for ransomware is that people are paying,” agreed former Obama administration cybersecurity coordinator Michael Daniel. “Now, it’s a national security and safety threat. And the Colonial Pipeline example makes that abundantly clear.”
The U.S. government has warned about threats and attacks on energy infrastructure for years. A Congressional Research Office report in 2017 stated that power grids and pipelines are especially vulnerable, and “cyber threats to the computer systems that operate this critical infrastructure are an increasing concern.”
One suggestion experts said could protect energy infrastructure from future attacks is for the U.S. government to consider minimum cybersecurity safety standards on those companies, which are currently in place only for the nuclear energy industry, according to USA Today.
Companies are not required to adhere to any standards for protecting against intrusions, nor are they required to maintain secure backups of their data and systems. Federal agencies instead offer guidelines and recommendations urging industries to voluntarily take such precautions against cyberattacks.
GAO has made more than 3,300 recommendations since 2010 aimed at addressing cybersecurity shortcomings in the public and private sectors, but around 750 of those had not been implemented as of December 2020.
But the Colonial Pipeline attack has drawn significant attention from the federal government, and spurred President Joe Biden to sign an executive order last Wednesday aiming to protect the nation against “increasingly sophisticated” cyberattacks.