(Americas) Greater Scrutiny of Infrastructure Systems Needed
By Malcolm Ramsay
With operation resumed at the Colonial Pipeline on the U.S. East Coast, the worst of the threat from the recent cybersecurity intrusion appears to be over; however, the implications for supply chains may be longer lasting.
The giant conduit, stretching from Texas to New York, is the largest pipeline system for refined oil products in the U.S. and has capacity for 3 million barrels of fuel per day. Operated by Colonial Pipeline Co., the system was attacked by hackers who issued a ransom demand on May 7, leading to the shutdown of the pipeline within hours.
The Colonial Pipeline Co. reportedly paid hackers nearly US$5 million in cryptocurrency to restore operations.
“The Colonial Pipeline incident highlighted energy infrastructure's potential vulnerability to cyber attacks. It is a problem that has been understood for a long time, but having an actual event with real world repercussions tends to focus minds and budgets. I would expect infrastructure operators and cybersecurity providers are all reviewing their cybersecurity measures and protocols,” Jed Bailey, managing director at consultancy Energy Narrative, told Breakbulk.
Critical Infrastructure
While the frequency and scale of cyber-attacks have grown rapidly over the last 10 years, there have been few successful hacks of infrastructure targets that have had the same impact as the recent shutdown of the Colonial Pipeline.
“Colonial Pipeline is ultimately the jugular of the U.S. pipeline system. It’s the most significant, successful attack on energy infrastructure we know of in the United States,” said Amy Myers Jaffe, energy analyst and managing director of Climate Policy Lab.
While it appears that the hack did not compromise any of the physical infrastructure of the pipeline, but rather penetrated the company’s administration IT systems, the net result of a shutdown raises significant questions for the future.
“The cyberattack on the Colonial Pipeline systems does not appear to have been a problem with the pipeline infrastructure itself or even its operational technology as the attack focused on the company’s IT system. A change in the way that the U.S. pipeline system operates geographically is not likely. Instead we’re more likely to see new regulations put into place regarding the way that IT and OT infrastructure works for companies operating critical infrastructure,” said Matthew Bey, Stratfor senior global analyst at RANE.
Accelerated Cybersecurity Framework
One of the key outcomes of the Colonial Pipeline attack is likely to be a comprehensive tightening of cybersecurity measures across the oil and gas supply chain. While it was a pipeline that was attacked in this instance, the increasing connectivity of all participants in the energy supply chain means that new defenses need to be inclusive.
For breakbulk operators this may well lead to the need to install new technology and train staff to understand and protect against the threat of data intrusions.
“This is one aspect of the arms-race nature of cyber risks: both sides are continually working to uncover vulnerabilities; one to exploit them, the other to remove them. An incident like this, and Colonial's response, provide information to both sides that they can use to adapt their operations,” Bailey added.
Within days of the attack, President Biden signed a new executive order tightening cybersecurity and adding further protection to federal government networks. The order aims to improve information-sharing between the government and the private sector on cyber issues and enhance cloud services and zero-trust architecture, mandating greater multifactor authentication and encryption.
“The attack is the third major cyberattack against the U.S. uncovered in the last six months, and the first two led to Biden signing an initial executive order on May 13 to address deficiencies. But the focus of the executive order was on government contractors and vendors, not the private sector. Biden is likely to expand the scope in further action, through new guidelines and rules that CISA [Cyber and Infrastructure Security Agency] requires or follow-on executive orders. The visible impact – and the political consequences of long lines at gas stations – will likely necessitate further action,” Bey said.
Cybersecurity Safety Review Board
Another key outcome will be the launch of a new Cybersecurity Safety Review Board, co-chaired by government and private sector leads, to analyze cyber incidents and shape future strategy. This body will also be supported through a pilot program to create an “energy star” type labeling system to identify software that has been developed securely and help assess the vulnerabilities of contractors' systems.
Bailey of Energy Narrative notes that regulations in this area are "relatively light," with most governments focused on the risk from other state actors, rather than cyber criminals motivated by economic gain. But this could now change as public interest concerns justify greater government intervention in key infrastructure projects.
For breakbulk operators supporting these projects the outcome remains uncertain at present, but it seems likely that the direction of travel is towards greater monitoring of digital systems. This could include tighter reporting requirements and related breach notification for breakbulk contractors working on critical infrastructure projects.
“CISA and the federal government, as well as Congress, will likely organize some sort of review of its cybersecurity regulations and rules for critical infrastructure including pipelines as a response. Those reviews will likely result in some reforms being passed, but pipeline projects themselves will likely not be shifted in the way they are managed. More requirements around cybersecurity will likely be the main way that the industry is impacted long-term, as opposed to more structured reforms beyond that,” Bey said.