The cyberattack on Colonial Pipeline illustrates how difficult it will be for electric utilities to protect their grids from disruption, experts say, even when attacks are primarily targeting information technology (IT) systems.
The Colonial ransomware attack never migrated into the pipeline's operational technology (OT) environment, and the company says the shutdown was a proactive safety measure. That's good protocol, security experts say, though it simultaneously exposes a vulnerability:
"If you have an attack on the IT network, the OT network is going to go down," according to electric utility sector security consultant Tom Alrich.
An attack on one ...
Colonial transports gasoline, jet fuel and other refined products, but experts say a similar attack on a natural gas pipeline could have impacted combined cycle generation facilities. Federal power regulators are now calling for new pipeline security requirements.
The Colonial attack did not directly affect the electric sector, but that is beside the point, security experts say. U.S. critical infrastructure is under attack, with Colonial now sitting alongside SolarWinds and the Oldsmar, Florida, water facility hack as examples of the country's lagging security.
"Every electric utility, pipeline operator, power plant, or anything else related to the energy sector should view this [as an] attack on themselves," said Jerry Ray, chief operations officer at cybersecurity company SecureAge. "There's nothing that Colonial did or didn't do with its cybersecurity defenses that would significantly differ from that of any other major company within the industry."
"You can't have a ransomware attack on your IT network and not have it affect the OT network unless it's like one machine," Alrich said. "In theory," Colonial could have shut down the IT network and left its OT operating, "but in practice that's a very bad idea," he said.
OT networks often need some information from the IT side, so there can be operational impacts [of an IT attack], Alrich said. While the risk of malware migrating from IT to OT may be minimal, if it were to happen, the effects could be devastating.
The group acknowledged the disruption in a statement, but it said its attack was financially motivated and not designed to halt the pipeline's operation.
"Our goal is to make money and not creating problems for society," DarkSide said in a statement. "From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."
Experts say the economics of ransomware — cheap to deploy, and potentially very lucrative — means the problem will grow.
"This is not the first ransomware cyberattack on an oil and gas utility — and it won't be the last — but it is the most serious. It is also potentially one of the most successful cyberattacks against US critical national infrastructure," David Bicknell, principal analyst at GlobalData's Thematic Research, said in a statement.
FERC head calls for new pipeline security requirements
The Colonial attack led the head of the Federal Energy Regulatory Commission to call for consideration of pipeline cybersecurity standards similar to the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards.
“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," FERC Chair Richard Glick said in a statement. Glick was joined by Commissioner Allison Clements in the call for stricter requirements.
"Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors," the regulators said.
The Colonial attack has revealed a "gap" in critical infrastructure security, said Yury Dvorkin, assistant professor of electrical and computer engineering at the New York University Tandon School of Engineering.
"While cyber intrusions can be identified in a timely fashion, that is before these exploits are operationalized to damage infrastructure, there is still a gap in cyber defense capabilities that would avoid the need of shutting down the entire infrastructure," Dvorkin said in an email.
Energy systems need tools to analyze, localize and isolate cyber threats "before they propagate and affect large portions of the infrastructure, thus increasing the likelihood of complete shut downs," he said, pointing to artificial intelligence and machine learning as a possible solution.
The Edison Electric Institute, which represents investor-owned utilities, is keeping an eye on how the Colonial hack could impart lessons to the electric power sector.
"As this investigation unfolds, it will be important to understand how control systems were impacted — if at all — and what mitigation was effective," Scott Aaronson, EEI's vice president for security and preparedness, said in a statement.
Attack should be a 'wake-up call for the electric side'
The proactive shutdown of the Colonial pipeline is a feature, not a bug, experts say.
"Assuming they are able to isolate the attack and bring the control systems back online within a few days, this will be a shining example of a company's ability to respond to and mitigate an attack," Nick Cappi, cyber vice president of portfolio strategy and enablement at Hexagon, said in an email.
However, higher fuel prices, shortages and rationing could result if Colonial is not back online soon, Cappi said.
The company issued a statement saying it is working to return to service "in a phased approach" with "the goal of substantially restoring operational service by the end of the week." The company expects each market it serves will recieve product by midday Thursday.
Security firms recommend multifactor authentication, tested incident response plans and off-site system backups to avoid similar ransomware attacks in the future.
"I would hope that the gas pipeline hack is a wake-up call for the electric side of the power industry. Imagine a similar attack on the power grid in the dead of summer," Rick Tracy, chief security officer and product manager at cybersecurity firm Telos Corp., said in an email. "How many heat-related deaths might occur in the hottest parts of the country? Let's not wait to find out."