When a ransomware attack hit Colonial Pipeline, one of the largest fuel distributors in the U.S., in May 2021, the company was forced to temporarily shut down operations, freezing the supply of gasoline and diesel fuel to more than seventeen states in the southeast and northeast of the country. It was one of the highest-profile cyberattacks in recent years, prompting a rush of panic buying among drivers and sending gasoline futures to their highest levels in years.
Many media commentators called the incident shocking, and others were appalled by Colonial Pipeline's track record of significant safety violations or by its CEO's decision to pay the $4.4 million ransom the attackers demanded. We at BTB Security, however, weren't surprised by the events that took place.
After all, critical infrastructure assets are a highly attractive target for nation-state threat actors and cybercriminals alike, offering both maximum attention and maximum damage. They're also lucrative for ransomware operators, who deliberately seek victims in industries where every hour of downtime is costly and the pressure to pay is high. And they often run outdated or inherently insecure operational technology (OT), since OT frequently lags as much as a decade behind IT in cybersecurity maturity.
The worrisome reality is that the Colonial Pipeline attack may well be a harbinger of things to come. Similar attacks have taken place before, including a string of 2018 intrusions into the third-party customer-facing communication systems used by at least four U.S. natural gas pipeline operators. As long as critical infrastructure remains essential to national security, it will continue to attract the most sophisticated and well-resourced attackers in the world.
The U.S. Power Grid Remains a Target
Electric vehicle owners may have been relieved that the Colonial Pipeline attack didn't affect them, but the electric grid is also a prime target. Ever since attackers took remote control of the distribution systems of three Ukrainian utilities in December 2015, opening breakers at roughly 30 substations in the Ivano-Frankivsk region of western Ukraine and cutting power to more than 200,000 customers, utility companies and government officials have wondered whether the same thing could happen in the United States. And, in fact, in March 2019 an attacker exploited a known vulnerability in unpatched, internet-facing firewalls at a western U.S. utility, causing the devices to reboot repeatedly and creating brief "blind spots" in which operators lost visibility into remote generation sites. Though the incident did not interrupt the actual flow of electricity, it remains an unsettling reminder of the weaknesses in the power grid, and of how much damage a single unpatched perimeter device can do.
Water Treatment Plants at Risk
It's not only the power grid and oil and gas pipelines that are being targeted. In February 2021, an intruder used a remote-access tool (TeamViewer) that was reachable from the internet and protected by a password shared across operator workstations at a water treatment facility in Oldsmar, Florida, to raise the sodium hydroxide dosing setpoint from 100 parts per million to 11,100 parts per million, a level that would have made the water dangerous to drink. Fortunately, an operator watching the screen saw the in-progress change and reversed it before the altered dosing reached the water supply. Earlier in 2021, in a separate intrusion, an attacker using a former contractor's remote-access account deleted programs used to treat drinking water at a plant in the San Francisco Bay Area.
“Smarter” Grids and Systems Amplify Vulnerabilities
Incorporating artificial intelligence (AI) into the management of the electrical grid will improve efficiency and may contribute to sustainability as more electricity comes from renewable sources, but it will also make the grid more vulnerable if smart-grid systems aren't adequately protected against cyber threats. The same is true of oil and gas pipelines: as these systems increasingly rely on smart sensors for flow monitoring and predictive maintenance, operators stand to reap many benefits, but every new sensor, gateway and cloud integration is also a new entry point, and more digitized and interconnected energy systems will require greater vigilance to reduce the risk of cyberattacks.
In the past, many critical infrastructure industrial control systems (ICS) were protected through what was known as "air-gapping": physically isolating their controls from other networks and the public internet. In today's world, where vendor support links, remote engineering access and business data flows routinely bridge IT and OT networks, a true air gap is rarely achievable, and critical infrastructure operators must instead follow the best practices that have long been in widespread use in industry-leading IT security programs.
The majority of the recent high-profile attacks on critical infrastructure could have been prevented if the full complement of defense-in-depth strategies recommended by the Cybersecurity and Infrastructure Security Agency (CISA) had been implemented. Many could have been headed off with only the basics outlined by the National Institute of Standards and Technology (NIST).
It's absolutely essential that energy companies and utility operators implement multi-factor authentication (MFA) for all internet-facing systems and remote access paths, educate employees on cybersecurity best practices and strong, unique password use, conduct regular penetration testing and vulnerability scanning, and implement security monitoring (including monitoring of changes to process setpoints, not just of the IT network) together with robust incident response procedures. But this is just the beginning: ultimately, in line with the direction set by the Department of Homeland Security's recent pipeline security directives, they'll need to move toward a Zero Trust approach across all their systems and networks.
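As an added example of the "security monitoring" item above (this is not code from the original post or from BTB Security), the script below runs a few simple rules over a constructed HMI / engineering-workstation audit log and flags the pattern seen in the Florida water-plant intrusion: a remote session opened without MFA, followed by a chemical-dosing setpoint pushed far outside its engineered safe range. The log format, tag names, address ranges and limits are all assumptions for illustration, not any vendor's real format.

```python
"""Added example, not code from the original post or from BTB Security.

Reviews constructed HMI / engineering-workstation audit events and flags:
  * remote logins that did not use MFA,
  * setpoint writes outside the engineered safe envelope (or an unusually
    large single step inside it),
  * setpoint writes made from a remote session that was never MFA-verified.
Log format, tag names, IP ranges and limits are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Engineered safe operating envelope per tag (assumed values, in ppm).
SAFE_LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 200.0),
    "CL2_DOSE_PPM": (0.5, 4.0),
}
# Largest old/new ratio an operator normally writes in one step (assumed);
# bigger jumps get a second look even when the new value is in range.
MAX_STEP_FACTOR = 3.0
# Address block of the control network; any other source is "remote" (assumed).
CONTROL_NET_PREFIX = "10.10."

# One event per line.  LOGIN lines carry mfa=yes|no; WRITE lines carry the
# tag and the old/new setpoint.  (Constructed format.)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|WRITE) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: mfa=(?P<mfa>yes|no))?"
    r"(?: tag=(?P<tag>\S+) old=(?P<old>[0-9.]+) new=(?P<new>[0-9.]+))?$"
)


@dataclass
class Alert:
    ts: str
    rule: str
    detail: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines):
    """Run the rules over an iterable of log lines and return the alerts in order."""
    alerts = []
    # Users whose current session came from outside the control network
    # without MFA.  Simplified: no LOGOUT handling, one session per user.
    unverified_remote = set()

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            alerts.append(Alert("?", "unparsed-line", line.strip()))
            continue

        if ev["event"] == "LOGIN":
            remote = not ev["src"].startswith(CONTROL_NET_PREFIX)
            if remote and ev["mfa"] != "yes":
                unverified_remote.add(ev["user"])
                alerts.append(Alert(ev["ts"], "remote-login-no-mfa",
                                    f"{ev['user']} from {ev['src']}"))
            else:
                unverified_remote.discard(ev["user"])

        elif ev["event"] == "WRITE":
            old, new, tag = float(ev["old"]), float(ev["new"]), ev["tag"]
            if tag in SAFE_LIMITS:
                lo, hi = SAFE_LIMITS[tag]
                if not lo <= new <= hi:
                    alerts.append(Alert(ev["ts"], "setpoint-out-of-range",
                                        f"{tag} {old} -> {new} (safe {lo}-{hi})"))
                elif old > 0 and new > 0 and max(new / old, old / new) > MAX_STEP_FACTOR:
                    alerts.append(Alert(ev["ts"], "setpoint-large-step",
                                        f"{tag} {old} -> {new}"))
            if ev["user"] in unverified_remote:
                alerts.append(Alert(ev["ts"], "write-from-unverified-remote-session",
                                    f"{ev['user']} wrote {tag} from {ev['src']}"))
    return alerts


# Constructed sample log: a normal on-site adjustment, then a remote session
# without MFA that pushes caustic soda dosing two orders of magnitude up.
SAMPLE_LOG = """\
2021-02-05T08:02:11Z LOGIN user=operator1 src=10.10.5.21 mfa=yes
2021-02-05T08:05:40Z WRITE user=operator1 src=10.10.5.21 tag=NAOH_DOSE_PPM old=100.0 new=110.0
2021-02-05T13:00:03Z LOGIN user=engineer src=203.0.113.45 mfa=no
2021-02-05T13:02:19Z WRITE user=engineer src=203.0.113.45 tag=NAOH_DOSE_PPM old=110.0 new=11100.0
""".splitlines()

if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a.ts} {a.rule}: {a.detail}")
```

On the sample log the on-site change from 100 to 110 ppm passes silently, while the remote session raises three alerts: the login without MFA, the out-of-range write, and the fact that the write came from that unverified session. The point of the range rule is that it does not depend on a human happening to watch the screen: the safe envelope is a property of the process and can be checked on every write, whatever the source.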
Want to learn more about Zero Trust? Check out our recent blog article on the topic, or schedule a free consultation with a member of our expert team to discover how it’s relevant for your business today.