U.S. Pipeline Shutdown Exposes Cyber Threat to Energy Sector

Monday, May 10, 2021

Categories: ASCF News Cyber Security

The ransomware attack that forced the closure of the largest U.S. fuel pipeline this weekend showed how cybercriminals pose a far-reaching threat to the aging, vulnerable infrastructure that keeps the nation’s energy moving.

Colonial Pipeline Co. closed its entire 5,500-mile conduit carrying gasoline and other fuels from the Gulf Coast to the New York metro area Friday as it moved to contain an assault that involved ransomware, code that holds computer systems hostage. So far, no evidence has emerged that the attackers penetrated the vital control systems that run the pipeline, according to people familiar with the matter.

But the consequences of an infection spreading to that deeper layer are dire for any energy company. Many machines that control pipelines, refineries and power plants are well past their prime, have few protections against sophisticated attacks and could be manipulated to muck with equipment or cause damage, cybersecurity experts say.

Last year, a ransomware attack moved from a natural-gas company’s networks into the control systems at a compression facility, halting operations for two days, according to a Department of Homeland Security alert. The company, which Homeland Security didn’t name, didn’t have a plan to respond to a cyberattack, the agency said.

The Colonial ransomware attack is a high-profile example of the online assaults that U.S. companies, schools, hospitals and other organizations now face regularly. It should also serve as a wake-up call for the energy industry’s particular exposure, according to consultants and others who work with companies to shore up cybersecurity.

U.S. and industry officials have known for years about such problems surrounding the nation’s energy infrastructure. A cybersecurity unit of Homeland Security said in 2016 it had worked to identify and mitigate 186 vulnerabilities throughout the energy sector, the most of any critical-infrastructure industry that year. In 2018, federal officials warned that hackers working for Russia had infiltrated the control rooms of U.S. electric utilities.

The energy industry is a big target. The U.S. has roughly 2.5 million miles of pipelines. Across that vast network are hundreds of thousands of devices—sensors that take myriad readings, valves that help control flow and pressure within a pipeline and leak detection systems—and all are vulnerable to attack, security experts said.

Refineries have even more valves and sensors than big pipelines, and there are about 135 of those across the country. That doesn’t include electric utilities and all the components of the sprawling power grid.

Colonial ferries 100 million gallons a day of gasoline, diesel and other refined petroleum products from the country’s chief refining corridor along the Gulf Coast to Linden, N.J. It transports roughly 45% of the fuel consumed on the East Coast, according to the company’s website.

Curtis Smith, a spokesman for Royal Dutch Shell PLC, one of the owners of the Colonial Pipeline, said Sunday it is still too early to “be specific about potential impacts to product flow.” He said Shell is actively engaged with Colonial.

The trade group American Petroleum Institute said it was closely monitoring the pipeline situation and that cybersecurity is a top priority for the energy industry.

API members are engaged continuously with the Transportation Security Administration, Cybersecurity and Infrastructure Security Agency and the Energy Department to “mitigate risk and fully understand the evolving threat landscape,” said Suzanne Lemieux, API’s manager of operations security and emergency response policy.

The type of attack that occurred against Colonial Pipeline is becoming more frequent and is something that businesses need to be concerned with, Commerce Secretary Gina Raimondo said Sunday.

The attacks are “here to stay and we have to work in partnership with businesses to secure networks, to defend ourselves against these attacks,” she said on CBS’s “Face the Nation.” Specific to the Colonial attack, “it’s an all-hands-on-deck effort right now.”

In response to the Colonial Pipeline shutdown, the Transportation Department’s Federal Motor Carrier Safety Administration said Sunday that it has issued a temporary hours of service exemption for trucks transporting gasoline and other refined products across 17 states, including Georgia, South Carolina, North Carolina and Tennessee. The move would allow flexibility for truckers delivering fuel, White House press secretary Jen Psaki said in a tweet.

On Sunday, Colonial didn’t provide a timeline for bringing the pipeline back into service but said that while its main lines remained offline, some smaller lateral lines between terminals and delivery points were once again operational. It said it was working to restore IT systems and developing a plan to start the pipeline back up when it had approval from federal regulators.

As markets opened Sunday evening, gasoline futures were up about 1.6% at $2.16 a gallon, after briefly rising more than 3%.

Analysts said a closure of the pipeline for a few days shouldn’t have dramatic market impacts, because inventories of gasoline have been readied for the summer driving season and usually get replenished every five to six days. But if the pipeline remains offline for five days or longer, shortages could begin to affect retail stations and consumers along the East Coast, they said.

According to a report by an International Business Machines Corp. unit, energy companies in 2020 sustained the third-most attacks of any industry, up from ninth the previous year, as cybercriminals ramped up assaults on firms with software connected to operational control systems.

The industry is ill-prepared for such attacks, security experts said. Some operational technologies—for physical systems like pipelines and the electric grid—have protocols that predate those for the internet, said Padraic O’Reilly, co-founder and chief product officer of Boston-based CyberSaint Security, who works with pipelines and critical infrastructure on cybersecurity.

“There are just as many [operational technology] vulnerabilities as there are IT vulnerabilities, but they’re scarier in a way because they can go cyber to physical,” Mr. O’Reilly said, noting the energy sector has the most physical infrastructure of any industry that his company works with.

These weak spots have been known for years, but most energy companies have only recently begun to implement defenses, such as firewalls, to protect control systems, said Raymond Sevier, a technical solutions architect with Cisco Systems Inc., who focuses on industrial systems.

The control systems were considered safe for years because they weren’t connected to the internet, but hackers have found ways to penetrate them through unsecured remote access and networked systems. Many companies have older, vulnerable Windows platforms still embedded within energy facilities, and efforts to implement cybersecurity measures rarely move beyond the pilot-program stage, Mr. Sevier said.

Because many industrial facilities run around the clock, it isn’t easy to take down plants to patch outdated systems, keeping older machines in place and providing “the perfect path for cyber pathogens” once they are connected to company networks, said Grant Geyer, chief product officer of Claroty Ltd., a cybersecurity company that specializes in critical infrastructure environments.

Energy companies and other firms that operate infrastructure have invested heavily in recent decades to automate their processes and reduce costs, said Mark Montgomery, former executive director of the Cyberspace Solarium Commission, a bipartisan policy group formed by Congress.

“It’s not matched by a similar investment in cybersecurity,” Mr. Montgomery said. “It’s creating a lot of risk and vulnerability that, obviously, criminals can exploit.”

Two people briefed on the Colonial Pipeline probe said the attack appeared to be limited to information systems and had not infiltrated control systems. U.S. cybersecurity firm FireEye Inc. was investigating the attack, according to people familiar with the matter.

It is unclear how long it could take to bring the Colonial Pipeline back into service, said Robert M. Lee, founder of the industrial cybersecurity firm Dragos Inc.

IT security incidents can typically take days to resolve, while an attack on control systems can take weeks, given the average age and complexity of those technologies and their proximity to core operations, Mr. Lee said.

Many companies, Mr. Lee said, have underinvested in operational technology security, and U.S. officials have largely pushed firms to focus on measures to prevent attacks. That approach has left gaps in some businesses’ ability to detect and respond to successful hacks, he said.

“Everything we’ve told our asset owners has been focused on preventive [security],” he said. “We need to shift that and focus on the whole approach.”

Photo: The Colonial pipeline transports roughly 45% of the gasoline and other fuels consumed on the U.S. East Coast.
PHOTO: JIM LO SCALZO/EPA/SHUTTERSTOCK

Link: https://www.wsj.com/articles/u-s-pipeline-shutdown-exposes-cyber-threat-to-energy-sector-11620574464?mod=hp_lead_pos4
