Chris Bronk, Associate Professor University of Houston
When I was seven years old, I watched my parents struggle to keep two cars gassed up through even-odd plate rationing and long lines at the pump. Since 1979, mighty have been the changes in the U.S. economy, in many ways for the better. With regard to resiliency, however, we have driven into a ditch. While many details remain unknown, the hacking of Colonial Pipeline, likely by a Russian cybercrime gang which calls itself DarkSide, indicates the poor state of cybersecurity in much of the critical infrastructure in the U.S. Like many other companies, from retailer Target to IT firm SolarWinds, Colonial’s management was asleep at the wheel on cybersecurity. The company did what companies do: optimize for profitability rather than imagine what could go wrong.
This incident is not unusual and was not perpetrated by super villains. The group that attacked Colonial is made up of reasonably clever hackers who know how to extract funds, paid in cryptocurrency, in exchange for unlocking proprietary resources encrypted by ransomware. They are Russians, which means that they may moonlight for the intelligence agencies of their Motherland. They have carved out their piece in a criminal enterprise that is likely bigger than the international narcotics trade and growing rapidly. Ransomware attacks launched by groups like DarkSide hit everything from multinational corporations to neighborhood medical practices. Even when the ransom is paid, there is no guarantee that payment will unlock the encrypted systems. DarkSide had been looking for bigger companies to hit, ones able to pay more. This is exactly what brought them to Colonial and likely precipitated what could become the biggest non-weather-related gas crisis since the Carter administration.
Why did this happen? First, I believe that Colonial’s cybersecurity efforts were subpar for the pipeline industry. One security evaluator asserted, “Colonial pipeline likely did not have the awareness needed to protect themselves.” As of Sunday, the chief information officer of the company, Marie Mouchet, stated in her corporate bio that she was, “Building [a] Security and Information Governance Team to address and manage cyber and physical security risks across critical infrastructure of the pipeline ensuring information and data security.” Nearly a decade after Saudi Aramco was likely hacked by Iran and after many actors in the oil and gas sector had seen major disruptions and breaches, the pipeline operator that moves 45% of refined fuels through the East Coast was in the building phase on cybersecurity.
They were getting around to it.
Why was Colonial slow off the mark in getting this done? The reason is simple. Cybersecurity is expensive. It is a cost on the balance sheet, and corporate risk managers still view being hacked as “unlikely” or “manageable.” Doing the minimum on cybersecurity was a practical decision for the partners sharing ownership in the company. Leadership was willing to make investments in automating operations, replacing technicians with computing technology. After the infrastructure was automated, the attendant savings were pocketed. Still largely offline, Colonial does not appear able to operate in some form of “manual mode,” as the operators of Ukraine’s electricity utilities did after Russian GRU hackers attempted to take down its power grid in December 2015. Colonial abandoned manual fuel delivery and ticketing in favor of an efficient automated solution that touches the computer networks of many suppliers.
Profitability trumped resiliency for Colonial’s owners: Koch Industries, the Quebec Deposit and Investment Fund (which manages public pensions), Shell Pipeline and Australia’s IFM, a private equity firm. Colonial was built by nine oil companies. Only two are involved in its operation today. The rest are investment firms. To borrow from a colleague in the financial business, those firms excel at three things: financial engineering, cutting costs and producing sales pitch slide decks to offload assets. The pipeline produces a steady rate of return on the 4.2 million barrels of refined fuels that flow every day from Houston, Texas, to Linden, New Jersey, and several interconnects in between. On Tuesday, the day industry experts expected the beginning of a return to normal operations, the company’s website, Ms. Mouchet’s bio along with it, went down, not once but twice. Colonial is yet another example of firms avoiding cybersecurity responsibilities and letting the costs be borne by society.
For all that we have heard about risk assessment in cybersecurity, on critical infrastructure we are still groping in the dark. The 9/11 attacks gave us some indicators on what we might not want terrorists to blow up, but our nation has failed to address the security costs of our computing present, while racing headlong into an artificial intelligence future. Since the 1980s, American business has leveraged computing to automate all sorts of jobs previously done by people. What we are dealing with now is what happens when those computer systems fail. Those who think we can continue to remove the human component from the operation of our critical infrastructure are wrong. Efficiency is not all that our society must value. Resilience matters too.
Chris Bronk is an associate professor at the University of Houston and directs the graduate cybersecurity program.
UH Energy is the University of Houston’s hub for energy education, research and technology incubation, working to shape the energy future and forge new business approaches in the energy industry.