The recent ransomware attack by a Russia-based criminal gang against Colonial Pipeline, a major U.S. transporter of gasoline and other fuels, has served as a wake-up call, alerting both companies and energy regulators to how vulnerable the country’s energy infrastructure is to cyberattacks.
In response to the cyberattack, which caused the shutdown of the pipeline for more than a week last May, the federal government is calling on the nation’s most important pipeline companies to boost their defenses against cybercrime.
On July 20, the Transportation Security Administration issued a security directive calling on the owners of about 100 pipelines, designated to be the most critical to the U.S. economy, “to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems,” according to a TSA statement.
On the same day, TSA issued an alert, based on an investigation by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, on a spear-phishing and intrusion campaign conducted by state-sponsored Chinese criminal actors. Between December 2011 and 2013, the cybercriminals targeted U.S. oil and natural gas pipeline companies. The government identified 23 gas pipeline operators targeted by the intrusion campaign. Of those companies, 13 were confirmed as compromised, three were near misses, and seven had an unknown depth of intrusion, according to the report.
The July security directive is the second such action taken by the TSA calling for pipelines to beef up their cybersecurity following the Colonial Pipeline attack.
In May, the agency had issued a directive calling on the owners of critical pipelines to report cybersecurity incidents to the federal government within 12 hours. The May directive also called on pipeline owners and operators to appoint a cybersecurity coordinator to be available for contact by government officials 24 hours a day, seven days a week.
Heightened level of vigilance
The heightened level of government vigilance comes in the wake of the ransomware attack on Colonial Pipeline, which stretches from Texas to the northeastern U.S. The pipeline shutdown following the attack led to gasoline shortages in multiple states.
The Biden administration reacted quickly to the Colonial Pipeline attack. Shortly after the ransomware attack was announced, President Biden blamed the criminal hacker gang DarkSide, which operates on a “ransomware as a service” model, as being behind it. The pipeline reportedly paid a ransom of $4.4 million to retrieve its stolen data so that it could resume operations. The Justice Department later reported that it had been able to recover about $2.3 million of the ransom money.
On May 12 the president signed an executive order aimed at countering the growing cyber threats facing the country. Although the order came out after the announcement of the Colonial Pipeline breach, it was based on the administration’s previous work promoting enhanced cybersecurity for the federal government’s own networks.
Biden called the executive order a first step toward “improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”
But, because most critical energy infrastructure assets in the United States are held in private hands, it primarily falls to the owners of infrastructure assets – oil and gas pipelines, refineries, and electric generation plants and transmission lines – to erect their own defenses against cyberattacks.
While the attack against Colonial Pipeline was the most consequential assault of its kind against pipeline infrastructure in the U.S., it was by no means the first. Last October, CISA, the federal agency responsible for monitoring cybercrimes, reported a cyberattack affecting control and communication assets on the operational technology (OT) network of an unnamed natural gas compression facility.
An unknown criminal actor or actors used an emailed spear-phishing link to get into the plant’s information technology (IT) network before pivoting to its OT network, then deployed ransomware to encrypt data on both networks. The compressor station shut down for two days, resulting in a loss of productivity and revenue, CISA said.
Other ransomware attacks have singled out large and small companies, as well as public agencies, including hospitals, municipal government offices and even police departments. In June, meat-processing giant JBS USA Holdings reported that it had paid $11 million in ransom to cybercriminals following a ransomware attack that resulted in the temporary closure of plants that process about one-fifth of the U.S. meat supply.
According to Emsisoft, an anti-malware software firm based in New Zealand, the United States led the world by far in reported ransomware demands last year, with 23,661, far outpacing second-place Italy with a total of 9,226 demands. The minimum cost of ransomware, including ransom payments and downtime, was more than $920 million. But, since only about a quarter of ransomware victims report the attacks, the actual U.S. ransomware cost in 2020 was estimated to be closer to $3.68 billion.
Brett Callow, a threat analyst with Emsisoft, said it’s difficult to estimate how many of the ransomware attacks involved U.S.-based energy companies, because that data is not publicly available. However, he said he was not surprised to hear about the attack on Colonial Pipeline.
“I was only surprised that something so significant didn’t happen sooner,” he said in an interview. Since ransomware attacks are increasingly taking place at the largest and most sophisticated companies, “all companies everywhere are at risk,” he said.