The Rising Threat of Cyber Attacks on U.S. Energy Companies
The recent hack of a Colonial Pipeline fuel transport line has highlighted how energy companies have become a prime, and unfortunately easy, target for this wave of cyber criminals. An IBM report in February found that attacks on the energy sector had doubled from year to year, with cyber criminals targeting organizations that cannot afford downtime of their systems.
America’s Cybersecurity Challenges
The ransomware attack that shut down Colonial’s major fuel pipeline between Texas and New Jersey highlights the fragility of America’s energy infrastructure. After Colonial was hit by a ransomware attack, the company shut its pipeline to prevent hackers from attacking portions of the pipeline itself.
But it’s not just Colonial Pipeline that is at risk. Many oil and gas pipelines rely on antiquated control systems that cannot adequately protect against cyberattacks nor can they be updated easily. Old systems originally kept disconnected from the broader internet to prevent cyberattacks are now being breached because they lack the proper protection.
Today, more energy companies have connected to the broader internet. They use sophisticated monitoring and diagnostics software and connect to the internet of things (IoT) in the forms of smart thermostats, grids, lighting systems, etc. While the new technology helps systems operate more efficiently, the broader connections also create more exploitation points for hackers.
Another challenge facing companies using decades-old control systems is finding programmers who understand these systems. Replacing the entire system is often more than companies want to deal with. It is not only costly but involves shutting down pipelines, power plants, or refineries for an extended period. However, replacing old systems with newer, better-equipped defensive cybersecurity systems may soon become essential.
Once companies decide to upgrade, they face the final challenge of knowing where to invest their time and money. Cybersecurity is not their field of expertise and there is not much available data about the structural weaknesses of energy systems. Expert consulting will become crucial for energy companies to make the right decisions regarding cybersecurity.
Colonial Was Not an Isolated Incident
The attack on the Colonial pipeline may have been the most recent, but it is not the first and will probably not be the last. Last year, the Cybersecurity and Infrastructure Security Agency was shut down for two days due to a ransomware attack on a natural gas compression facility.
In 2018, several natural gas pipeline operators reported attacks on customer transaction processing systems that led to service disruptions. In Ukraine in 2016, a large section of the power grid was knocked down by hackers, the first cyberattack-triggered blackout. When that happened, then-president Obama warned that America’s own infrastructure needed bolstering. But paradigm shifts do not often happen until damage is incurred on home turf.
After several recent prominent cybersecurity breaches, the Biden administration is seeking hundreds of billions to modernize the country’s energy infrastructure. Richard Glock, chairman of the Federal Energy Regulation Commission, has called to establish mandatory cybersecurity standards for the country’s energy infrastructure. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” he said.
In addition to regulations for cybersecurity standards in the energy sphere, experts also recommend having a strong contingency plan in case of a breach. As comprehensive as cybersecurity can be, most loopholes are not noticed until they’re exploited by hackers. Having a contingency plan in place can help mitigate the damage.