A crippling ransomware attack on one of the largest fuel distribution networks in the US has brought into sharp focus the cyber threats facing infrastructure of national importance.
In 2020, the Cybersecurity and Infrastructure Security Agency alerted the US to the risk of a devastating cyber attack on a crucial system of national importance. On 7 May this year, the UK’s National Cyber Security Centre (NCSC) issued a stark warning along similar lines. By coincidence, it was the same day that hackers would cripple one of the largest fuel distribution networks in North America.
The taking of the Colonial Pipeline brought the authorities’ worst fears to life. The ransomware attack disabled the 5,500-mile network, causing fuel shortages in the south-eastern states of the US and prompting the Biden administration to declare a state of emergency. Although the Colonial Pipeline Company’s CEO, Joseph Blount, controversially paid the $4.4m (£3.2m) ransom, the network was out of action for a week.
This case was “not shocking” to Sarah Lyons, the NCSC’s deputy director for economy and society. There had been warnings aplenty. Only three months previously, for instance, a hacker unsuccessfully attempted to poison the water supply of Oldsmar, a city in Florida.
“The pandemic has exacerbated cyber attacks targeting organisations, including providers of critical national infrastructure, which will always be an attractive target,” she says. “The Colonial Pipeline incident confirmed our belief that any such attack could have wide-ranging societal ramifications. It also gave us a glimpse at the kind of attack with a physical impact that could materialise in future if connected places providing critical public services are compromised.”
Fatal warning: potential cyber-physical attacks
The way that critical national infrastructure has evolved to use interconnected digital networks makes it far more vulnerable than it used to be, according to Lyons, who believes that the risks could be even greater when 5G is more widely adopted.
“Regulated industries such as telecoms and energy are being connected to unregulated services and suppliers,” she explains. “These industries, which we all rely on daily, are an attractive target for a range of threat actors, unfortunately. A successful attack could cause significant disruptions to key public services and compromise citizens’ sensitive data.”
Lyons urges operators to “recognise that it’s vital that we ensure these networks are resilient to cyber attacks. In a worst-case scenario, a successful one could endanger people.”
George Patsis, CEO of Obrela Security Industries, agrees, warning that “the sky is the limit” when it comes to the extent of the damage that cyber attacks on critical infrastructure could wreak. “These have the potential to be cyber physical, putting many people’s lives at risk,” he says.
Patsis uses the London Underground as an example. “Computers control the timing of when trains arrive at junctions. If someone were to infiltrate the network and alter their synchronisation by only a few seconds, it could cause multiple fatal crashes,” he says.
Most worrying is a lack of robustness in operational technology (OT) security, which Gartner defines as “practices and technologies used to protect people, assets, and information; monitor and/or control physical devices, processes and events; and initiate state changes to enterprise OT systems.”
Patsis says: “As OT increasingly becomes internet-enabled, it creates new attack avenues. There is now a big focus on securing OT in the same way we do the IT estate.”
While he notes that the Colonial Pipeline affair has been a “huge driver” for improving OT security, Patsis stresses that there is much work to do in this area.
Unique challenge: securing operational technology
Theresa Lanowitz, head of evangelism at AT&T Cybersecurity, takes much the same view. “With the convergence of IT and OT systems, there has been an exponential growth in internet-of-things devices that has heightened concerns about the digital security of these systems,” she says.
Lanowitz calls for a “mindset shift” in securing OT assets. “Legacy infrastructure has been in place for decades and is now being combined as part of the convergence of IT and OT,” she says. “This can be challenging for organisations that previously used separate security tools for each environment and now require holistic asset visibility to prevent blind spots. Attacks are coming from all sides and are creeping across from IT to OT and vice versa. Organisations should adopt a risk-based approach that recognises that there is no perfect security solution.”
She continues: “Enterprises that strategically balance security, scalability, access, usability and cost can ultimately provide the best long-term protection against an evolving adversary.”
Has the Colonial Pipeline attack encouraged infrastructure providers to take more effective defensive measures? “Frankly, not enough,” argues Rob Carew, chief product officer at Arcadis Gen, the digital arm of Arcadis, a Dutch engineering consultancy. “There is still a disconnect between cybersecurity and critical infrastructure.”
He suggests that cybersecurity is widely seen in the sector as an “add-on”, rather than intrinsic, when it comes to monitoring the health of critical infrastructure.
“The problem is compounded by ageing hardware and software technology, which can often be exploited through unforeseen vulnerabilities,” Carew says. “Transparency and trust are key in having robust and executable action plans. Everyone has a role to play in security. If it becomes a regular topic of conversations among asset owners, operators, managers, maintainers and the supply chain, it will become part of the organisation’s DNA.”
Actions, though, speak louder than words. While the Colonial Pipeline incident may have set alarm bells ringing, there is still – months later – high panic across the infrastructure network, with the cybercriminals seemingly better equipped to expose vulnerabilities and gain financially from doing so.
This article first appeared in Raconteur’s Future of Infrastructure report in September 2021