For decades, the US has been aware of the vulnerabilities within its energy infrastructure, yet no contingency plans seem to have been put in place. Now, after an (oddly easily executed) hack on one of the country’s major fuel lines cut the flow of oil leaving southern America reeling, we hate to say (everyone) told you so.
The Colonial Pipeline hack set off a multi-state scramble for gasoline, jet fuel, diesel and other petroleum products. But, in a move that is being viewed as one of the most significant attacks on critical national infrastructure in history, how did the hackers actually cause so much chaos?
When we think of the oil industry, we generally think dirty, or I do anyway. Greasy pipes, blokes in hi-vis, that sort of thing. But the oil industry is in fact incredibly digitised. Pressure sensors, thermostats, valves and pumps are all controlled via computer, to monitor the flow of fuel across hundreds of miles of piping. The Colonial even has what they call a high-tech ‘smart-pig’ (pipeline inspection gauge) robot, roaming the pipes checking for any problems.
Unfortunately, Mr S Pig couldn’t have picked up on this one. If something is operated via a computer, the chances are, it’s going to be connected to a central network somewhere. If that somewhere happens to be an organisation’s internal network and that gets hit with a cyber-attack, well, in the case of Colonial, that also leaves the pipeline wide open to malicious attack.
According to cyber expert Jon Niccolls of Checkpoint, direct attacks on operational technology such as this are ‘rare’ because these systems are ‘usually better protected’. Hear that America? Better. Protected.
Niccolls says it’s most likely the hackers gained access to the Colonial computer system via the administrative side of the business.
“Some of the biggest attacks we’ve seen all started with an email,” says Niccolls. “An employee may have been tricked into downloading some malware, for example. We’ve also seen recent examples of hackers getting in using weaknesses or compromise of a third-party software. Hackers will use any chance they get to gain a foothold in a network.”
And to add insult to injury, as is the case with most cyber-attacks, the Russian hacker group responsible, Darkside (a bit cliché guys but hey), will undoubtedly have been milling about undetected in this network for weeks, maybe even months before launching its ransomware attack.
Independent oil market analyst Gaurav Sharma told the BBC that a lot of fuel was now ‘stranded’ at refineries in Texas and, “Unless they sort it out by Tuesday, they’re in big trouble.” Well, it’s now Friday. So, I guess big trouble it is?
And in a report I came across on Wednesday, more than 1,000 gas stations across southern America were either already out of gas or were close to running out, with the governors of Florida, Virginia and Georgia all having declared states of emergency as fuel supplies run dry for millions of Americans.
And what do people do when things start to run low? They panic buy. Lest we forget the pasta and toilet roll fiasco of 2020.
Of course, when news of a ransomware attack on a national asset such as an oil pipeline makes the rounds, the first conclusion is often that this was the result of a nation-state attack.
But, President Putin has already denied all involvement, and what’s worse, the hacker group involved didn’t even mean to cause so much chaos, releasing a statement online saying their only goal was to ‘make money’ and that they were ‘apolitical’.
But, luckily, and I use the term loosely, this was a fuel hack. But as recently as February, another hacker gained access to the water system of Florida city and tried pumping in a “dangerous” amount of a chemical. In this particular case, a keen-eyed worker saw it happening on his screen and stopped the attack in its tracks. Now that is the real definition of lucky. But, what if he hadn’t?
But if potentially poisoning the water supply wasn’t enough of an incentive for some action, and despite the warning signs having been blinking on seemingly ignored for years now, perhaps price hikes at the pump will be the catalyst the US needs to better protect its critical infrastructure, and its citizens. Sigh.
This editorial originally appeared in the Data Centre Review Newsletter May 14, 2021. To ensure you receive these editorials direct to your inbox, you can subscribe to our weekly newsletter here.