Energy officials and cybersecurity experts have long warned that America’s energy infrastructure is susceptible to cyber attacks. In 2018, Karen Evans, then the assistant secretary for cybersecurity for the Department of Energy, testified before a House committee that energy infrastructure — pipelines, transformers, and other critical conduits for fuel and power — “has become a primary target for hostile cyber actors.”
Last week, a ransomware attack on the company behind the U.S.’s biggest fossil fuel pipeline emphatically proved her point.
On Friday afternoon, hackers stole enough corporate data from Colonial Pipeline to force the company to shut down its 5,500-mile system of pipelines, which transport some 2.5 million barrels of gas, diesel, heating oil, and jet fuel each day from Houston to New Jersey. The system serves 50 million Americans and several airports along its route, ultimately providing the East Coast with nearly half of its fuel.
The attackers used ransomware, code that can lock computer systems and hold them hostage in exchange for money. The company has not publicly offered any details about how the hackers broke in. The Department of Homeland Security is investigating the source of the incident, but federal officials reportedly suspect that DarkSide, an Eastern European criminal gang that operates out of Russia, is behind the attack. In a statement on Monday, the group said, “Our goal is to make money, and not creating problems for society.”
Shutting down the largest pipeline in the U.S. could potentially create a pretty big problem for society. Gas prices haven’t been meaningfully affected yet, and Colonial expects service to resume by the end of this week. But if the shutdown extends past next Monday, gas prices could rise and Gulf Coast refineries could be forced to slow production. Some gas stations in the Southeast could run out of gasoline. Plus, the U.S. is entering peak driving season. “Every hour counts at this point as we get closer and closer to Memorial Day weekend,” a director at an investment banking firm told the Wall Street Journal on Monday.
The U.S. is ill-equipped to handle cyberattacks on its energy infrastructure, much of which is past retirement age. In March, President Joe Biden unveiled a $2 trillion infrastructure plan aimed at updating the nation’s bridges, roads, tunnels, and pipelines and at spurring the transition to renewable energy. His plan does not mention cybersecurity. That’s a big problem. Renewables are prone to cyberattacks, too. Wind and solar farms and energy storage systems rely on industrial control systems — big computing centers that connect equipment like turbines to electrical substations. We already know those computers are vulnerable to attacks. In 2013, a group of hackers was able to seize control of the industrial control systems running a number of renewable energy operators in Europe.
The Colonial Pipeline attack, shaping up to be the biggest cyberattack on U.S. oil infrastructure in history, has turned up the heat on ongoing efforts to modernize America’s cyber defense systems. Biden is preparing to unveil an executive order aimed at creating a set of digital safety standards for federal agencies. It would also establish a “cybersecurity incident review board” that would investigate major attacks. But the order, by federal officials’ own admission, won’t do enough to stop sophisticated attacks. And it may not apply to privately held companies like Colonial Pipeline, even though privately held companies control 85 percent of the country’s critical infrastructure. U.S. Secretary of Commerce Gina Raimondo told CBS’s Face the Nation that businesses need to prepare for a new normal. “Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay,” she said.