The recent Colonial Pipeline attack has proven there is no greater national security priority than protecting America’s energy infrastructure. The FBI has identified DarkSide, a Russian ransomware group, as responsible for hacking Colonial, one of the largest US fuel pipelines, which transports 100 million gallons of fuel daily along the Eastern United States. DarkSide stole nearly 100 gigabytes of data over 2 hours from Colonial’s network and extorted about 75 bitcoin, roughly $4.4 million.
The Department of Homeland Security’s Transportation Security Administration (TSA) announced a new Security Directive that requires critical pipeline owners to report cybersecurity attacks to the TSA and to review their current cyber practices and procedures. While this is a step in the right direction, we need to do more to protect America’s most important resource: the free flow of energy.
The recent Colonial Pipeline and SolarWinds cyberattacks have allowed Russian hackers unprecedented access to federal government systems and revealed how vulnerable our nation’s critical infrastructure is. The U.S. currently has no centralized tracking system, no centralized cybersecurity policy, and no process for providing rapid alerts when problems begin. The U.S. needs a centralized and proactive approach to monitor, detect, and prevent cybersecurity attacks.
It is important to understand that our nation’s energy companies need to protect two main attack surfaces: Information Technology (IT) and Operational Technology (OT) systems. IT systems deal with the flow of information, while OT systems manage the physical control of machines and hardware. Fortunately, DarkSide only targeted Colonial Pipeline’s IT systems for ransom. Attackers could have easily gained control of the pumps and valves along the 5,500-mile pipeline, causing catastrophic damage. A similar OT system attack happened in Florida earlier this year, where a hacker tried to poison a city’s water supply by taking over the water treatment system. Energy companies need to invest in both OT and IT cybersecurity solutions to fully protect against devastating cyberattacks.
The public and private sector both have important roles to play in protecting our nation from the threat of increasingly serious cyberattacks. The Biden Administration needs to direct the Department of Homeland Security (DHS) to create a joint data sharing cloud between private enterprises and Federal, State, and Local governments. Congress needs to better fund DHS’s cybersecurity response task force and enact harsher penalties for cybersecurity offenders and for any private enterprise that conceals or doesn’t report a cybercrime. The Department of Energy should better fund cybersecurity R&D specific to grid and energy infrastructure. State Public Utility Commissions must support aggressive increases in rate case funding for both IT and OT cybersecurity spending.
The private sector has to step up as well. Every private energy, communications, and water utility should do continuous assessments of their attack surface across both IT and OT systems. These companies should require their Chief Information Security Officer (CISO) to report annually to their Boards and Shareholders what they are doing to ensure endpoint cybersecurity protection for their companies and their customers.
In the 20th century, America did a great job of protecting our nation with the world’s most powerful military. In the 21st century, we need to protect the energy, communications, and infrastructure grids that run our country – and America’s energy grid is at the top of the list. No one will feel sorry if the world’s wealthiest and most technically advanced nation overspends on battleships and jets and scrimps on protecting its central energy lifelines.
It’s time to get smart about deploying the cybersecurity necessary to protect our country for the next century.