
If Cyber Criminals Attack Energy Assets, The U.S. Will Hit Back Hard


The utility sector gets “hundreds of millions” of phishing expeditions that have a singular aim: extorting money. Now that the Colonial Pipeline has paid $5 million to hackers, the problem is front-page news. 

It’s important to distinguish between “state actors” that seek to weaken an adversary’s national defenses or to hurt its economy and “criminal organizations” that steal trade secrets and bribe company officials. The latter attacked the Colonial Pipeline’s computer network, leading to panic and causing gasoline shortages and price spikes. Russian hackers are the culprits. But the thinking is that the Russian government has effectively immunized them. How to deal with the threats?

“Mutually Assured Destruction is applicable,” says Matt Barrett, chief operating officer for CyberESI, during a discussion hosted by the United States Energy Association in which this reporter was a panelist. “These are sophisticated, highly distributed, and highly planned attacks. They are gaining a toehold into the organization by phishing and then someone clicks on the links.”

And before anyone realizes it, the invaders sit quietly and undetected in the company’s information technology shelves. While there, they are cutting off backup systems, looking for credit cards, and gaining inside information, even scathing emails exchanged among top executives. They are searching for anything that can be monetized. The best advice? Barrett says that if you are not expecting an email, do not open it, and if you do, do not click on the link or open any attachments. “It is about educating those folks that some bad consequences can occur.”

To this end, President Biden would help fund new energy infrastructure and cybersecurity measures as part of his American Jobs Plan, which would pony up at least $20 billion to enhance such efforts. The president just said that he will treat cyber intrusions and ransomware attacks as a national security matter. In other words, what goes around comes around.

But typically, the United States does not admit to such offensive attacks. It never owned up to the “Stuxnet” assault against Iran that wreaked havoc on its nuclear weapons program. When President Biden meets next week with President Putin, the matter will come up. Ukrainians, for example, have suffered a multitude of cyberattacks allegedly by Russians that have left its citizens without power for extended periods. If it happens here, Russia will get a black eye.

“The Colonial Pipeline incident is indicative of the threat,” says Suzanne Lemieux, manager of security for the American Petroleum Institute, at the forum. “Next to the financial sector, we are one of the largest targets. Our critical infrastructure is privately owned but the adversarial nations’ infrastructure is (often) state-owned.” 

Moving Target

At present, there are 2.7 million miles of natural gas pipelines in the United States, according to the National Transportation Safety Board. The Department of Homeland Security says that about 100 lines are “vital” to the national interest and that, if attacked, their operators must immediately report it to the federal government.

The grid is especially vulnerable, given its vast outreach. Altogether, there are about 5,800 major power plants and 450,000 high-voltage transmission lines in the United States. Because the system is now connected through the Internet, it has become subject to ever more attacks. Roughly 85% of that infrastructure is owned by private entities, which maintain that they have an inherent interest in protecting their assets from outside hazards.

Power companies are on guard and they are developing robust systems that can continue to generate and deliver power if assaulted physically or virtually. The aim is to be proactive: to anticipate what moves the enemy might make. But it is a never-ending battle, with each side always trying to one-up the other. Consider that a loss of power can also take out the drinking water system, the wastewater facility, and the communications infrastructure.

“There are hundreds of millions of attempts,” says Galen Rasche, senior program manager for the Electric Power Research Institute, during the panel discussion. Most organizations have firewalls that block those attempted invasions. But the real risks, he asserts, are targeted and socially engineered — to get employees to divulge passwords, bank accounts, or social security numbers.

Power and gas companies must allocate scarce resources to shield themselves. The smart money is headed to protect against those events that have a low probability of happening but that have huge consequences if they do occur. With that, the National Commission for Grid Resilience has said that this is a public-private effort. The need is too great to depend on private investors who think short-term and who are concerned about quarterly returns.

“We have a role working with utilities about which systems should be automated and which should be manual” to protect against a cyberattack, says Idaho Public Utility Commission President Paul Kjellander, who is the National Association of Regulatory Utility Commissioners’ president. “There are certain systems that you do not want to make vulnerable,” he says, pointing specifically to hydro facilities.

“We are never done with this,” the commissioner added during the discussion. “We are constantly chasing the target. The target keeps moving. It is always a little smarter than we are. But we can’t put our guards down.”

Energy companies are fully cognizant of the cybersecurity risks and they are being proactive about protecting their assets — all in the name of keeping the lights on and the country’s economy purring along. But organizations are only as strong as their latest patches and their weakest links, which gives the invaders the upper hand. Now that the issue is top-of-mind with this president, though, American enterprise may have a fighting chance.


