Long lines and dry pumps at gas stations across the East Coast this week alerted Americans to the growing threat of cyberattacks on the systems that control many aspects of their lives and safety.
Security experts say the ransomware attack that led to a five-day shutdown of Colonial Pipeline Co.’s lines supplying fuel to 14 states was just the latest of hundreds of such hacks on critical industries in the past year. Meanwhile, recommendations from security watchdogs that would bolster protections against such threats have gone unheeded.
The tightest security would disconnect critical systems from the internet, experts say, as nuclear plants are required to do. And the government could mandate other security protocols rather than make recommendations with no penalties for non-compliance.
“The United States is one of the few countries that doesn't have any regulation at a national level for cybersecurity for its critical infrastructure,” said Eric Cole, who served on the Center for Strategic and International Studies’ Commission on Cyber Security during the Obama administration and whose book Cyber Crisis comes out next month.
The number of attacks on companies that provide essential services from banking and electricity to ambulances and agriculture has risen steadily over the past decade with more than 250 ransomware assaults launched on U.S. entities considered critical infrastructure in 2020 alone, according to data compiled by Temple University.
Those included railroad systems, courts, jails, police departments, school districts, electric utilities and city halls big and small.
And now, the Colonial Pipeline.
“This is the one people have been warning about for some time, that they could physically incapacitate infrastructure,” Malcolm Nance, a retired Navy counter-terrorism intelligence officer of 35 years and author of multiple books on national security, said of the Colonial hack. “Now we need an all-hands-on-deck review of the entire internet-controlled infrastructure of the U.S. -- that’s oil, that’s gas, natural gas, water.”
There currently are no federal regulations on cybersecurity measures for most private companies – even those that provide vital supplies and services, like oil and gas.
“Some of these sectors are completely voluntary, and there's no cybersecurity standards, and some of them have very rigorous cybersecurity standards,” said Vijay D’Souza, director of information technology and cybersecurity for the U.S. Government Accountability Office.
The electric grid and nuclear power plants, for example, are required to comply with strict cybersecurity standards set forth by regulatory agencies such as the North American Electric Reliability Corporation.
President Joe Biden issued an executive order this week mandating that all federal agencies meet minimum cybersecurity standards, but it did not address private companies such as Colonial that handle critical infrastructure services.
Asked Thursday if he’d impose similar regulations on the oil and gas industry in light of the Colonial hack, Biden said private companies are in charge of their own cybersecurity and he can’t dictate to them. He said efforts including a 100-day electrical system initiative announced in April and parts of his $2 trillion infrastructure plan are intended to encourage more cooperation between these industries and the federal government to beef up cyber security voluntarily.
In the past decade, the GAO made nearly 80 recommendations to government agencies for safeguarding the nation’s critical infrastructure from online security threats. As of March, most hadn’t been implemented, including three pipeline safety recommendations directed at the Transportation Safety Administration.
Citing health care and food systems, D’Souza said lax cybersecurity can “have potentially life-or-death impacts for us.”
“People haven't always treated this with the sense of urgency that's needed,” D’Souza said. “I think, unfortunately, it takes an incident like this Colonial Pipeline for people to kind of wake up.”
The threat has been known for years
As the GAO and others raised the cybersecurity issue over the past decade, prior administrations did not make it a top priority.
During the Obama administration, Cole said, he and other security experts suggested a plan to mandate all critical infrastructure companies disconnect their industrial control computer systems from the internet. Other issues took priority at the time, he said, and the plan was never approved.
“Prior to 2017, the foundational, fundamental rule of security was these systems are always separated, physically separated or air-gapped, from the network which is connected to the Internet,” Cole said. “So you had these systems that did have vulnerabilities that were known and managed but it was on a private isolated network behind fences, guards and guns. So, unless somebody physically violated the perimeter, these systems were kept safe.”
But as more companies fully automated their systems, he said, they began to connect to the internet en masse.
“A lot of these companies in my opinion made the wrong decision and said ‘Let's start interconnecting these together’ and then sort of I always joke: famous last words, ‘what could possibly go wrong?’” Cole said.
Experts such as D’Souza note that government cybersecurity efforts tend to shy away from adding federal regulations for private companies because they get immediate pushback.
In 2016, Obama’s Commission on Enhancing Cybersecurity issued a final report that included 53 recommendations to improve cybersecurity but did not recommend any non-voluntary regulations for critical infrastructure companies.
Since then, Temple University’s data confirms, ransomware attacks like the one that hit Colonial have skyrocketed. There were 15 total ransomware attacks on U.S. critical infrastructure from 2013 to 2015. From 2016 to 2018 there were between 50 and 70, annually before the number jumped to 175 in 2019 and topped 250 last year.
There’s no doubt that the COVID-19 pandemic aided last year’s spike in attacks on those internet-connected systems, said Tad McGalliard, a local government cybersecurity expert and director of research for the International City/County Management Association. cy
“People left their cubicles and boardrooms for kitchen tables and living rooms,” he said. “People were using their own Internet systems which have different kinds of protection. They were maybe not quite as careful in the mad rush to get out of the office last year.”
On February 5, hackers gained access to a Florida water treatment facility through remote access software and tried to poison the water supply. Although the hack was quickly detected, the incident highlighted how the Covid-19 pandemic, in pushing millions to work from home, had increased vulnerability at companies nationwide.
What should be done
Experts said there is a blueprint for what will work to prevent cyberattacks on critical infrastructure companies. Go back to the way things used to be done with separate systems so the computers needed to run a pipeline or a dam aren’t connected to the business computer system or the Internet.
“I'm pushing for the President to do an executive order that says any critical infrastructure (computer) systems must be disconnected from the Internet,” Cole said.
Mike Chapple, professor of IT, analytics and operations at the University of Notre Dame's Mendoza College of Business and a former computer scientist with the National Security Agency, told the Associated Press the same thing. Systems that control pipelines should not be connected to the Internet and vulnerable to cyber intrusions, he said.
"The attacks were extremely sophisticated, and they were able to defeat some pretty sophisticated security controls, or the right degree of security controls weren't in place," Chapple said.
The nuclear power industry already must keep its computer control systems separate, or “air-gapped” from the internet. An air gap means the network of computers that control a reactor, for example, would not be connected in any way to the internet.
According to Temple’s ransomware attack data, there have been zero attacks on nuclear plants.
“We have a model that is very effective at stopping cyberattacks with nuclear, we just are not following it in other areas,” Cole said.
But other experts say the realities of today’s Internet of Things means complete air gapping is no longer realistic.
“No matter how much we scream about air gapping we’re not going back to that,” said Brian Kime, a senior analyst with cybersecurity firm Forrester who works with clients in various critical infrastructure industries.
That’s because integrated systems provide benefits to consumers while cutting costs for businesses, Kime said, citing smart electric and gas meters that make it easier to identify and repair problems.
The key is to implement cyber security plans that minimize the risk of an attack spreading throughout an entire system, Kime said, which can be done through a strategy called “zero trust.”
“There’s an assumed breach,” he said. “We never trust, and we always verify every device, every application, every identity.”
Zero trust also involves isolating facilities and systems within a company’s network so if one part gets hacked, the whole network doesn’t have to shut down.
“Not connecting industrial control systems directly to the Internet that's absolutely recommended best practice in the industrial sector,” Kime said. But at the very least things should be separated in a way that a ransomware attack on the business operation shouldn’t shut down the industrial operation.
“The pipeline network should be able to run without corporate IT,” he said.
Kime agrees the public disruption caused by the Colonial hack is an opportunity “for the government, in my opinion, to step in and enforce some compliance and basic security measures.”
In July 2020, the Cybersecurity and Infrastructure Security Agency under the Trump administration launched a five-year initiative to better protect companies and government agencies from computer attacks that would affect critical functions of “security, national economic security, national public health or safety.”
CISA warned last year that a cyberattack directly on such control systems, “could result in significant physical consequences, including loss of life, property damage, and disruption of the essential services and critical functions upon which society relies.”
However, the plan CISA laid out doesn’t include any specific security mandates for companies performing critical functions. Its goals include strengthening partnerships, collecting better data and developing technology to enable private companies to defend themselves.
Critics of more regulation on private industries say there’s no level of cybersecurity that can stop a determined hacker, so imposing regulations just makes businesses less efficient and more expensive to run, Cole said. But experts said most ransomware attacks are carried out, not by Russia or China, but by less sophisticated organizations that are just seeking money where they can get it.
“Yes, there are some really advanced nation-state threat actors that can't be stopped,” Cole said. “This (Colonial) was not one of them and this was preventable.”
Now is the time to push for stronger protections, he added.
“Everyone who's waiting at gas stations or can't get gas needs to recognize that so they put the proper pressure on the legislature,” he said.
Since lax cybersecurity can affect infrastructure, experts said an easy solution would be to include money for improvements in Biden’s infrastructure plan.
“Put it into the bill,” said Nance, the retired intelligence officer. “Let the U.S. government pay for it.”