In the last week, one of the largest fuel pipelines in the United States has been shut down as it deals with a ransomware attack. This is the highest-profile infrastructure cyber-attack on the energy system in the US, and a reminder that this “new” problem is getting much worse – and will continue to do so. Today we’ll take a look at some implications of this latest attack, and of cyber-risk trends for infrastructure.
Infrastructure Ideas has been writing about infrastructure cyber-risks for some time, and one of our Ten Infrastructure Predictions for 2021 was that these risks would grow for utilities. Unfortunately, we were right. The attack on the Colonial Pipeline, which operates the largest fuel pipeline between Texas and New York, has disrupted availability of gasoline and jet fuel for a week – with long lines at gas stations in some areas, and a state of emergency declared by the Governor of Virginia. The 5,500 mile pipeline carries nearly one-half of the motor and aviation fuels consumed in the Northeast and much of the South (see “What We Know about the Colonial Pipeline Attack,” from the New York Times). Colonial, the pipeline operator, reported that hackers had infiltrated corporate data, not control of the pipeline itself, but that Colonial had shut down operation of the pipeline to prevent further damage and contain risks. The FBI has attributed the hack to a Russia-based criminal group known as “Darkside,” which specializes in ransomware attacks against English-language targets. As of this writing pipeline operations have yet to return to normal.
The Colonial Pipeline ransomware attack is far from the only headline regarding cyber-attacks on infrastructure in the first months of 2021. A report in February from the industrial cybersecurity firm Dragos named four separate hacker groups with ties to Russian intelligence services as having targeted industrial control systems in the United States. One group, named “Kamacite,” reportedly works in cooperation with the GRU, Russia’s largest foreign intelligence agency and has targeted US electricity and oil and gas firms, and is said to have gained network access to firms on several occasions. Another February report, this one from IBM, found the energy sector to be the third most frequently targeted in 2020 (after finance and manufacturing), up six places from 2019. Aside from energy, other attacks have targeted the water sector. An as-yet-unknown hacker gained access to the controls of a water treatment facility in Oldmar, Florida, and attempted (unsuccessfully) to introduce large amounts of lye into the city’s water. In February, an ex-employee of a water company near Little Rock, Arkansas, was indicted for accessing and attempting to disrupt the company’s systems after being let go. In 2020, a likely Iranian hacker was found offering to sell network access to a water treatment plant in Florida over the messaging app Telegram. A recent study profiled in Wired (Water Supply Hacks Are a Serious Threat – and Only Getting Worse) found dozens of hacking incidents at US water installations, with a continued rise over the last decade. Water utilities turn out to be far more vulnerable to cyber-risks, in spite of the focus of most headlines on electric utilities, as so many water utilities are small and lack the administrative capacity and resources to protect themselves against rapidly evolving attack risks.
The underlying dynamics indicate that infrastructure cyber-risks are, unfortunately, getting much worse. For one, the growing use of digital controls to manage electricity and other energy installations opens new entry points for hackers to exploit. Second, the sheer number of actors involved or with the potential to be involved cyber-attacks is growing rapidly: barriers to entry are low, and the trend towards ransomware attracts criminal groups across the board. As one cyber-expert cited in the Dragos report puts it, “A lot of groups are appearing, and there are not a lot going away.” One element of this week’s Colonial Pipeline attack highlights the issue: the group apparently responsible, dubbed “Darkside”, operates on a business model whereby it develops hacking tools and then sells, rents or leases them to other parties. It does not require much imagination to see how this will accelerate the availability of hacking tools. Third, with the multiplication of actors comes a multiplication of targets. One group Dragos has dubbed “Stibnite” has targeted Azerbaijani electric utilities and wind farms using phishing websites and malicious email attachments: if firms in Azerbaijan are becoming targets, firms in places such as Jordan, Indonesia, Mexico and elsewhere cannot be far behind. Utilities in lower-income countries, lacking in managerial and financial resources to adequately defend themselves, utilities in areas of internal or external conflict, attractive targets for political or ideological reasons, and utilities in high-crime countries with already diversified and sophisticated criminal groups, are all going to be at particularly high risk in coming years. Fourth, the types of infrastructure cyber-risks are also expanding. Ransomware attacks are the flavor of the day, and with the proliferation of hacking tools among criminal networks will doubtlessly expand. These are expensive and disruptive, but the damage to date from these attacks has been limited in scope and in time. Yet more aggressive and destructive attacks are unlikely to be far away. As an alarming new book by Nicole Perloth, This is How They Tell Me the World Ends: the Cyberweapons Arms Race (for a short version, see the excellent review by Sue Halpern in the New York Review of Books, “Weaponizing the Web”) points out, an important feature of cyber-weapons is that they are very cheap compared to traditional “hard” weaponry. Perloth tells the story of seeing a young Iranian at a hacking conference in Miami demonstrate how to break into the power grid in five seconds: “With his access to the grid, he told us, he could do just about anything he wanted: sabotage data, turn off the lights, blow up a pipeline or chemical plant by manipulating its pressure and temperature gauges. He casually described each step as if he were telling us how to install a spare tire, instead of a world-ending cyberkinetic attack that officials feared imminent.” Hacking tools can give intruders access to even critical infrastructure such as nuclear facilities, the power grid, and air traffic control. But they are relatively cheap compared with other weapons of mass destruction, and for sale in a market that is robust, largely out of sight, and welcoming to anyone with piles of cash at their disposal, whatever their motivation.
Disruptive technologies continue to change the face of infrastructure. In many cases, this is bringing lower costs, better services, more convenience and reduced emissions. Technology, though, is agnostic: the Colonial Pipeline cyberattack is a reminder that disruption can be negative as well as positive. For infrastructure operators and investors today, there is a clear message from these attacks. Cyber-risks are not going away, and are going to get worse. Investments in cyber-security (the FBI, after the Colonial Pipeline breach, has issued a useful “tip sheet” to key US infrastructure providers), insurance, and the ability to re-launch systems after an attack are all going to be increasingly important. The worst situation will be to be unprepared.