Crippling Ransomware Attack on Pipeline Exposes Vulnerabilities in U.S. Critical Infrastructure
Colonial Pipeline, a company that transports more than 100 million gallons of gasoline and other fuel daily across 14 states from Houston to New York Harbor, shut down the pipeline last Friday after discovering ransomware on its computer systems. The FBI has blamed the attack on a ransomware group called DarkSide.
The hack reportedly began last Thursday when hackers stole about 100 gigabytes of data as part of a double extortion scheme. After stealing the data, the hackers locked Colonial’s computers. DarkSide threatened to publish the stolen data online and to keep the computers locked unless Colonial paid an unknown ransom amount.
Colonial Pipeline notified the FBI of the attack on Friday morning and is cooperating with the investigation. The FBI also brought into the investigation the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies that regulate energy and infrastructure. The FBI and other government agencies are still awaiting access to the company’s security protocols to determine how hackers pulled off the crippling ransomware attack.
U.S. critical infrastructure has been the target of an increasing number of cyberattacks. Earlier this year, an unknown hacker breached the access controls at the Oldsmar, Florida, water treatment plant, in an attempt to poison the city’s water supply with lye. In 2020, an unnamed natural gas compressor facility was shut down for two days due to a cyberattack. Several natural gas pipeline operators had service interruptions in 2018, when a technology vendor that facilitated electronic communications between the operators was hacked.
Many members of Congress and the Biden Administration agree that making cybersecurity improvements is essential for the nation’s critical infrastructure, including our electric grid, local energy and utility companies, water treatment plants, and wastewater facilities. All of these operators face significant challenges in making such improvements, including obtaining sufficient funding, staffing and training. In addition, even though the federal government adopted cybersecurity requirements for certain infrastructure operators, funding shortages can result in very little oversight and inspection to make sure operators are complying with the requirements. Some states, like Connecticut, have adopted requirements for certain infrastructure and have provided funding to make sure operators in the state are complying.
In addition, it is recognized that our cybersecurity standards need updating. The Biden Administration has proposed significant funding for the National Institute of Standards and Technology (NIST) to work with industry, science, and government to evaluate and improve the standards for our critical infrastructure.