Operational technology systems older than the internet tend to have outdated security and can be difficult to upgrade.
The cyberattack at Colonial Pipeline is a recent example. Hackers had infected the pipeline's information technology systems with ransomware, forcing its owner to stop the flow of 2.5 million barrels a day of petroleum products.
It has led to widespread fuel shortages along the East Coast and prompted an all-of-government response. (Related: Gasoline supplies COLLAPSE across southern states as cyber hack of pipeline wreaks regional economic havoc.)
Digitization has enabled industrial companies and utilities to increase efficiency with greater oversight and control of their sprawling operations, which in the case of the Colonial Pipeline extends 5,500 miles through a network branching from Texas to New Jersey. But vulnerabilities in office IT systems can offer entry points for hackers to later go after control systems.
"I think what happened last week is the most likely model for what is ahead of us," said Chris Williams, cyber solution architect at Capgemini North America.
Analysts say digital adoption has not been matched by sufficient investment in cyber defenses. "Many OT systems still don't have basic security controls," said Simon Hodgkinson, former chief information security officer at BP and a board adviser at the IT security group Reliance.
According to data from Temple University in Philadelphia, critical infrastructure targets in the country have suffered about 700 ransomware attacks since 2019 – including 100 this year.
In February, hackers infiltrated the water supply of a city in Florida. This month, they disrupted a San Diego hospital chain.
Last year, hackers forced an unnamed natural gas compressor station to shut down, U.S. cyber officials said.
In addition, software from the IT company SolarWinds was breached, allowing hackers to access communications and data in several government agencies.
Matias Katz, chief executive of the cybersecurity group Byos, estimated that only a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, are properly braced for an attack.
A recent survey by Siemens found that just 31 percent of utilities felt well prepared to respond to a breach.
"The problem is that attacks move a lot faster than industries that are quote-unquote 'old school' are used to moving," Katz said. "So, the speeds are different, and before slower-moving industries can catch on, there's already a new attack out there and new threats."
But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly.
Padraic O'Reilly, an infrastructure cybersecurity adviser and co-founder of the cyber risk firm CyberSaint, said companies need to avoid "patching" or "snapping on" security systems. They need to transition into newer systems where security had been built in, but "the problem with that is that it's very expensive," O'Reilly said.
Pipeline infrastructure is largely operated by private capital, meaning there is often a drive to cut costs where possible.
"Over time, as we get more financially based players investing in energy infrastructure, replacing energy companies themselves, the higher the impulse will be to cut costs," said Amy Myers Jaffe, a professor at Tufts University's Fletcher School and author of the book Energy's Digital Future. "And that will be dangerous if cutting costs are done without enough care to the huge requirements for security."
Industry experts are urging the government to ensure that critical infrastructure companies are prepared for attacks and to help them respond to attacks.
Colonial Chief Executive Joseph Blount recently told the Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems. Blount said it was an option he felt he had to exercise given the stakes involved in a shutdown of such critical energy infrastructure.
"I know that's a highly controversial decision. I didn't make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this," Blount said. "But it was the right thing to do for the country."
The oil and gas sector has been criticized for lax cybersecurity regulation. Standards for American pipeline infrastructure are set by the Transportation Security Administration (TSA), the government agency in charge of airport screenings that has been traditionally understaffed and underfunded.
TSA had just six full-time staff members dealing with pipeline security until last year. That number has since increased to 34.
Rich Glick, chair of the Federal Energy Regulatory Commission (FERC), said last week that while stringent cyber regulations applied to the power grid, "there are no comparable mandatory standards" for the almost 3 million miles of pipelines in the country. FERC is responsible for setting cybersecurity rules for the electricity grid.
According to FERC Commissioner Neil Chatterjee, responsibility should be stripped from the TSA and shifted to the Department of Energy. "I was worried about the economic and national security implications of such an attack and we're seeing that in real time with what happened with Colonial," he said.
The American Petroleum Institute, an oil lobby group, wants future cybersecurity policies to "be focused on improving information-sharing and collaboration between the public and private sectors."
Government agencies may go further. Calling the Colonial Pipeline hack a "stark reminder" of the need to harden critical infrastructure, Energy Secretary Jennifer Granholm said on Wednesday, May 19, that "in the face of an evolving array of 21st-century risks, we have to rethink our approach to security, and to reassess the authorities that we can bring to bear during these kinds of emergencies."
President Joe Biden has taken steps to tighten cybersecurity for key projects. Biden this week said he would tie $20 billion in infrastructure investments under his proposed American Jobs Plan to commitments to modernize cybersecurity.
On May 12, Biden signed an executive order aimed at strengthening the country's cybersecurity defenses. The president's executive order calls for the federal government and private sector to partner in confronting "persistent and increasingly sophisticated malicious cyber campaigns" that threaten national security.
Follow Glitch.news for more news and information related to cyberattacks and hacking.
Sources include: