Despite the fierce sense of independence that runs through American life, we have built one of the largest infrastructures for transportation, commerce, and societal comfort. It is relied on daily by hundreds of millions of people. By virtue of America’s post-World War II success, it has also become a major target for its adversaries. In the modern era of the internet, attacking a country within its own borders without launching an actual invasion has become rather simple. Knocking out the critical infrastructure of a country becomes almost a sport for some countries. However, what happens when a critical infrastructure provider is brought down? We just found out.
Colonial Pipeline, the United States’ largest petroleum pipeline, running from the Gulf of Mexico through the eastern seaboard, recently suffered a ransomware event. The pipeline stopped flowing gas to petroleum suppliers and distributors, and panic ensued. Americans all over the country, not just those in the seventeen states (and Washington D.C.) that depend on Colonial, panicked and swarmed gas stations to begin hoarding gas. People were filling up their vehicles, and also any type of container they could use, including those made of plastics that gasoline may be able to dissolve. Gas stations ran out of gas, and citizens were fighting at the pumps over their position in line to ensure they’d make the cut. It was mostly chaos in the southeastern part of the country for the days that the pipeline was down, though reports of panicked buying were appearing all over, even on the other side of the country.
But here’s the thing: The Pipeline itself technically wasn’t hacked. I would know; I am the CEO and chief security officer at a private cybersecurity firm that was contracted by a company in Colonial’s supply chain following the ransomware attack.
The Operational Technology (O.T.) network that ran the pipeline and kept the petroleum flowing wasn’t affected by the threat actors who hit Colonial Pipeline. What was infected with ransomware was the billing system on a separate Information Technology (I.T.) network. Colonial Pipeline decided to stop the flow of gas because it wouldn’t know how to charge the distributors and suppliers receiving gas from the pipeline. Saddled with the choice of stopping the flow of gas to about one-third of the United States to make billing easier, versus allowing the gas to flow and figuring out the costs later with its insurance company, the company chose the national panic option.
This situation underscores a multitude of issues that the United States currently has with its critical infrastructure and its providers. Petroleum providers, while regulated under the Federal Energy Regulatory Commission (FERC), are not regulated in the same way as a public utility, despite how critical gasoline and other petroleum products are to the daily survival of the United States. This allowed Colonial Pipeline to make this decision without being nearly as bound by regulatory law as other critical sectors.
This situation also shows gaps in the federal government’s ability to spin up the Strategic Petroleum Reserve, the world’s largest supply of emergency crude oil, to fill the gap while Colonial was out. The Department of Transportation issued an emergency order allowing supply trucks to run day and night to fill the gap, though there was no way that could be as effective as a pipeline moving petroleum rapidly all over the eastern seaboard.
This issue also brings up data breach disclosure laws for critical infrastructure. If the public hadn’t been aware of this cyber-attack, gas stations would not have been overrun and there would have been no shortage or price increases. The twenty-four-hour news media wouldn’t have seen hyper-partisan articles that tend to rile up their respective bases, like “Exclusive — Mike Pompeo: Biden Has Unleashed Myriad Crises on America, World, Republicans Must ‘Never Give An Inch’” or “Deniers Scramble to Blame Biden For Colonial Pipeline As Hydrocarbons Prove Unreliable Again.” Basically, if the world hadn’t learned of this attack as quickly as it did, business as usual would have prevailed.
Multiple states, including California, New York, Illinois, Oregon and others, have data breach disclosure requirements that businesses and organizations must adhere to for reporting compliance; otherwise they are susceptible to possible fines, prosecution, or worse. However, certain considerations must be made to ensure the general stability of society, and critical infrastructure providers do not have an exemption at the moment. It’s one thing to be angry with your dentist when their small practice gets its five hundred patients’ health information hacked. It’s another when 100 million people are mistakenly led to believe they will not have gas for their cars for the foreseeable future and a national panic is sparked.
How do you reason with a mob, which is essentially what this situation created in pockets of the United States? Sadly, situations like this are as old as human society itself. Remember that not long ago, when COVID-19 hit around March of 2020, the United States saw panicked buying of toilet paper.
This panic underscores the need for the federal government to harden its critical infrastructure and to ensure that the private corporations that supply the infrastructure fall under a different set of rules for physical security, cybersecurity, and reporting requirements. The general public has to be informed of situations like this; however, this is the rare exception where informing the public after the fact is the more appropriate response.
Recently, the Biden administration released a rather aggressive cybersecurity Executive Order designed to whip federal agencies into shape when it comes to applying technical, physical, and administrative security controls to help prevent further intrusions into government entities. These policies are designed to prevent hacks against critical government contractors, like when Russian intelligence was able to leverage vulnerabilities in the private IT software provider SolarWinds to attack government agencies. This order created aggressive timelines for implementation and also for reporting by all agencies. What is missing from the equation are the sectors of private businesses – like Colonial Pipeline – that help keep the infrastructure of the entire country running.
The current regulatory compliance requirements for cybersecurity, in my professional opinion, are not stringent enough, though within roughly the next decade we may see that change thanks to the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC). This new standard, based on a living cybersecurity framework known as NIST 800-171 that many have paid no more than lip service to for years, requires the entire Defense Industrial Base, around 300,000 private companies, to actually get certified in cybersecurity to a rather aggressive level. There is an expectation that this model will be adopted by the entire federal government and hopefully pushed down to the critical infrastructure suppliers. Already NASA, Homeland Security and Treasury are looking at adopting this standard, so it’s only a matter of time.
Colonial Pipeline teaches the world that there is a rather thin line between the normal functioning of society and possible anarchy when expectations of supply are simply not met. If this isn’t an eye-opening event that underscores the need for better cyber hygiene, I don’t know what is.
Nick Espinosa
Nick is the founder and CEO of Security Fanatics, the Cybersecurity/Cyberwarfare division of BSSi2, dedicated to designing custom cyberdefense strategies for medium-sized to enterprise corporations. As a member of the Board of Advisors for Roosevelt University’s College of Arts and Sciences as well as its Center for Cyber and Information Security, the Official Spokesperson for the COVID-19 Cyber Threat Coalition, a board member of Bits N’ Bytes Cybersecurity Education, and Strategic Cybersecurity Advisor for the Private Directors Association, Nick helped to create an NSA-certified curriculum that will help the Cybersecurity/Cyberwarfare community keep defending our government, people and corporations from cyber threats globally. In 2017 Nick was accepted into the Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives, and is a regular contributor of articles published on forbes.com as well as smerconish.com.