Colonial’s Pipeline Infrastructure Wasn’t Hacked, Its Billing Was. That Was Enough.

A Colonial Pipeline Co. gas terminal (Photo by Orbital Joe | Flickr)

Despite the fierce sense of independence that runs through American life, we have built one of the largest infrastructures for transportation, commerce, and societal comfort, relied on daily by hundreds of millions of people. By virtue of America’s post-World War II success, it has also become a major target for its adversaries. In the era of the internet, attacking a country within its own borders without launching an actual invasion has become rather simple, and knocking out a nation’s critical infrastructure has become almost a sport for some countries. But what happens when a critical infrastructure provider is brought down? We just found out.

Colonial Pipeline, the United States’ largest petroleum pipeline, running from the Gulf of Mexico up the eastern seaboard, recently suffered a ransomware event. The pipeline stopped delivering fuel to petroleum suppliers and distributors, and panic ensued. Americans all over the country, not just those in the seventeen states (and Washington, D.C.) that depend on Colonial, swarmed gas stations and began hoarding gas. People filled up their vehicles and also any container they could find, including plastic ones that gasoline may be able to dissolve. Gas stations ran out of gas, and citizens fought at the pumps over their position in line to make sure they would make the cut. It was mostly chaos in the southeastern part of the country for the days the pipeline was down, though reports of panic buying appeared all over, even on the other side of the country.

But here’s the thing: The Pipeline itself technically wasn’t hacked. I would know; I am the CEO and chief security officer at a private cybersecurity firm that was contracted by a company in Colonial’s supply chain following the ransomware attack.

The Operational Technology (O.T.) network that ran the pipeline and kept the petroleum flowing was not affected by the threat actors who hit Colonial Pipeline. What was infected with ransomware was the billing system, which lived on a separate Information Technology (I.T.) network. Colonial Pipeline decided to stop the flow of gas because, without billing, it would not know how to charge the distributors and suppliers receiving gas from the pipeline. Saddled with the choice between stopping the flow of gas to about one-third of the United States to simplify billing and letting the gas flow while working out the costs later with its insurance company, it chose the national panic option.

This situation underscores a multitude of issues the United States currently has with its critical infrastructure and its providers. Petroleum providers, while regulated under the Federal Energy Regulatory Commission (FERC), are not regulated in the same way as a public utility, despite how critical gasoline and other petroleum products are to the daily survival of the United States. That gap allowed Colonial Pipeline to make this decision without being nearly as bound by regulatory law as other critical sectors are.

This situation also shows gaps in the federal government’s ability to spin up the Strategic Petroleum Reserve, the world’s largest supply of emergency crude oil, to fill the gap while Colonial was out. The Department of Transportation issued an emergency order allowing supply trucks to run day and night to make up the difference, though there was no way trucks could be as effective as a pipeline moving petroleum rapidly across the eastern seaboard.

This issue also raises the question of data breach disclosure laws for critical infrastructure. If the public had not been aware of this cyber-attack, gas stations would not have been overrun, and there would have been no shortage or price increases. The twenty-four-hour news media would not have run the hyper-partisan articles that tend to rile up their respective bases, like “Exclusive — Mike Pompeo: Biden Has Unleashed Myriad Crises on America, World, Republicans Must ‘Never Give An Inch’” or “Deniers Scramble to Blame Biden For Colonial Pipeline As Hydrocarbons Prove Unreliable Again.” Basically, if the world had not learned of this attack as quickly as it did, business as usual would have prevailed.

Multiple states, including California, New York, Illinois, Oregon and others, have data breach disclosure requirements that businesses and organizations must adhere to; otherwise they are susceptible to fines, prosecution, or worse. However, certain considerations must be made to ensure the general stability of society, and critical infrastructure providers do not have an exemption at the moment. It’s one thing to be angry with your dentist when their small practice gets its five hundred patients’ health information hacked. It’s another when 100 million people are mistakenly led to believe they will not have gas for their cars for the foreseeable future and spark a national panic.

How do you reason with a mob, which is essentially what this situation created in pockets of the United States? Sadly, situations like this are as old as human society itself. Remember that not long ago, when COVID-19 hit around March of 2020, the United States saw panic buying of toilet paper.

This panic underscores the need for the federal government to harden its critical infrastructure and to ensure that the private corporations that supply that infrastructure fall under a different set of rules for physical security, cybersecurity, and reporting requirements. The general public has to be informed of situations like this; however, this is the rare exception where disclosure after the fact is the more appropriate response.

Recently, the Biden administration released a rather aggressive cybersecurity Executive Order designed to whip federal agencies into shape when it comes to applying technical, physical, and administrative security controls to help prevent further intrusions into government entities. These policies are designed to prevent hacks against critical government contractors, like when Russian intelligence was able to leverage vulnerabilities in the private IT software provider SolarWinds to attack government agencies. The order created aggressive timelines for implementation and for reporting by all agencies. What is missing from the equation are the private businesses, like Colonial Pipeline, that help keep the infrastructure of the entire country running.

The current regulatory compliance requirements for cybersecurity, in my professional opinion, are not stringent enough, though over roughly the next decade we may see that change thanks to the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC). This new standard, based on a living cybersecurity framework known as NIST SP 800-171 that many have paid no more than lip service to for years, requires the entire Defense Industrial Base, around 300,000 private companies, to actually get certified in cybersecurity to a rather aggressive level. There is an expectation that this model will be adopted by the entire federal government and will hopefully be pushed down to critical infrastructure suppliers. NASA, Homeland Security and Treasury are already looking at adopting the standard, so it is only a matter of time.

Colonial Pipeline teaches the world that there is a rather thin line between the normal functioning of society and possible anarchy when expectations of supply are simply not met. If this isn’t an eye-opening event that underscores the need for better cyber hygiene, I don’t know what is.