The shutdown of the Colonial Pipeline revealed a troubling weakness — most of the nation's critical infrastructure is owned by private sector companies, and most of that infrastructure is vulnerable to cyberattack. What will it take to keep pipelines and grids secure?
Mark Montgomery, executive director of the Cyberspace Solarium Commission, a bipartisan, intergovernmental body. (@MarkCMontgomery)
On how the Colonial Pipeline cyberattack happened
Nicole Perlroth: “I don't know if they even know how the ransomware came in. You know, we always talk about Patient Zero. We don't know who Patient Zero was in this attack. But I would not be surprised if it ended up being some kind of spearphishing incident where they sent someone a link, or attachment, or got them to enter their login credentials somewhere, or tested dumb passwords across their employees' login credentials. So we still don't know. But what we do know is that the ransomware hit their IT systems.
“And as a precautionary measure, they went ahead and shut down the pipeline. Either because they didn't have confidence in the separation between their IT systems and the pipeline, or we're hearing that they also wanted to be able to do billing and they couldn't do billing. They couldn't charge for gas or track how much gas was flowing out of the pipeline with their billing system shut down. And so they took that preemptive step of shutting down their operation. And unfortunately, what we have here is a new playbook for any adversary that would like to cause significant disruption or uncertainty to the United States with a degree of plausible deniability.”
What could happen if a ransomware attack did indeed take that next step?
Nicole Perlroth: “It’s a really disturbing case because I think continually in cyber, especially for the last 10 years, we've really underestimated what adversaries can do with really basic means. And in this case, it was a ransomware group that was just coming for their IT systems. And we don't think that they had any intention of shutting the operation down.
"But we have seen attacks, usually from Russia over the last five years, where Russia got into a petrochemical plant in Saudi Arabia. And took it as far as dismantling the safety locks, which are the very last thing from staving off some kind of explosion. Fortunately, thank God, in the process, they basically triggered a shutdown of the whole plant. So things actually function the way that they should and we were able to learn about it. But why were they inside a Saudi petrochemical plant trying to shut off the safety locks?
"Well, I think what they were doing is they were testing out their capabilities for some future hybrid warfare situation. And for now, we don't see Russia really having the impetus to use those capabilities here in the United States. But what just happened with this ransomware group, holding this IT system hostage, forcing the company to shut off operations, offers them a little bit of a more clever playbook. In that so long as these attacks keep coming from ransomware and having similar impacts, there is a playbook there.”
On how vulnerable the U.S. is to cyberattack
Mark Montgomery: “I would say it's extremely inconsistent, but generally poor. And what I mean by that is the federal government tends to look at the national critical infrastructure, which … is 85% privately owned and operated. We look at it as 16 critical infrastructures. Financial services, electrical generation and production, water and wastewater services, telecommunications, pipelines, on and on. It is broadly inconsistent.
"And a good example is financial services. Where some of our largest banks have extremely high levels of cyber investment, there are banks with more than $500 million a year in annual cybersecurity budgets. And they run operation centers that would make a military three or four star envious. So those are high levels. Then you have other levels like our ... wastewater systems, where there's really no investment, limited investment in cybersecurity. We saw pipeline systems that were incredibly vulnerable. So it's an inconsistent grade, but generally poor.”
On how to protect critical infrastructure
Mark Montgomery: “The first thing I'd say is, we kind of look at this challenge as a three-legged stool. The first is technology. We have to have better investment in the cybersecurity defenses of our critical infrastructure. That begins with the companies themselves. They have to acknowledge that we have both threats from criminals, such as ransomware, but also from nation states, depending on which industry you're in. And that you have to make the investments in that. And look, a lot of companies like Colonial have benefited from the automation that this interconnectivity brings.
"There are far fewer workers on the station, operating valves and starting and stopping pumps. But the question is, are those companies taking those significant savings and making the appropriate, much smaller investments in cybersecurity? And the answer in a lot of cases has been no. So first and foremost, you have to invest in the technology. The second leg of the stool is processes. You have to put in the policies, whether it's the information sharing with the government, whether it's reporting incidents, it's how you run your business, cyber hygiene to make yourself less vulnerable. But the processes.
"And the third one's the people. And this is one that gets almost no attention. But the reality is both inside the government and inside the broader national infrastructure, we're short about 33% of cybersecurity experts. So in the United States, that's about 350,000. And in the U.S. government, it's about 35,000. That is a significant shortfall. So we have to make the investments in training and education programs that entice middle school and high school kids into the cybersecurity environment. And then provide a way to recruit from colleges into the federal government. So technology, processes, people. You have to tackle all three. And frequently you only hear about one or two in a legislative proposal or executive branch action.”
On the impact of the Colonial Pipeline attack
Kiersten Todt: “It's hard to assess the impact. We've talked often about what's the cyber event that's going to change minds. And every time there is one that we think is significant, it doesn't quite do the job. But I'll tell you what's been unique about this particular event. We saw the president of the United States have a press conference on a cybersecurity issue as it was happening. That was notable, that it certainly was rising to the surface. At the same time, we saw the most comprehensive executive order and most prescriptive executive order on cybersecurity that we've ever seen.
"But the other piece was we saw as an individual, I live in the Commonwealth of Virginia. And in a matter of days, we heard about how a company wasn't securing its data in a very cybersecurity type language, not patching or wherever the weak authentication was that created the access. And that translated in record time to people waiting in line to get gas.
"And there was that reminder for those of us that were young at the time but could remember what happened to President Carter when there were long lines at the gas station. There is that very visual impact. And we haven't actually had that in cybersecurity in that direct way. And, you know, I'm an optimist by nature. I'm reluctant to say this is the turning point, or this is the game changer. But certainly that connection is one of the more direct connections that we've seen impacting Americans in a very real way.”
Originally published on Literary Hub. Excerpted from This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Used with permission of the publisher, Bloomsbury. Copyright © 2021 by Nicole Perlroth.
From The Reading List
New York Times: "Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers." — "Colonial Pipeline paid its extortionists roughly 75 Bitcoin, or nearly $5 million, to recover its stolen data, according to five people briefed on the transaction."
New York Times: "Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity" — "For years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the power grid or gas pipelines in the United States, imagining how the country would respond."
Tech Republic: "Biden's executive order faces challenges trying to beef up US cybersecurity" — "The EO is designed to protect federal networks, foster information sharing between the government and private sector, and better respond to cyber incidents. But will it do the trick?"
This program aired on May 18, 2021.