Colonial Pipeline Co. sent a wave of panic from Texas to New Jersey last spring when company executives decided how they would respond to hackers: They shut down the pipeline, cutting off the flow of gasoline and other fuels to the East Coast.
Colonial CEO Joseph Blount testified before Congress that the decision had to be made. Had the insidious form of malware traveled from Colonial’s business computers to the pipeline’s control technology, Blount said, all bets were off. Gas shortages that lasted a week could have stretched for months.
The decision in May to close a major fuel spigot set off alarm bells across the energy sector. The hack affecting Colonial’s 5,500-mile pipeline system provided a stark reminder of how easily a group of online criminals, looking to make an easy buck, could undermine the U.S. energy system.
Colonial — 2021’s most striking example of America’s vulnerability in the digital age — set the stage for a 2022 that could bring significant changes to government oversight and industry self-policing.
For years, energy companies of all stripes have resisted government cybersecurity mandates. That is beginning to change in the post-Colonial era.
The Biden administration launched several initiatives aimed at beefing up the capacity of federal agencies to manage the threat against critical infrastructure. Biden appointed Chris Inglis as the national cyber director, tasked with coordinating U.S. cybersecurity strategy. And the White House issued an executive order revamping federal digital defense.
Here are four cybersecurity trends to keep an eye on in 2022:
Ransomware plague
In a few short years, ransomware transformed from a middling concern to a major problem for companies.
The attack on the Colonial pipeline by the DarkSide ransomware group resulted in multiple hearings on Capitol Hill delving into issues around the security of energy infrastructure.
Ransomware has plagued everything from electric utilities to local government agencies.
An electric cooperative in Colorado was hit by a suspected ransomware attack in November that led to a 90 percent loss of internal networks (Energywire, Dec. 6, 2021). During the same month, wind energy giant Vestas Wind Systems A/S was hit by a cyberattack (Energywire, Nov. 22, 2021).
There appears to be little end in sight. A recent report from cybersecurity firm Mandiant noted that “the business of ransomware is simply too lucrative” for cyber criminals to ignore. Mandiant also warned that criminal hackers will likely keep exploring operational technology in the coming year “and increasingly use ransomware in their attacks.”
Gift from the gods: Log4j
The tail end of 2021 capped a year full of historic cybersecurity challenges. A vulnerability discovered in early December in the Java-based Log4j software component was described by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), as “the most serious vulnerability that I’ve seen in my decadeslong career.”
In a joint alert, the FBI; CISA; National Security Agency; and security agencies representing Australia, Canada, New Zealand and the United Kingdom warned that “sophisticated cyber threat actors are actively scanning networks to potentially exploit” the Log4j vulnerability. CISA also issued an emergency directive mandating that all federal agencies patch the vulnerability by the end of December.
Log4j is a ubiquitous software component, and the vulnerability in it can be easily exploited. But for the energy sector, it’s not as simple as applying the latest patch. Experts have noted that it may be months to years before the vulnerability is fixed and its full impact is known (Energywire, Dec. 14, 2021).
“If you’re running Hoover Dam or you’re running a chemical process,” said Chris Grove, cybersecurity strategist at industrial cybersecurity firm Nozomi Networks, “then the ramifications of reconfiguring and rebooting or even getting access to a patch is greater, and so is the risk.”
Security analysts say well-known hackers are taking advantage of the vulnerability. But the energy sector has yet to see attacks that could turn the lights out, according to the Electricity Information Sharing and Analysis Center, the power industry’s security clearinghouse.
Supply chain and software breaches
The Log4j software vulnerability is only the most recent wake-up call for an energy industry that’s reliant on global supply chains for everything from security software to solar panels.
The Russia-linked cyberespionage campaign that exploited SolarWinds software prompted the White House last year to issue an executive order targeting the software supply chain. Among other things, it requires software vendors to provide what’s called a software bill of materials — a list of components in software similar to a list of ingredients in a recipe.
“We have great visibility into federal networks. We do not have visibility into critical infrastructure,” said Easterly, the CISA director, during an advisory call.
A software bill of materials is a step toward having a better understanding of what risks come with software, but it’s not the silver bullet, said Ron Brash, vice president of technical research at aDolus Technology Inc.
“Most energy companies, even the large ones, do not have the ability to even look at a software bill of materials and see what’s at risk,” Brash said.
The Department of Energy released a request for information over a number of global supply chain issues, one of which is cybersecurity. But the energy sector has been grappling with federal supply chain policies since the Trump administration, some of which stem from trade tensions with China.
“It’s extremely positive that we’re taking such a broad-based view of supply chain and looking at the competitive landscape to not necessarily immediately, overnight, alienate certain countries,” said Tobias Whitney, a vice president at cybersecurity firm Fortress Information Security. “I think that was the challenge with the prohibition order of the previous administration.”
Jim Cunningham, executive director of Protect Our Power, said the first half of 2022 could say a lot about the direction of federal policy on supply chain issues.
Legislation and mandates
Members of Congress issued a slew of legislation in 2021 aimed at shoring up U.S. defenses against hackers. Some of it ended up in the National Defense Authorization Act.
However, the bipartisan cyber incident notification bill expected to land in the NDAA faced a last-minute hurdle when Sen. Rick Scott (R-Fla.) objected. Scott was concerned that a cyber incident notification requirement could be a burden to small businesses. It never made it into the bill.
Rep. Jim Langevin (D-R.I.), who recently announced he is not running for reelection, told E&E News that the cyber incident notification bill is one of his priorities this year (Energywire, Jan. 19).
Norma Krayem, a cybersecurity expert at Van Scoyoc Associates, said Congress should return to the reporting mandate, which applied to electric utilities. She noted that lawmakers are also exploring how to best protect infrastructure that’s deemed supercritical to the U.S. economy.
Dubbed “systemically important critical infrastructure” by lawmakers and “primary systemically important entities” by CISA, the efforts will be aimed at ensuring that the backbone keeping the U.S. economy going has both resources and federal attention.
“Hopefully, those efforts will be synced up, but there are expectations that this new category would have new regulatory mandates put on any entity that is given this designation,” Krayem said.
Rep. John Katko (R-N.Y.) introduced H.R. 5491, which would authorize CISA to identify critical infrastructure owners and operators. Easterly has supported the bill, saying the agency expects 150 to 200 entities to make the list.