OPINION: President Joe Biden is scheduled to meet prominent members of industry on 25 August to discuss ways to improve cybersecurity.
While that is all well and good, the US is well beyond the point of mere discussion when it comes to improving the security of its cyber networks.
The horse is not only out of the barn, it has left the pasture — and the federal government and private businesses are just now getting round to closing the barn door.
No industry should be more conscious of the potential dangers caused by hackers than the oil and gas sector but — like others — it has been slow at best to respond to the threat. The attack on the Colonial Pipeline in May jarred the industry, but it should not have.
With new technologies come new threats, which should also mean new defences.
Instead, some in the oil and gas industry have acted recklessly, becoming increasingly reliant on digital technology while not protecting their investments.
Colonial Pipeline’s defences turned out to be ridiculously simplistic. The Russian-aligned hacker group DarkSide found a single password on the dark web and was able to hack into the systems for an 8850-kilometre pipeline system that supplied 45% of the US East Coast’s gasoline.
That was it. No secondary validation, no other backup security measure.
In other words, perhaps less security than it took for you to gain access to your work computer this morning.
It’s no wonder the Department of Homeland Security on 20 July issued new requirements for pipeline operators to implement “urgently needed protections against cyber intrusions”.
Bluntly, it should not take a mandate from the government for pipeline operators to respond to a potential threat from cyberterrorists. But many operators appear to have been blissfully ignorant of the threat facing them.
Colonial Pipeline was reportedly warned that its systems would be easy to access for a hacker of moderate skill, but did nothing until DarkSide’s ransomware attack forced it to shut its systems down.
Are other major pipeline operators, such as Plains All American, Kinder Morgan, Williams and Enterprise Products Partners better prepared for such a scenario?
One would hope so, particularly after the federal authorities' reaction to the Colonial Pipeline incident.
Not all of the blame here belongs to private industry. The federal government under both the Trump and Biden administrations should face its fair share of slings and arrows as well.
The Department of Homeland Security set up the Pipeline Cybersecurity Initiative in October 2018, but it clearly has had little impact if a major pipeline system can be hacked with the theft of a password.
In February 2020, US cybersecurity officials warned of an attack on a natural gas pipeline similar to one launched against Colonial. But beyond a warning, no action was taken.
The Biden administration's belated interest in pipeline cybersecurity is a blunder for a government that boasted it would bring a return to professionalism in Washington.
Within days of hacking Colonial, DarkSide was knocked offline by a cyberattack. Odds are that attack came from the US.
While it’s nice to know someone can play offence, it would be preferable if pipeline operators and the US government learned to play defence — and quickly.
(This is an Upstream opinion article.)