Colonial Pipeline hack reveals critical infrastructure risks
Share Now on:
Big industrial networks, including the Colonial Pipeline, which has been down for three days following a cyberbreach, fill vital everyday needs such as gasoline, clean water and electricity. Yet these often-aging physical systems are frequently less protected against hackers than corporate information technology networks.
“It’s really a challenge when you have old infrastructure,” said Padraic O’Reilly, co-founder of CyberSaint Security, “because the security tends to be snap-on, ad hoc, reactive, etc.”
Hackers — potentially Russian cybercriminals, according to the FBI — breached the operations of the Colonial Pipeline, which delivers gasoline and diesel to the eastern United States. Operators shut down the line for safety, and if it stays down for a week or more, prices could spike at the pump, analysts fear.
Even though pipelines and power lines serve the public good, companies with shareholders and quarterly earnings run them. They decide how much — or how little — to protect them against digital bad guys.
“They have business objectives to meet, so it’s difficult to justify upgrades on equipment that is running,” said Adam Bixler, global head of third-party cyber risk management at security firm BlueVoyant.
That’s the reality, even though hackers have taken down parts of the power grid in Ukraine, broke into a water-treatment plant in Florida and ruined nuclear centrifuges in Iran.
With Colonial Pipeline, it’s not clear whether the hackers took control of the physical systems, but many analysts say cyberthreat actors have demonstrated they can infiltrate information technology systems and then migrate into physical, operational technology networks.
“I think it’s an open secret that governments around the world have an ‘in’ into other people’s internet systems as well as their major infrastructure,” said Cynthia Quarterman, a former top U.S. pipeline regulator.
The Joe Biden administration plans new cyber rules for agencies and contractors involved in critical infrastructure.
But at the Colorado School of Mines, policy professor Morgan Bazilian said unless rules have teeth and bring about change in the industry, hackers will return.
“If you don’t prioritize something, even with wake-up calls, you don’t get action,” Bazilian said. “And that goes for climate change and cyberattacks and everything else.”
We’re here to help you navigate this changed world and economy.
Our mission at Marketplace is to raise the economic intelligence of the country. It’s a tough task, but it’s never been more important.
In the past year, we’ve seen record unemployment, stimulus bills, and reddit users influencing the stock market. Marketplace helps you understand it all, will fact-based, approachable, and unbiased reporting.
Generous support from listeners and readers is what powers our nonprofit news—and your donation today will help provide this essential service. For just $5/month, you can sustain independent journalism that keeps you and thousands of others informed.