Our new Marketplace Crash Course is here to help. Sign-up for free, learn at your own pace.
Colonial Pipeline hack reveals critical infrastructure risks
Share Now on:
Big industrial networks, including the Colonial Pipeline, which has been down for three days following a cyberbreach, fill vital everyday needs such as gasoline, clean water and electricity. Yet these often-aging physical systems are frequently less protected against hackers than corporate information technology networks.
“It’s really a challenge when you have old infrastructure,” said Padraic O’Reilly, co-founder of CyberSaint Security, “because the security tends to be snap-on, ad hoc, reactive, etc.”
Hackers — potentially Russian cybercriminals, according to the FBI — breached the operations of the Colonial Pipeline, which delivers gasoline and diesel to the eastern United States. Operators shut down the line for safety, and if it stays down for a week or more, prices could spike at the pump, analysts fear.
Even though pipelines and power lines serve the public good, companies with shareholders and quarterly earnings run them. They decide how much — or how little — to protect them against digital bad guys.
“They have business objectives to meet, so it’s difficult to justify upgrades on equipment that is running,” said Adam Bixler, global head of third-party cyber risk management at security firm BlueVoyant.
That’s the reality, even though hackers have taken down parts of the power grid in Ukraine, broke into a water-treatment plant in Florida and ruined nuclear centrifuges in Iran.
With Colonial Pipeline, it’s not clear whether the hackers took control of the physical systems, but many analysts say cyberthreat actors have demonstrated they can infiltrate information technology systems and then migrate into physical, operational technology networks.
“I think it’s an open secret that governments around the world have an ‘in’ into other people’s internet systems as well as their major infrastructure,” said Cynthia Quarterman, a former top U.S. pipeline regulator.
The Joe Biden administration plans new cyber rules for agencies and contractors involved in critical infrastructure.
But at the Colorado School of Mines, policy professor Morgan Bazilian said unless rules have teeth and bring about change in the industry, hackers will return.
“If you don’t prioritize something, even with wake-up calls, you don’t get action,” Bazilian said. “And that goes for climate change and cyberattacks and everything else.”
There’s a lot happening in the world. Through it all, Marketplace is here for you.
You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible.
Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.