Cyber and the Energy Transition with Randy Bell of the Atlantic Council
Randy Bell, Director of the Global Energy Center at the Atlantic Council, joined us for an informative discussion. He addresses the digital threats that already face traditional energy sources and how much more those threats multiply when we move towards smart grids and smart thermostats.
Listen to the full episode now!
While many might associate cybersecurity with passwords or data breaches, events of recent years—most notably the Colonial Pipeline ransomware attack—have now made cybersecurity a common topic of conversation. What many people don’t see is that it’s not just our current energy grid and legacy energy systems that are at risk for cybersecurity attacks: the clean energy systems and smart devices of the future connected to that new grid are even more susceptible to attack, as they will be far more digitally connected than our current legacy systems.
That’s why we recently sat down with Randy Bell of the Atlantic Council to get a better sense of the state of play when it comes to cybersecurity and energy. One of the first items he referenced was the Colonial Pipeline attack.
Colonial Pipeline Attack
In May 2021, Georgia-based Colonial Pipeline suffered a ransomware cyberattack. Colonial’s cybersecurity measures halted all pipeline operations in order to contain the attack. This pipeline system originates in Houston and carries gasoline and jet fuel from Texas all the way to New Jersey.
The ransom requested was 75 bitcoin (BTC) which was worth approximately $4.4M at the time. Colonial paid this ransom within several hours and was then given a software application to restore the network, but the network did not initially operate at regular speed. Because Colonial kept a lot of information guarded, panic buying and shortages occurred.
This was the largest cyberattack on an oil infrastructure target in the history of the US.
Security and Resiliency
The Colonial Pipeline attack (and others that have happened since) underlines a message that Randy consistently preaches: security and resiliency.
The threats to the security of organizations are endless. There are phishing emails, uneven security software updates across a network, and leaked login information, to name a few. Of course all organizations have to put best practices in place, and more importantly, explain why it matters to the company: what the financial and legal consequences of a successful cybersecurity attack would mean. But even the best-protected security can sometimes fail. That’s where resilience comes in.
When a failure happens, it needs to happen gracefully and a plan to get the system up and operational as quickly as possible has to be in place.
The threats to the security of organizations are endless. There are phishing emails, uneven security software updates across a network, and leaked login information, to name a few.
Lessons and Best Practices
That security/resiliency combination can be implemented with certain best practices, all of which can be tied together with lessons learned from Colonial Pipeline.
Make Cybersecurity a Priority
For months before this event, including in the final 30 days before, Colonial Pipeline was searching for a cybersecurity manager. It’s not a revenue-producing center in most businesses so there will always be a budget limitation, but a limited budget cannot allow this area to be an afterthought, or something to invest in after something bad happens.
Be Forthcoming in the Case of an Attack
Because Colonial Pipeline did not give all the details of what had happened to the public, the public acted in the absence of information and we saw people filling up trash bags with gasoline in a panic. When an attack has already happened, part of your recovery plan has to include disclosure to the public to prevent panicked actions from occurring.
Respond and Recover Rapidly
Most didn’t realize that as part of the process of paying the ransom demanded by the hackers, Colonial Pipeline needed to verify that the entity they were paying was not on the OFAC Sanction list.
The OFAC Sanction List
The Office of Foreign Assets Control (OFAC) is part of the Department of the Treasury and administers and enforces economic and trade sanctions based on US foreign policy and national security goals. Its targets are certain foreign countries, regimes, terrorists, international narcotics traffickers, those engaged in the proliferation of weapons of mass destruction, etc. If Colonial Pipeline had paid this ransom without verifying that the entity was not on the list, its day would have gone from bad to worse: it would have committed a federal crime in paying the ransom.
Colonial Pipeline managed to negotiate the price of the ransom down, involve the FBI (which would lead to them later recovering at least half of the ransom), and tried to verify whatever systems they did have were operational before agreeing to the deal.
By working quickly and involving authorities, Colonial Pipeline limited the damage as best it could and has now been given an expensive tutorial on how to improve in the future. We can learn its lessons without paying the ransom.
For more conversations and ideas around topics like this, visit Siemens-Energy.com