Cyber and the Energy Transition with Randy Bell of the Atlantic Council

Randy Bell, Director of the Global Energy Center at the Atlantic Council, joined us for an informative discussion. He addresses the digital threats that already face traditional energy sources and how much more those threats multiply when we move towards smart grids and smart thermostats.

 


While many might associate cybersecurity with passwords or data breaches, events of recent years—most notably the Colonial Pipeline ransomware attack—have now made cybersecurity a common topic of conversation. What many people don’t see is that it’s not just our current energy grid and legacy energy systems that are at risk for cybersecurity attacks: the clean energy systems and smart devices of the future connected to that new grid are even more susceptible to attack, as they will be far more digitally connected than our current legacy systems.


That’s why we recently sat down with Randy Bell of the Atlantic Council to get a better sense of the state of play when it comes to cybersecurity and energy. One of the first items he referenced was the Colonial Pipeline attack.

Colonial Pipeline Attack

In May 2021, Georgia-based Colonial Pipeline suffered a ransomware cyberattack. Colonial’s cybersecurity measures halted all pipeline operations in order to contain the attack. This pipeline system originates in Houston and carries gasoline and jet fuel from Texas all the way to New Jersey.

 

The ransom requested was 75 bitcoin (BTC), which was worth approximately $4.4M at the time. Colonial paid this ransom within several hours and was then given a software application to restore the network, but the network did not initially operate at regular speed. Because Colonial kept a lot of information guarded, panic buying and shortages occurred.

 

This was the largest cyberattack on an oil infrastructure target in the history of the US.

 

Security and Resiliency

The Colonial Pipeline attack (and others that have happened since) underlines a message that Randy consistently preaches: security and resiliency.

 

Security

The threats to the security of organizations are endless. There are phishing emails, uneven security software updates across a network, and leaked login information, to name a few. Of course, all organizations have to put best practices in place and, more importantly, explain why it matters to the company: what the financial and legal consequences of a successful cyberattack would be. But even the best-protected systems can sometimes fail. That’s where resilience comes in.

 

Resiliency

When a failure happens, it needs to happen gracefully, and a plan to get the system up and operational as quickly as possible has to be in place.

 


Lessons and Best Practices

That security/resiliency combination can be implemented with certain best practices, all of which can be tied together with lessons learned from Colonial Pipeline.

Make Cybersecurity a Priority

For months before this event, including in the final 30 days before, Colonial Pipeline was searching for a cybersecurity manager. Cybersecurity is not a revenue-producing center in most businesses, so there will always be a budget limitation, but a limited budget cannot allow this area to be an afterthought, or something to invest in only after something bad happens.

Be Forthcoming in the Case of an Attack

Because Colonial Pipeline did not give all the details of what had happened to the public, the public acted in the absence of information and we saw people filling up trash bags with gasoline in a panic. When an attack has already happened, part of your recovery plan has to include disclosure to the public to prevent panicked actions from occurring.

Respond and Recover Rapidly

Most people didn’t realize that, as part of the process of paying the ransom demanded by the hackers, Colonial Pipeline needed to verify that the entity it was paying was not on the OFAC Sanction list.

 

The OFAC Sanction List

The Office of Foreign Assets Control (OFAC) is part of the Department of the Treasury and administers and enforces economic and trade sanctions based on US foreign policy and national security goals. Its targets are certain foreign countries, regimes, terrorists, international narcotics traffickers, those engaged in the proliferation of weapons of mass destruction, etc. If Colonial Pipeline had paid this ransom without verifying that the entity was not on the list, its day would have gone from bad to worse: it would have committed a federal crime in paying the ransom.

 

Colonial Pipeline managed to negotiate the price of the ransom down and involve the FBI (which would later lead to the recovery of at least half of the ransom), and it tried to verify that whatever systems it did have were operational before agreeing to the deal.

 

By working quickly and involving authorities, Colonial Pipeline limited the damage as best it could and has now been given an expensive tutorial on how to improve in the future. We can learn its lessons without paying the ransom.

For more conversations and ideas around topics like this, visit Siemens-Energy.com