Colonial’s muted response to cyberattack will not keep US energy grid safe
Companies and governments should do a better job of securing infrastructure to avoid an unmanageable disaster
Visit Colonial Pipeline’s corporate website and you’ll learn that the Alpharetta, Georgia, energy company is “committed to EXCELLENCE” and that “safety, environmental stewardship, and first-class customer service” drive its operating philosophy.
What you won’t find — unless you navigate to the bottom of the home page and click on “News & Media” — is any mention that the company that operates the largest refined fuels pipeline in the US was brought to its knees by computer hackers on Friday. That is understandable, because it is likely that Colonial still does not completely understand what hit it.
In a brief statement on Saturday, Colonial said it learnt the previous day that hackers were trying to extort it using ransomware. In response, the company shut down its pipeline and some information technology systems and hired cybersleuths to sort out the damage. It offered more of the same on Sunday evening, while also disclosing that the US department of energy had joined a federal law enforcement investigation of the attack. Other than noting that its main lines were still closed, Colonial did not offer much clarity about when it would be back in business (which has left oil traders on edge and scrambling for alternatives).
Companies have their reasons for going mum when hacked, of course. They are worried about reputational damage. If publicly traded, they also fear possible negligence lawsuits from investors (Colonial is privately held). But in an era in which nation-states and roving freelancers alike have turned rival governments, corporations, schools and universities, hospitals, research labs, fire and police departments and other institutions into digital piñatas, hunkering down only perpetuates the problem.
Colonial may be making the rounds as I write, spilling the beans about its hack to competitors in the energy industry and to outside investigators. I don’t imagine it is, though. During a Senate intelligence committee hearing in February about the huge SolarWinds burglary orchestrated by Russian operatives, Microsoft’s president, Brad Smith, and other corporate insiders said one of their biggest frustrations in battling cyberattacks is that information is scattered among private and public stakeholders who do not freely share it with one another.
All of the bad reasons for holding on to information about a cyberattack — embarrassment, competitiveness, incompetence — only make it that much harder to prepare for and surmount the next one.
While the SolarWinds attack brought to the fore how sophisticated and aggressive countries such as Russia, China, North Korea and Iran are about waging cyber warfare, the Colonial intrusion did not, apparently, involve state actors. It was the handiwork of a cybercrime gang called DarkSide, according to Bloomberg News. Many of these freelancers, including other ransomware operatives such as REvil, Maze and Ragnar Locker, may be state-sponsored anyhow, making such distinctions irrelevant.
Even so, DarkSide — if it was simply acting as an independent grifter — still pulled off an attack that shuttered a pipeline system traversing about 8,850km, according to Colonial. The company says it provides 45% of all fuel that the East Coast consumes and supplies 50-million Americans and the US military with everything from petrol and jet fuel to home heating oil and diesel. The shutdown has a whiff of the apocalyptic about it, and is the stuff that gives national security experts nightmares.
It is also the kind of action the US has shied away from taking in response to state-sponsored attacks such as SolarWinds. Targeting transit lines and energy grids worries diplomats, the military and the national security community because it harms average citizens alongside corporate or government targets and can lead to escalations. Yet here we are. The Biden administration, under pressure in the wake of the SolarWinds attack to respond decisively to Russia, said it is examining the Colonial matter closely.
A group of five partnerships own Colonial: Colonial Partners, Colonial Pipeline, KKR-Keats Pipeline Investors, Koch Capital Investments Company and Shell Midstream Operating. How closely was their company monitoring its own systems?
Colonial has been shut down by hurricanes in the past, as well as what it has described as “integrity” issues in its pipeline network. The company also was responsible for a huge spill of at least 4.5-million litres of gas in a North Carolina nature preserve last year. This is the first time, apparently, that hackers have shuttered its operation. How well the company is managed will draw greater scrutiny in the coming days.
The hack is only the latest and most serious of many attacks directed at energy infrastructure worldwide. As my colleague Liam Denning observed, the vulnerability of all energy networks is one of the top-drawer issues of the 21st century. But that vulnerability extends to almost all facets of our public, private, business and social lives now, given how dependent we are on digital networks and on how they knit us together, globally.
Companies and the government should do a better job of insulating those networks by being transparent, communicative and proactive about threats. At some point, the wake-up calls will morph into unmanageable disasters.
Bloomberg Opinion. For more articles like this, please visit bloomberg.com/opinion