Security

A Future of Smart Building Cyberattacks in the Pipeline?

On May 7th 2021, the Colonial Pipeline Company announced it was the victim of ransomware cyberattacks that forced it to disable the largest petroleum pipeline in the US. The Colonial Pipeline carries 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on an almost  9,000 km route from Houston, Texas, to Linden, New Jersey, representing around 45% of the nation’s East Coast supply. Once the story hit the news, residents of the Northeast US flocked to gas stations causing fuel shortages that spread panic across the region.  “It’s more likely that fuel shortages will be a result of panic buying from consumers watching the headlines unfold, as opposed to shortages directly caused by the attack,” Marty Edwards, VP of operational technology security for Tenable, told Vox-Recode. “This is something we saw with Covid and grocery stores selling out of household items. Regardless, it shows the impact cybersecurity has on our everyday […]

Stay ahead of the pack

with the latest independent smart building research and thought leadership.

Have an account? Login

Subscribe Now for just $200 per year per user (just $17 USD per month) for Access to Quality Independent Smart Building Research & Analysis!

What Exactly Do you Get?

  • Access to Website Articles and Notes. Unlimited Access to the Library of over 1,700 Articles Spanning 10 Years.
  • 10% discount on ALL Memoori Research reports for Subscribers! So if you only buy ONE report you will get your subscription fee back!
  • Industry-leading Analysis Every Week, Direct to your Inbox.
  • AND Cancel at any time
Subscribe Now

On May 7th 2021, the Colonial Pipeline Company announced it was the victim of ransomware cyberattacks that forced it to disable the largest petroleum pipeline in the US. The Colonial Pipeline carries 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on an almost  9,000 km route from Houston, Texas, to Linden, New Jersey, representing around 45% of the nation’s East Coast supply. Once the story hit the news, residents of the Northeast US flocked to gas stations causing fuel shortages that spread panic across the region. 

“It’s more likely that fuel shortages will be a result of panic buying from consumers watching the headlines unfold, as opposed to shortages directly caused by the attack,” Marty Edwards, VP of operational technology security for Tenable, told Vox-Recode. “This is something we saw with Covid and grocery stores selling out of household items. Regardless, it shows the impact cybersecurity has on our everyday lives.”

As the details of the attack gradually emerged over the last months, several aspects have raised concern in the commercial buildings sector and their own cyberattacks threat. Perhaps the most important point was just how easy the attacks were able to get access to the critical systems. The hackers, an independent group called Darkside, breached the system through a leaked password to an old and unused account that had access to the virtual private network (VPN), which was set up to allow staff remote access to the company’s servers. This will raise concern for many office buildings that have recently set up or expanded remote access to their networks.

According to Bloomberg, the account in question didn’t have multi-factor authentication, so the hackers only required a username and a password to gain access to the largest petroleum pipeline. From there, it appears that the group only gained access to the company’s IT infrastructure, rather than petroleum operations themselves, but that was enough to force the closure of the pipeline over fear of bigger issues. The firm’s IT department found no way to overcome the malware that had infected the system, even after requesting support from the federal government, leaving supply disrupted and spiraling losses.

“This attack has exposed just how poor our resilience is,” said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”

“Every fragility was exposed,” Dmitri Alperovitch, a co-founder of CrowdStrike, a cybersecurity firm, and now chairman of the think tank Silverado Policy Accelerator. “We learned a lot about what could go wrong. Unfortunately, so did our adversaries.”

The firm eventually paid the $4.4 million ransom, in Bitcoin, to receive a decryption tool from the hackers so it could unlock the compromised systems, but it still took several days to bring the pipeline back online. So, despite the resources of the firm and the support of the government, no solution was found and the only way to restore the critical pipeline was to pay the ransom or continue to lose hundreds of thousands of dollars per day. All kinds of corporations could be vulnerable to the same kinds of cyberattacks, and each could be held to ransom for an amount determined by their losses from the disruption, and they could face the same fate as the colonial pipeline.

"I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible. I believe with all my heart it was the right choice to make… but I want to respect those who see this issue differently," Joseph Blount, President and chief executive of the Colonial Pipeline said. "What a lot of people don't realize is it takes months and months… even years to restore your systems. We often take a look at our defenses, and even though we felt comfortable historically… this threat grows every day and the sophistication of this threat grows every day.”

While the Department of Justice (DOJ) has since recovered 63.7 of the Bitcoin, worth $2.3m, the event was a shock to the US energy system and a wakeup call for all those responsible for security against cyberattacks. Many companies may highlight the critical nature of the Colonial Pipeline as a reason for being targeted and paying the ransom but with the rise of smart buildings, critical infrastructure is increasingly exposed. Every new connected device essentially creates a new attack point, so companies must now ensure that every connected door, sensor, printer, or coffee machine is secure, or risk their entire network of information, assets, and people.

Hackers can use unsecured IoT devices to gain network access, where they can access confidential company or customer information and threaten to use or expose it in terrible ways. Furthermore, they can use those connected security systems to lock people in or out of the building. They can change the temperature or trigger sprinklers to torment occupants or damage assets. They can essentially hold a building’s information, physical assets, or occupants hostage then demand a ransom based on the value of that loss to the company, thereby forcing the payment. This may sound crazy but some people are morally capable, especially given anonymity, as vulnerabilities increase more people become technically capable, and as smart systems expand, so do the range of tools at the hacker’s disposal.

“It’s all fun and games when we are stealing each other’s money,” said Sue Gordon, a former principal deputy director of national intelligence, and a longtime C.I.A. analyst with a specialty in cyberattacks. “When we are messing with a society’s ability to operate, we can’t tolerate it.”

Most Popular Articles

Kieback&Peter Cube Berlin
Energy

Kieback&Peter Building Automation Business & Financials Examined

In this Research Note, we examine Kieback&Peter, one of the long-established German manufacturers and systems integrators of building automation solutions and services. This analysis is based on their December 2023 filing of their 2022 company accounts and more recent announcements. Kieback&Peter GmbH & Co. KG was founded in 1927 in Berlin, Germany. This family-owned medium-sized […]

Alibaba Smart Buildings
Smart Buildings

“Open Sesame” Exploring Alibaba’s Smart Building Approach

Initially launched in 1999 as an online marketplace for Chinese-made products, The Alibaba Group has gone on to become one of the biggest companies in the world with a market cap of over $210 billion. While online retail remains Alibaba’s core service offering, the firm has expanded into a huge range of activities, including comprehensive […]

Allegion 2023 Financials Examined
Security

Allegion Access Control Business & Financials 2023 Examined

In this Research Note, we examine Allegion plc, a pure-play provider of security and access solutions. Our analysis is based on their 2023 annual results, presentation, earnings call and 10K Report. We highlight growth in electronic security products, software and corporate venture capital investments in 2023. Note that we reviewed Allegion’s May 2023 Investor Day […]

Subscribe to the Newsletter & get all our Articles & Research Delivered Straight to your Inbox.

Please enter a valid email

Please enter your name

Please enter company name

By signing up you agree to our privacy policy