On May 7th 2021, the Colonial Pipeline Company announced that it was the victim of a ransomware attack that forced it to shut down the largest refined petroleum pipeline in the US. The Colonial Pipeline carries 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel along an almost 9,000 km route from Houston, Texas, to Linden, New Jersey, around 45% of the East Coast's fuel supply. Once the story hit the news, drivers along the East Coast flocked to gas stations, and the resulting panic buying caused fuel shortages that spread across the region.
“It’s more likely that fuel shortages will be a result of panic buying from consumers watching the headlines unfold, as opposed to shortages directly caused by the attack,” Marty Edwards, VP of operational technology security for Tenable, told Vox-Recode. “This is something we saw with Covid and grocery stores selling out of household items. Regardless, it shows the impact cybersecurity has on our everyday lives.”
As details of the attack emerged over the following months, several aspects raised concern in the commercial buildings sector about its own exposure to cyberattacks. Perhaps the most important point was just how easily the attackers gained access to critical systems. The hackers, a criminal group called DarkSide, breached the network using a leaked password for an old, unused account that still had access to the virtual private network (VPN) set up to give staff remote access to the company's servers. This should concern the many office buildings that have recently set up or expanded remote access to their networks.
According to Bloomberg, the account did not have multi-factor authentication, so the attackers needed only a username and a password to get into the network of the largest petroleum pipeline in the country. From there, it appears the group reached only the company's IT infrastructure, not the operational technology that runs the pipeline itself, but that was enough for Colonial to halt the pipeline rather than risk the attack spreading to its control systems. The firm's IT department found no way to overcome the malware that had infected its systems, even after requesting support from the federal government, leaving supply disrupted and losses mounting.
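The chain described above (a dormant account, VPN access, no MFA, a password taken from a leak) is something an organization can check for directly, both as a one-off audit of its identity store and as a standing alert on VPN logins. The following is an added example, not code from the article or from Colonial Pipeline: a Python audit over a constructed identity export and a constructed VPN authentication log. The account field names, the `vpn-users` group, the log format, the leak corpus, and the 90-day dormancy threshold are all assumptions made for the illustration.

```python
"""Audit an identity export and a VPN log for the conditions reported in the
Colonial Pipeline breach: an old, unused account that still has VPN access,
no MFA, and a password that appears in a credential leak.

Added example, not code from the article or from Colonial Pipeline. The
account fields, log format and leak corpus are all constructed here."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1, the representation used by leaked-password corpora
    such as Pwned Passwords, so cleartext never needs to be compared."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed identity-provider export (field names are assumptions).
ACCOUNTS = [
    {"user": "a.smith", "groups": ["staff", "vpn-users"], "mfa": True,
     "last_login": "2021-04-28T08:12:00Z", "password_sha1": sha1_hex("Xk9#mQ2!pL7vR")},
    {"user": "contractor-2018", "groups": ["vpn-users"], "mfa": False,
     "last_login": "2018-11-02T17:45:00Z", "password_sha1": sha1_hex("Summer2018!")},
    {"user": "b.jones", "groups": ["staff"], "mfa": False,
     "last_login": "2021-05-01T09:00:00Z", "password_sha1": sha1_hex("Welcome1")},
    {"user": "svc-backup", "groups": ["vpn-users", "servers"], "mfa": False,
     "last_login": None, "password_sha1": sha1_hex("Zq4$tW8&nB1yH")},
]

# Constructed leak corpus, stored as hashes only.
LEAKED_SHA1 = {sha1_hex(p) for p in ("Summer2018!", "Welcome1", "Password123")}

# Constructed audit date, the day before the pipeline shutdown.
NOW = datetime(2021, 5, 6, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the account never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(accounts, now=NOW, dormant_days=90, vpn_groups=frozenset({"vpn-users"})):
    """Return {user: [issues]} for accounts matching any risky condition.
    Each condition alone is a finding; all three together is the Colonial case."""
    findings = {}
    for acct in accounts:
        issues = []
        remote = bool(vpn_groups & set(acct["groups"]))
        last = parse_ts(acct["last_login"])
        dormant = last is None or now - last > timedelta(days=dormant_days)
        if remote and not acct["mfa"]:
            issues.append("vpn-access-without-mfa")
        if remote and dormant:
            issues.append("dormant-account-with-vpn-access")
        if acct["password_sha1"] in LEAKED_SHA1:
            issues.append("password-in-leak-corpus")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed VPN authentication log (syslog-like key=value format, assumed).
VPN_LOG = """\
2021-04-29T07:55:10Z vpn01 auth user=a.smith result=success src=203.0.113.10
2021-04-29T08:01:43Z vpn01 auth user=contractor-2018 result=success src=198.51.100.7
2021-04-29T08:02:00Z vpn01 auth user=b.jones result=failure src=198.51.100.7
2021-04-29T08:05:12Z vpn01 auth user=ghost result=success src=198.51.100.7
"""


def dormant_login_alerts(log_text, accounts, dormant_days=90):
    """Alert on a successful VPN login by an account whose previous recorded
    login was more than dormant_days earlier, that never logged in before, or
    that is absent from the inventory. This is the detection that would have
    fired on the first day of an intrusion like Colonial's."""
    previous = {a["user"]: parse_ts(a["last_login"]) for a in accounts}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # constructed input is clean; real syslog is not
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if fields.get("result") != "success":
            continue  # failed attempts are a different (brute-force) signal
        user, when = fields.get("user"), parse_ts(parts[0])
        if user not in previous:
            alerts.append({"user": user, "time": when, "src": fields.get("src"),
                           "days_since_previous": None, "reason": "unknown-account"})
            continue
        prev = previous[user]
        gap = (when - prev).days if prev else None
        if prev is None or gap > dormant_days:
            alerts.append({"user": user, "time": when, "src": fields.get("src"),
                           "days_since_previous": gap, "reason": "dormant-account-login"})
    return alerts


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
    for alert in dormant_login_alerts(VPN_LOG, ACCOUNTS):
        print(f"ALERT {alert['reason']} user={alert['user']} src={alert['src']}")
```

The audit is a point-in-time check and belongs in a scheduled job against the identity provider's export; the login alert is continuous and belongs in the SIEM, where the "previous login" value should come from the identity store at the moment the event arrives. In production the leak check would query the Pwned Passwords range API by hash prefix rather than a local set, but the comparison on hashes rather than cleartext is the same.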
“This attack has exposed just how poor our resilience is,” said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”
“Every fragility was exposed,” said Dmitri Alperovitch, a co-founder of the cybersecurity firm CrowdStrike and now chairman of the think tank Silverado Policy Accelerator. “We learned a lot about what could go wrong. Unfortunately, so did our adversaries.”
The firm paid the $4.4 million ransom, in Bitcoin, to receive a decryption tool from the hackers so it could unlock the compromised systems, but even so it took several days to bring the pipeline back online. Despite the firm's resources and the government's support, no faster fix was found: the choice was to pay the ransom or keep losing hundreds of thousands of dollars a day. Corporations of every kind are vulnerable to the same kind of attack, and each could be held to ransom for an amount set by what the disruption costs it, facing the same fate as Colonial Pipeline.
"I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible. I believe with all my heart it was the right choice to make… but I want to respect those who see this issue differently," Joseph Blount, president and chief executive of Colonial Pipeline, said. "What a lot of people don't realize is it takes months and months… even years to restore your systems. We often take a look at our defenses, and even though we felt comfortable historically… this threat grows every day and the sophistication of this threat grows every day.”
While the Department of Justice (DOJ) has since recovered 63.7 of the Bitcoin, worth about $2.3 million, the event was a shock to the US energy system and a wake-up call for everyone responsible for defending against cyberattacks. Many companies may point to the critical nature of the Colonial Pipeline as the reason it was targeted and paid the ransom, but with the rise of smart buildings, critical infrastructure is increasingly exposed. Every new connected device adds to the attack surface, so companies must now ensure that every connected door, sensor, printer, or coffee machine is secured, or put their entire network of information, assets, and people at risk.
Hackers can use unsecured IoT devices to gain a foothold on the network, from which they can reach confidential company or customer information and threaten to misuse or expose it. They can also turn connected security systems against a building's occupants, locking people in or out. They can change the temperature or trigger sprinklers to harass occupants or damage assets. In effect, they can hold a building's information, physical assets, or occupants hostage and then demand a ransom sized to what that loss is worth to the company, which makes payment hard to refuse. This may sound far-fetched, but some people are willing to do it, especially when anonymous; as vulnerabilities multiply, more people become technically capable of it; and as smart systems expand, so does the range of tools at an attacker's disposal.
“It’s all fun and games when we are stealing each other’s money,” said Sue Gordon, a former principal deputy director of national intelligence, and a longtime C.I.A. analyst with a specialty in cyberattacks. “When we are messing with a society’s ability to operate, we can’t tolerate it.”