It’s been four days since the Colonial pipeline, a major gasoline artery in the U.S., shut down following a ransomware attack—and Americans are starting to feel the impacts. The federal government is scrambling to figure out how to transport gasoline across the country, and shortages are beginning to hit gas stations in some states. It’s been such a mess that the hackers themselves have kind of apologized for the whole ordeal: DarkSide, the group responsible for the attack, issued a statement Monday explaining that “our goal is to make money and not creating problems for society.”
Yet the problems aren’t wholly DarkSide’s fault. This whole mess may have been entirely preventable if the government had been paying attention to its own responsibilities in helping pipelines prepare for cyberattacks.
While both political parties have raised increasing concerns about cyber attacks that can target the energy grid and other pieces of critical infrastructure, pipelines, specifically, are a hugely overlooked part of this equation. Federal pipeline cybersecurity guidance and oversight have been minimal at best. The government issues only voluntary cybersecurity guidelines for pipelines, even those like Colonial that affect millions of people every day. Even those voluntary guidelines have been such a non-priority, in fact, that no one seems to have been paying much attention to the issue at all for a decade or more in some cases.
The regulation of physical pipelines and their construction falls under the Pipeline and Hazardous Materials Safety Administration. But the digital security of pipelines is under the purview of the Transportation Safety Administration—the same agency whose agents pat you down at the airport. Yet as late as 2019, TSA employed only six staffers in its pipeline cybersecurity division, responsible for overseeing 2.7 million miles (4.4 million kilometers) of pipeline across the country.
Many of the original TSA best practices regulating pipeline cybersecurity were drafted shortly after 9/11—and many have been barely touched since then. The agency’s protocols outlining the roles of the different branches of the federal government in case of a pipeline security breach haven’t been updated since 2010. Given how quickly the digital landscape of our lives has evolved in the past decade, let alone the sophistication of cyberattacks, the lack of attention is embarrassing.
Warnings about the cyber threats to pipelines have abounded. In 2018, Federal Energy Regulatory Commission members Neil Chatterjee (at the time, the chair of the commission) and Richard Glick wrote an op-ed for Axios detailing how unprepared the U.S. was for a cyberattack on a major pipeline. (Chatterjee retweeted the nearly 3-year-old op-ed on Saturday, suggesting that the landscape probably hasn’t changed since its publication.)
The Government Accountability Office put a fine point on some of those problems in 2019 when it took TSA to task and conducted a probe on its pipeline security protocols. In addition to the embarrassingly out-of-date documents, the GAO also found that the TSA’s plans didn’t “identify the cybersecurity roles and responsibilities of federal agencies that are identified in the plan, such as [Department of Energy], Federal Energy Regulatory Commission (FERC), or the FBI, or discuss the measures these agencies should take to prevent, respond to, or support pipeline operators following a cyber incident involving pipelines.”
Even with the GAO report in 2019, progress seems to have been slow on fortifying the country’s pipelines—and the loosey-goosey nature of what companies are mandated to do could be part of the reason. FedScoop reported in 2019 that following the GAO report, the industry was attempting to work with federal agencies on improving cybersecurity practices, but companies worried that sharing information could affect fuel prices on the market or make them targets for more attacks. Bill Caram, the executive director of the Pipeline Safety Trust, said in an email that “the lack of any kind of reporting requirement around these cyber security events” is “troubling.” He added that “we really have no idea how widespread they are.”
In 2020, an elaborate spearphishing campaign targeted natural gas facilities around the world, including some in the U.S., prompting the two-day shutdown of an unidentified pipeline network. It offered a rare insight into how attacks can play out. The Department of Homeland Security found the owner “did not specifically consider the risk posed by cyber attacks,” reflecting how lax oversight can leave companies unprepared.
It may take some time to figure out what exactly happened with the Colonial pipeline, and it’s not out of the question to think that the company could have been better equipped to face the attack.
“For Colonial itself, it will be seen whether they failed at the essential cyber hygiene (which means they were a rather easy target) or they did well in cybersecurity and the attackers had to use sophisticated methods for the attack,” Dirk Schrader, a vice president of security research at New Net Technologies, a provider of cybersecurity and compliance software, said in an emailed statement. “Based on known facts and insights, it rather seems that Colonial missed on the essentials. Some of the webservers in their infrastructure show old vulnerabilities. ... In addition, there is quite an amount of knowledge about the DarkSide ransomware family to be prepared for it.”
But the government’s complete lack of enforcement in cybersecurity is especially ironic to consider in light of the increasing panic over the physical security of pipelines. More than a dozen states have passed bills over the past few years criminalizing anti-pipeline protests, doling out heavy punishments for vague offenses like trespassing or “tampering” with construction sites. These bills have often been influenced heavily by fossil fuel interests and have come in the wake of Indigenous-led protests against the Keystone XL and Dakota Access pipelines.
Meanwhile, massive fossil fuel pipelines have been operating for years with an OK from the federal government to do so with the digital security equivalent of having your email password set to “password.” Long-term, those pipelines—and the oil and gas industry in general—do need to be wound down to address the climate crisis. But it might be time for the government—and the industry—to rearrange their priorities around what they consider “security” and what the real threats to fossil fuel infrastructure are.