The largest gasoline and diesel pipeline on the US east coast was forced to shut down on May 8, after its owner, Colonial Pipeline, was hit with a cyberattack by unknown hackers who demanded a ransom. By May 10, the pipeline remained closed; so far, the disruption has had a minimal impact on gas prices in the region, although that could change if the closure persists for several more days.
Still, the attack underscores something that cybersecurity experts have long warned of: Energy infrastructure, which is pivotal to the economy but is often old and relies on antiquated technology, is a sitting duck for hackers, especially those seeking payment. Energy companies are under enormous pressure to maintain service—price shocks and fuel shortages that could result from an extended outage of the Colonial pipeline, for example, could snarl air and commercial traffic across the country.
Energy companies hit with a ransomware attack may have little choice but to pay up unless they have a cybersecurity plan in advance that allows them to restart their network without permission from the hackers, said Andrew Howard, CEO Kudelski Security, a cybersecurity firm that works with energy companies. The details of this attack remain under investigation, but Howard said the hackers most likely entered the company’s network through its computer systems and gained some kind of leverage over its physical operations—valves and other pipeline hardware that are connected via the internet to the company’s central computer network. It’s possible that the hackers didn’t target the company specifically, and that the hack occurred after an employee clicked a malicious link that was also sent to many other companies. But energy companies are well-known as a potentially lucrative target for hackers, Howard said.
“Energy infrastructure is a prime target for ransomware because [hackers] have a clear-cut way to monetize the attack,” he said. “These systems are old, they tend to be difficult to fix, and historically they were never built with security in mind.”
Colonial has not disclosed the size of ransom the hackers are demanding, and did not respond to an inquiry about whether it intends to pay. But Howard said that hackers most often demand a sum their target could realistically afford to pay. And indeed, ransomware attacks on energy companies stand a decent chance of paying off, according to a survey published April 27 by the cybersecurity firm Sophos. Out of 5,400 global companies surveyed by the firm, about 37% reported that they suffered a ransomware attack in 2020, with an average ransom of $170,404. More than a third of energy-sector companies, about 200 in total, reported being hit; of these, 43% said they paid the requested ransom, the highest share of any sector.
Perhaps for that reason, energy companies are increasingly coming into the sights of hackers. According to a February IBM analysis, energy companies were the third most targeted sector for cyberattacks, after finance and manufacturing. For any company, updating and securing computer systems is fairly straight-forward and routine, Howard said. But protecting internet-connected physical infrastructure remains costly and tedious, he said.
“The unfortunate truth,” said Dan Schiappa, chief product officer at Sophos, “is that infrastructure today is so vulnerable that just about anyone who wants to get in can get in.”