Pipeline Cyberattack Highlights Fragile Infrastructure

How do I avoid being next?

What do you need to do to protect yourself? 

On May 8, 2021, Colonial Pipeline announced that it was the victim of a ransomware attack.  According to the statement, Colonial’s response to the breach shut down all pipeline operations.  Colonial is responsible for 45% of fuel consumed on the East Coast.

While this security incident is grabbing headlines, it is far from the worst-case scenario.  We should consider it another wake-up call in a long line of them.

Infrastructure Cybersecurity

Companies responsible for infrastructure typically run at least two types of networks.  The first is a standard network for business operations, such as customer service, billing, and the like.  The other is a supervisory control and data acquisition (SCADA) network, which is responsible for the actual infrastructure.

SCADA security has been a concern for years.  In 2009, someone used vulnerabilities in Siemens computer systems to cause physical damage to Iran’s nuclear program.  The Department of Homeland Security’s critical infrastructure work focuses in large part on SCADA systems.

Unfortunately, the desire for more functions has led to closer ties between SCADA systems and other network infrastructure.  These functions include remote administration, data gathering, and financial tasks.  In fact, as local utilities across the country have decreased staff, the need for remote administration has increased.  This increase led to a dangerous attack on a water treatment plant in Florida earlier this year.  Luckily, a worker saw the intrusion and was able to stop the attack before the attacker was able to add dangerous levels of sodium hydroxide to the water supply.

Other infrastructure attacks have led to extensive damage.  For instance, intruders were able to damage a blast furnace in Germany through remote access.  As more of these systems are connected to external networks, more attacks will occur. Inevitably, they will lead to someone dying as a result of a cyberattack. 

What Comes Next?

President Biden’s infrastructure bill was already subject to widespread criticism for its lack of cybersecurity funding.  We expect that to change.  We also anticipate Executive Orders addressing infrastructure security.  Congress was already considering mandatory breach and vulnerability reporting, and it will likely move faster. 

This breach highlights the need for resiliency in networks of all types.  Colonial Pipeline had to shut down its pipeline operations to mitigate a ransomware attack.  Incident response plans should integrate with disaster recovery/business continuity plans, all of which should be tested at least annually.  Sensitive systems and data should be segmented, but network testing should assume that the segmentation will fail. 

If your organization does not have a disaster recovery/business continuity plan, you are assuming an enormous amount of risk.  A ransomware attack on your network may not cut off 40% of the oil to the East Coast, but it could be enough to critically damage your organization.

If you are unsure if you have adequate security or need help testing your incident response or disaster recovery/business continuity plans, you should contact us for assistance.   


About the Author

Brandon Graves is a Partner at Centre Law & Consulting focusing on cybersecurity practices. He helps clients manage everything from crises related to security breaches, regulatory investigations, and disputes, to helping companies operate more securely in their normal course of business. Recently, Brandon assisted companies in developing information security programs, preparing for certifications under the DoD’s Cybersecurity Maturity Model, and managing their supply chain risk.
