The ransomware attack on Colonial Pipeline: The largest successful cyberattack on energy infrastructure in US history illustrates interdependency vulnerabilities
Cyber vulnerability is exacerbated by today’s extensive multi-corporate and cross-sector interdependencies.
For example, the recent, successful ransomware attack on Colonial Pipeline shut down most supplies of gasoline and jet fuel to the US Southeast. The ransomware itself compromised the company’s business IT network; Colonial halted pipeline operations as a precaution because it could not be confident the intrusion had been contained away from its operational systems. The shutdown disrupted flight schedules at multiple airports and caused extensive fuel shortages at filling stations, which in turn led to panic buying (nearly 90% of Washington DC’s filling stations were left without fuel). Similar and growing interdependencies across all lifeline infrastructures and their supply chains have raised serious concerns and prompted aggressive efforts to further expand cybersecurity.
The pervasive and covert nature of this threat has dramatically changed how security responsibilities are arranged in the United States and allied governments. In the US, for example, during the 20th century the traditional security framework of the military-industrial complex rested on a clean division of responsibility: private industry produced weapons and services for the Federal government, and the nation’s armed forces provided security for the nation. Now, utilities are attacked many thousands of times every day through cyber means, and are ultimately responsible to their customers and shareholders for securing their own systems and operations against such threats.
To help meet this challenge, government agencies in many nations have partnered with utilities to create mechanisms for information sharing and security collaboration, a process that spans both central and regional governments. In the United States, state governors, who have primary responsibility for the public health and safety of their citizens, now recognize the need to address directly the security concerns stemming from cyber threats.
The Cyber Threat to Electric Infrastructure
Cybersecurity is a critical requirement for electric infrastructure, one taken very seriously by both energy corporations and government agencies in the US and in partner nations around the world.
As cyber-attacks become more frequent and varied, energy systems are increasingly being targeted. A successful large-scale cyber-attack on a nation’s bulk power system or on its critical suppliers could cause power outages of unprecedented scale. If such outages were accompanied by widely distributed hardware and software damage, or covered very large geographic footprints, they could put societal continuity at risk. The functioning of hospitals, municipal water systems, and the food, pharmaceutical, transportation, financial and other infrastructures essential to sustaining lives could be seriously jeopardized.
A central concern, for both the electric grid and other lifeline infrastructures, is that confidence in securing such infrastructures against a determined, carefully planned cyber attack (ransomware included) on systems critical to national grid continuity falls well short of certainty. As a result, it is now broadly accepted that the risk of a consequent multi-region, long-duration power outage, accompanied by widely distributed damage to grid IT, OT and critical hardware, is significant.
“Post-event” cybersecurity may be essential for societal continuity
Expanding cybersecurity concerns have led some leading corporations to begin adapting their “grid restart” planning (black start and restoration). These corporations are using emerging “minimum grid” and related restoration planning to ensure that societally vital lifeline infrastructure facilities can be re-energized quickly enough to sustain the communities that depend upon them. At the same time, given the scale of modern interdependencies, the success of such efforts will also depend on the broad availability of tools and capabilities essential for multi-corporate communication, situational awareness and emergency power continuity in such events [1].
[1] For more information on such tools and capabilities, see the resources for “BSX,” “GINOM” and “Emergency Power Assurance” elsewhere on this website.
An IEMI (intentional electromagnetic interference) device creates an electromagnetic pulse, potentially far higher in magnitude than EMP, though only over very short ranges. Use of such devices against multiple critical elements of critical infrastructures could create Black Sky Hazard level impacts.