The Department of Homeland Security (DHS) this past month disclosed a disruptive cyberattack on a U.S. energy facility, raising new concerns about protections for energy providers.
The Cybersecurity and Infrastructure Security Agency (CISA), a division of DHS, said a ransomware attack hit a “natural gas compression facility,” leading to a two-day shutdown for the entire pipeline.
While the agency did not specify the name or location of the facility, an assessment by a cybersecurity firm linked the attack to an alert put out by the U.S. Coast Guard in December about a ransomware intrusion that affected camera and physical access control systems and disrupted the entire corporate IT network at the facility.
But the revelation was more notable for the simple fact that agencies rarely acknowledge such attacks publicly.
Here’s what you need to know about cyberattacks targeting the energy industry.
Foreign actors are usually involved
Foreign entities often play a prominent role in cyberattacks on oil and gas pipelines, experts said.
“When you talk about cyberattacks and cyberattacks against the energy infrastructure, primarily you are looking at nation states like Russia, China, Iran,” said Caitlin Durkovich, who served as DHS assistant secretary for infrastructure protection during the Obama administration. “They may come at it with different motives, but certainly they have built up a significant capability.”
A report from the Office of the Director of National Intelligence last year said China has the ability to conduct cyberattacks on U.S. natural gas pipelines.
Chris Bronk, an assistant professor at the University of Houston’s college of technology, said the economic impact of a successful attack can be crippling.
“Shutting down someone’s pipeline can be an enormous destruction of their economic activity,” he said, noting that such attacks aren’t limited to open conflicts between adversaries.
But Durkovich also said that down the line it’s not unreasonable to see domestic groups playing a role as well. She said ecoterrorism could become an issue for pipeline security as cyberattack tools become increasingly available.
Various reporting rules make it difficult to estimate the number of attacks
It’s difficult to track how often cyberattacks occur because companies often have different reporting requirements.
“The pipeline sector is not required to report every attack or every incident,” Durkovich said. “You’re not going to find a complete picture.”
“Companies didn’t necessarily report what happened, and if they did report what happened to, say, the FBI, the FBI would just classify it,” Bronk said.
Durkovich said that when companies do report attacks to the government, they often do so for different reasons, from needing assistance to wanting to alert others in the industry.
Mike Isper, director of security, reliability and resilience at the Interstate Natural Gas Association of America, added that some companies might not report cyber issues because they don’t want to draw attention to a vulnerability in their system.
Critical infrastructure is coming under increasing attack
A recent report from the Government Accountability Office said cyber threats to U.S. critical infrastructure like the energy sector are increasing, and pipelines aren’t the only part of the industry facing cyber threats.
“There is a cyber scenario for every conceivable type of power generation,” Bronk said, while noting that cyberattacks can have varying impacts depending on the target. “I’m most concerned about things that can go kaboom.”
“The whole power supply system is rife with problems and probably the most significant one…is nuclear reactors,” he added.
Durkovich said that one of the biggest trends she has seen is an increase in asymmetric attacks, meaning one country may be attacking another to a greater extent and using different methods.
And she said that attacks on the industry aren’t likely to abate anytime soon.
“This is not a threat that will ever be fully mitigated. It raises the importance of why the sector itself needs to continue to mitigate the consequences,” she said.
Government has a role to play
DHS often issues cybersecurity alerts to energy companies.
“CISA provides some real nice cyber vulnerability alerts almost on a daily basis,” he said. “They push that out for people to mitigate and act on.”
On Capitol Hill, a new bipartisan bill seeks to incentivize utilities to invest in cybersecurity technology and participate in threat information-sharing programs. The legislation, backed by Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.), would also require agencies to help develop cybersecurity technology and conduct tests to identify vulnerabilities in the energy sector.
Durkovich said that when faced with cyber threats, there needs to be more collaboration between government and industry.
“There needs to be more significant investment and incentive for owners and operators of infrastructure to continue to harden and develop resiliency in this complex threat environment,” she said.