On May 7, 2021, the Colonial Pipeline, one of the major suppliers of gasoline and jet fuel from Texas to the East coast of the U.S., suffered a ransomware attack. The attackers demanded a payment of almost $5 million to have their data, some of which had been exfiltrated, and their backups which had been encrypted, restored.
With the information available to them at the time, the company decided to shut down the systems used to operate their pipeline, effectively shutting down their operations, in order to avoid any risk to public safety, resulting in fuel shortages across the Eastern United States.
The reality of cyberthreats
At the recent CEPA Foundation Quality Summit, we heard from D’Arcy Moynaugh, cyber security partner at Deloitte Canada, about the threat of cyberattacks, and the importance of cybersecurity for pipelines and indeed all industries.
Moynaugh estimates that there has been a 400 per cent increase in cyberattacks, predominantly ransomware, across all levels of industry, since the beginning of COVID.
“Data, and the systems that move data around and control our companies, are now a fact of life,” said Moynaugh. “Most of the things that we’ve automated or we’ve turned over to larger systems can’t be done manually anymore because we no longer have the manpower or the skillsets in-house.”
Automation has huge benefits from time- and cost-savings, to consistency and a reduction in, or the elimination of, human error. But what it also does is leave companies dependent on systems that their employees might not fully understand.
In the case of Colonial Pipelines, it was their billing system, rather than operational technology, that was compromised. But because they were unsure to what degree their IT (information technology) system was integrated with their OT (operating technology), they could not be 100 per cent confident that public safety was not at risk. So, they made the difficult decision to close the pipeline.
How pipeline operators are responding to the risk of cyberthreats
Long before the Colonial Pipeline incident pipeline companies were aware of the risks and have been proactively working with law enforcement agencies at all levels to help protect against the threat.
One of the recommendations many companies hear from their own people is that IT and OT systems should be segmented, but the reality is that those systems have become increasingly integrated for good reasons. Integrated data is more organized, accessible and easier to share and there is less room for error when employees don’t have to search multiple databases for information. Moynaugh cautions that segmenting them should not be undertaken without a thorough analysis of the pros and cons.
Another important question that companies are asking is about the ecosystems involved in the process of going from well to market. When vendors and contractors are involved in a process, what are the agreements in place, and the level of access they have? Preventing successful cyberattacks on pipeline infrastructure isn’t just the responsibility of pipeline operators, the entire supply chain needs to ensure they are protecting their systems.
The evolving board of directors
As the threat of cyberattacks becomes more of a reality, company boards are starting to ask deeper, more searching questions about security and back-ups, and to demand that their Chief Information Security Officer (CISO) has the answers, or access to them.
Moynaugh said that more companies are reaching out and inviting cybersecurity experts to sit on their board, and already about seven per cent of boards include a cybersecurity expert, or have access to a resource.
Accountability
So how do we ensure pipeline operators are taking appropriate measures to protect infrastructure? In the U.S., for example, the Transportation Security Administration has created a new set of requirements. Operators and their supporting IT departments are responsible for showing how they are meeting these regulatory requirements. This becomes an increasing focus in the event of an incident, when IT personnel will be responsible for proving they had been meeting or exceeding those requirements.
That responsibility now lands to a greater extent with the Chief Information Security Officer (CISO). In the event of a ransomware or other cyber attack, the CISO must be prepared to go in front of government bodies, regulatory bodies and law enforcement agencies to explain their company’s security practices; how they affect the operations of the company and what overall effect the cyberattack event is having on the company.
“In order to function safely amid the threat of cyberattack, companies are realizing that there are key security capabilities that they must have in place,” said Moynaugh. “Those capabilities are becoming an important feature on the board of directors and within the workplace.”
In upcoming blog posts we will feature some of the other informative presentations from our 2021 Quality Summit.
