The world is becoming increasingly dependent on computerized systems to keep everything running. These systems are vulnerable, however, and cyberattacks have been on the rise in recent years. How can we protect our energy infrastructure from these threats?
The how did covid change long-term energy demand and supply is a question about how cyberattacks and ransomware can affect the future of our energy infrastructure.
In May, a ransomware assault knocked down the country’s biggest fuel pipeline for six days, causing gasoline shortages in many Southeastern regions. In the aftermath, US authorities have tried to strengthen the defenses of an industry that has had less cybersecurity regulations than other vital infrastructure sectors for years.
The Transportation Security Administration, which has regulatory responsibility over pipeline cybersecurity, recently issued a rule requiring pipelines to disclose assaults to the Department of Homeland Security’s cybersecurity section as soon as possible. The Biden administration has also directed agencies to enhance their efforts to identify assaults and expand their relationships with private industry, and Congress is now considering numerous cybersecurity-related legislation.
Meanwhile, Joseph Blount, the CEO of Colonial Pipeline Co., which was the subject of the May assault, justified his choice to pay a $4.4 million ransom in bitcoin to the attackers, claiming he needed all the tools he could obtain to repair the 5,500-mile pipeline’s systems. For years, the Federal Bureau of Investigation has urged businesses not to pay ransomware, a kind of malware that holds computer systems hostage in exchange for payment, since it feeds a thriving criminal market. Last month, the Justice Department said that it had recovered approximately $2.3 million in bitcoin.
The attack on the Colonial Pipeline exposed the vulnerability of the country’s enormous energy infrastructure, sparking discussion on how the US and the oil and gas sector might better secure vital infrastructure from attacks.
Three experts in oil-and-gas cybersecurity talked with the Wall Street Journal about how businesses, regulators, and policymakers might improve the security of the country’s energy infrastructure. At Accenture Security, Jim Guinn is the worldwide managing director for cybersecurity in energy, chemicals, utilities, and mining. Suzanne Lemieux is a Canadian actress. works at the American Petroleum Institute as the manager of operations security and emergency response policy. Bronk, Chris is a University of Houston associate professor of computer information systems and information system security. The following are extracts from the discussion, which have been modified for clarity:
WSJ: How can businesses and the government strengthen the energy sector’s resilience against cyberattacks?
Suzanne Lemieux
WSJ photo
MS. LEMIEUX: Thank you. We need a better information-sharing system between government agencies and private businesses. There is a lot of information coming in right now that isn’t getting to the private-sector operators who need it to improve their systems’ defenses. TSA has issued a security guideline requiring incident reporting. We want to make sure that the government has a mechanism in place to anonymize and share that information with the private sector so that we can understand the present risks. Things take months to declassify. We need to enhance their ability to exchange information with the private sector.
BRONK, MR.: There has been a cyber intelligence craze, with a lot of focus on information exchange. The main problem, though, is persuading the intelligence community to share information. It’s difficult to declassify intelligence and quickly distribute it to organizations that lack the necessary processing capabilities. It isn’t going to get any easier. We waited months for Homeland Security to give us a completed evaluation after the Ukraine power-grid attack in 2015, and it was basically something that other clever people had put together long before.
Let us know what you think.
What do you believe the best way is to protect our energy infrastructure? Participate in the discussion below.
If a business wishes to defend itself, it will have to engage in a set of industrial-related activities. This needs to be the kind of event that an organization practices for on a regular basis.
WSJ: There is no North American Electric Reliability Corp., or NERC, for oil-and-gas pipelines. NERC supervises aspects of the utilities sector’s cybersecurity and imposes penalties on businesses that do not meet specific requirements. Should the US government establish a comparable agency to guarantee that oil and gas firms meet minimal requirements?
MS. LEMIEUX: Thank you. For a variety of reasons, the oil-and-gas business differs significantly from the electric industry. Antitrust concerns and competitive markets do not exist in the utilities sector, as they do in the oil and gas industry. In the oil and gas industry, there is a lengthy supply chain, a variety of business structures ranging from individual owner operators to integrated corporations, and a great deal of complexity that we believe is far more difficult to address with a single standard or rule. We don’t want to see a one-size-fits-all approach to this because it won’t work.
The Transportation Security Administration (TSA) does have regulatory responsibility over pipeline security. They have previously decided to do so via guidelines developed in collaboration with the industry. We’ve heard that the TSA will release a second directive, and that some of these instructions would come with penalties if they’re broken. There’s a common misunderstanding that operators won’t defend themselves from cyber attacks unless they’re forced to by authorities. This ignores the reality that businesses in every industry have a financial interest to safeguard their data and operations against harmful actors.
Chris Bronk
WSJ photo
BRONK, MR.: The TSA order isn’t a ground-breaking rule. It essentially states that you should consult with the federal government. When it comes to the big battle for cybersecurity capability in the federal government, TSA is at the bottom of the list. The issue is whether it will produce anything similar to NERC’s critical-infrastructure-protection strategy. Transportation Secretary Pete Buttigieg, who is focused on infrastructure revitalization, is in charge of this. There aren’t any teeth in that area. However, each of these events will enhance the capacity for rule-making and regulation.
Regulation has always been a source of great resentment in the business. The oil and gas business arose from the dissolution of Standard Oil. Government significantly altered the sector, and I believe this had a lasting impact on the culture of the firms that succeeded Standard Oil.
MR. GUINN: I’d want to thank you for your time. We must adhere to certain criteria in order to maintain the bare minimum of security protection. Everyone should have a starting point. If you can go above that, you should be rewarded for it rather than punished. You will be less successful if this becomes an audit exercise.
WSJ: What more can US agencies do to enhance energy cybersecurity policy?
Jim Guinn
WSJ photo
MR. GUINN: I’d want to thank you for your time. Wind, solar, oil and gas, refineries, pipelines, railways, and terminals are all dealt with by an integrated energy business. When you consider everything, how many different agencies would you have to deal with if you have a substantial situation? The Coast Guard, the Department of Energy, Homeland Security, the Pipeline and Hazardous Materials Safety Administration, and the Pipeline and Hazardous Materials Safety Administration are all involved. There are so many that it’s difficult to keep track of them all. Every dollar spent on coordinating across all of those entities is a dollar that might have been spent on making your organization more cyber resilient. I’d want to see a single organization that can assist the energy sector.
Why are ransomware assaults targeting the energy sector on the rise, according to the Wall Street Journal?
MR. GUINN: I’d want to thank you for your time. Because the ransoms are paid by a large number of organizations. According to our threat-intelligence team’s assessment on the energy sector, which includes everything other than utilities, there was a 42 percent rise in publicly reported ransomware attacks on energy firms from the entire year 2020 to the first five months of 2021. From January to May of last year, it increased from 19 to 27.
Energy is now the fourth most targeted industry, up from tenth last year. Attacks rise as a business begins to pay. Eight out of ten operational technology cybersecurity projects have been discontinued, curtailed, or delayed in the year after the pandemic began in March 2020. They understand the need of cyber resiliency. However, when commodity prices become so volatile, you must make a business judgment about what expenditure you can cut. That’s an ideal storm.
Spending on Defense
Top ten industries’ cybersecurity spending as a proportion of IT expenditures
Internet services and software publishing
Financial services and banking
Electronics/electronic equipment used in industry
State and municipal governments
Natural resources, construction, and materials
Internet services and software publishing
Financial services and banking
Electronics/electronic equipment used in industry
State and municipal governments
Natural resources, construction, and materials
WSJ: What is your opinion on whether businesses should pay ransoms or not?
BRONK, MR.: Many of these ransoms are a blip on the radar for businesses. It’s like the moment in Austin Powers when Dr. Evil declares, “We’re going to hold the globe hostage for $1 million,” and everyone thinks, “Wow, that’s not a lot of money.” The ransomers will go where the money is. And these kidnappers have become very professional. The result of paying the ransom and receiving the keys to release your belongings has improved significantly. Nonetheless, every ransom paid legitimizes this criminal economic activity.
MR. GUINN: I’d want to thank you for your time. When it comes to essential infrastructure, every company must decide whether or not they are willing to spend. When energy firms are asked whether they have a cyber incident response strategy, the majority of them say yes. But do you have a plan in place for what will make you pay? Do you have a strategy and business imperatives in place? The majority of people answer no. You don’t want to have to make that choice in the middle of a crisis. You’ll need to place it on a tabletop. You must put it to use. You should have an internal discussion about it. You must be able to establish your procedures in order to decide whether or not you will pay.
Mr. Eaton works as a correspondent for the Wall Street Journal in Houston. [email protected] is his email address.
All Rights Reserved. Copyright 2020 Dow Jones & Company, Inc. 87990cbe856818d5eddac44c7b1cdeb8
The solar now is a technology that can be used to protect our energy infrastructure from cyberattacks and ransomware.
Related Tags
- renewable energy infrastructure
- colonial pipeline
- wsj cyber attack
- should i go solar now wsj
- wall street journal renewable energy