Big industrial networks, including the Colonial Pipeline, which has been down for three days following a cyberbreach, fill vital everyday needs such as gasoline, clean water and electricity. Yet these often-aging physical systems are frequently less protected against hackers than corporate information technology networks.
“It’s really a challenge when you have old infrastructure,” said Padraic O’Reilly, co-founder of CyberSaint Security, “because the security tends to be snap-on, ad hoc, reactive, etc.”
Hackers — potentially Russian cybercriminals, according to the FBI — breached the operations of the Colonial Pipeline, which delivers gasoline and diesel to the eastern United States. Operators shut down the line for safety, and if it stays down for a week or more, prices could spike at the pump, analysts fear.
Even though pipelines and power lines serve the public good, companies with shareholders and quarterly earnings run them. They decide how much — or how little — to protect them against digital bad guys.
“They have business objectives to meet, so it’s difficult to justify upgrades on equipment that is running,” said Adam Bixler, global head of third-party cyber risk management at security firm BlueVoyant.
That’s the reality, even though hackers have taken down parts of the power grid in Ukraine, broke into a water-treatment plant in Florida and ruined nuclear centrifuges in Iran.
With Colonial Pipeline, it’s not clear whether the hackers took control of the physical systems, but many analysts say cyberthreat actors have demonstrated they can infiltrate information technology systems and then migrate into physical, operational technology networks.
“I think it’s an open secret that governments around the world have an ‘in’ into other people’s internet systems as well as their major infrastructure,” said Cynthia Quarterman, a former top U.S. pipeline regulator.
The Joe Biden administration plans new cyber rules for agencies and contractors involved in critical infrastructure.
But at the Colorado School of Mines, policy professor Morgan Bazilian said unless rules have teeth and bring…