For more than two years before the Colonial petroleum pipeline shutdown on Friday, US officials repeatedly warned major pipelines that they were increasingly vulnerable to hackers as they moved their operations online.
As recently as February 2020, US cyber security officials warned of an attack on an unnamed natural gas compression facility that mirrored some of the problems faced by Colonial.
In that case, hackers broke into the back-office network and moved into its operations control system, locking up computers on both sides and leaving staff unable to see data from the facility, which had to be shut down.
Officials warned at the time that pipelines should keep their back office separate from their operations. It was useful advice for Colonial Pipeline, whose 5,500 miles of pipes supply half the fuel used by the US east coast.
But on Monday, the White House confirmed that a similar scenario had played out at Colonial, forcing it to shut itself down to ensure that hackers “could not migrate from business computer systems to those that control and operate the pipeline”.
Sujeet Shenoi, professor of computer science at the University of Tulsa and a former nuclear engineer, said that hackers often found the easiest people to attack were in the back office, and that some critical infrastructure companies now had a three-strike rule for employees who breached cyber security procedures.
He added that infrastructure companies had moved quickly to digitise their operations, but had not fully woken up to the scale of the risk of connecting their corporate IT systems to their operational control systems. “This is like a 9/11 and more. Critical infrastructure groups are not ready to respond.”
The Department of Homeland Security set up the Pipeline Cybersecurity Initiative in October 2018 to try to protect more than 2.7m miles of oil and gas pipelines from attack as their owners started to connect them to the internet so that they could monitor operations remotely.
Like its peers, Colonial Pipeline has spent years transforming itself from a traditional utility into a data-driven, digital company. Major pipelines increasingly rely on computers to monitor flows and…