By Bruce Sussman
Thu | May 13, 2021 | 1:43 PM PDT

Here is something you never want to hear about your company after a ransomware attack: "I mean, an eighth-grader could have hacked into that system."

Which company was this person speaking about? Colonial Pipeline.

The person speaking authored a $1.8 million information governance report for the company which uncovered "a patchwork of poorly connected and secured systems."

Is this what led to the successful ransomware attack against the company? The attack left millions of drivers in the eastern U.S., along with airlines and truckers, scrambling to find fuel.

And let's consider another key question. How much action did Colonial Pipeline take to shore up its vulnerabilities following the report?

We may never know. Unlike cybersecurity standards that electric providers must adhere to, there is no federal requirement around cybersecurity for America's pipeline operators.

Now, a powerful voice is calling for that to change.

Audit uncovers Colonial Pipeline cybersecurity problems

Robert Smallwood heads up the Institute for Information Governance at IMERGE Consulting. He and his team wrote the information governance report for Colonial Pipeline, and he did not hold back when the Associated Press asked him about it.

"We found glaring deficiencies and big problems," said Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. "I mean an eighth-grader could have hacked into that system."

So what has changed since then? Colonial Pipeline has made no claims about its cybersecurity in updates on the ransomware attack. However, it did tell the AP it has spent tens of millions of dollars improving its IT system since then.

"We are constantly assessing and improving our security practices—both physical and digital," the company says.

What, exactly, does that mean? We're not sure.

But we do know what kind of cybersecurity benchmarks pipeline operators are required to meet. Or rather, we know that there are none.

According to the chairman of the Federal Energy Regulatory Commission (FERC), the situation is unsettling, and now is the time to change it.

Energy chair: cybersecurity should be mandatory for pipelines

Richard Glick is chairman of the Federal Energy Regulatory Commission, which oversees things like the power grid and how power producers operate, including cybersecurity.

He is now calling for mandatory cybersecurity requirements for pipeline operators across the United States. Here is his statement:

"The cyberattack against the Colonial Pipeline system, which provides nearly half of the fuel supply for the East Coast, is a stark reminder that we must do more to ensure the safety of our nation's energy infrastructure.

For over a decade, the Federal Energy Regulatory Commission (FERC), in coordination with the North American Electric Reliability Corporation, has established and enforced mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States.

It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.

Therefore, I am pleased that Commissioner Clements is joining me today in my longstanding calls for mandatory cybersecurity standards for our nation's pipeline infrastructure."

Will the Colonial Pipeline ransomware attack and its aftermath lead to regulatory changes around cybersecurity or ransomware?

Stay tuned. This part of the story is still developing.
