Sunday, June 14, 2026

Risk of Russian cyberattack on U.S. energy infrastructure



As the world warms, electricity consumption patterns could put pressure on the grid. Photo: Ian Muttoo via Flickr

While the threat of a cyberattack on U.S. energy infrastructure existed before the invasion of Ukraine, the crisis has heightened concerns that Russia could take such action in retaliation for U.S. support for Ukraine. In this Q&A, Amy Myers Jaffe and Richard Nephew of Columbia University's Center on Global Energy Policy examine this outlook and how energy companies might respond.

Does the Ukraine Crisis Make a Cyberattack on the U.S. Energy System More Likely?

The U.S. government has warned private industry that its "evolving intelligence" suggests Russia is considering a cyberattack on the United States. Russia has aggressively targeted energy-related systems in the past. In an indictment unsealed last week, the Justice Department said Russian agents had targeted more than 3,300 people working in the energy industry between 2014 and 2017; the U.S. Nuclear Regulatory Commission was among the targeted organizations. Toby Rice, chief executive of U.S. natural gas producer EQT, has said there has been a "significant increase" in cyberattacks against his company since the invasion began. Facing a military stalemate and tightening sanctions, an increasingly frustrated Russia may attempt a destructive attack.

Is there a specific threat to the energy industry? What risks might a serious cyberattack pose?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last week detailing what infrastructure owners should do to prepare for and mitigate specific, known cyberthreats, many of which target the energy sector.

Just weeks before Russia invaded Ukraine, a U.S. security firm uncovered attempts by hackers to compromise several major gas suppliers and exporters, including LNG exporters Cheniere Energy Inc. and Kinder Morgan. That the attempts were detected and shut down before they caused any major operational issues demonstrates the importance of proper system monitoring. However, it is unclear whether these were the only major attempts mounted or simply the only ones detected. U.S. energy infrastructure is certainly a high-value target for Moscow, all the more so given the current turmoil in energy markets and the benefits Russia could gain from disrupting them further.

The May 2021 ransomware attack on Colonial Pipeline highlighted the risks to critical infrastructure. Before the attack, hackers used employee credentials circulating on the dark web to gain access to the company's information technology systems. Colonial's virtual private network (VPN) lacked multi-factor authentication, and the company had no process for closing expired, inactive VPN accounts. Without adequate, continuous monitoring of Colonial's digital systems, the hackers remained inside the network for over a week preparing for the main operation.
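The two weaknesses named above, a dormant account that was never revoked and a VPN that accepted a password alone, are things an operator can check for directly. The following Python is an added example and not code from the article or from Colonial Pipeline: the CSV export columns, the gateway log line format, and the 90-day staleness threshold are assumptions, and all of the data is constructed. It audits a baseline account export for missing MFA and long inactivity, then scans later log lines for successful logins by accounts that were dormant, never used, or absent from the baseline, which is the signature of a forgotten account being picked up with a leaked password.

```python
"""Audit a VPN account export for missing MFA and stale accounts, and flag
logins by dormant accounts in gateway logs. All data is constructed; the CSV
schema and log format are assumptions, not any vendor's real format."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed baseline export (assumed schema), snapshotted 2021-04-28T18:00Z.
SAMPLE_EXPORT = """\
username,enabled,mfa_enrolled,last_login
jdoe,true,true,2021-04-27T08:12:00Z
legacy-vpn01,true,false,2020-11-15T17:40:00Z
contractor42,true,false,
mking,false,true,2020-02-10T09:00:00Z
svc-backup,true,true,2021-04-28T06:00:00Z
"""

# Constructed gateway log lines (assumed format) from after the snapshot.
SAMPLE_LOG = """\
2021-04-29T10:15:02Z vpn-gw01 auth_ok user=jdoe src=203.0.113.10
2021-04-29T22:41:17Z vpn-gw01 auth_ok user=legacy-vpn01 src=198.51.100.23
2021-04-30T01:03:44Z vpn-gw01 auth_fail user=legacy-vpn01 src=198.51.100.23
2021-04-30T06:20:09Z vpn-gw01 auth_ok user=contractor42 src=198.51.100.77
2021-04-30T07:00:00Z vpn-gw01 auth_ok user=ghost src=198.51.100.77
"""

SNAPSHOT_TIME = datetime(2021, 4, 28, 18, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed policy threshold
LOG_RE = re.compile(r"^(\S+) (\S+) (auth_ok|auth_fail) user=(\S+) src=(\S+)$")


@dataclass
class Finding:
    username: str
    issue: str


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_accounts(export_text):
    """Return {username: (enabled, mfa_enrolled, last_login)} from the export."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts[row["username"]] = (
            row["enabled"].lower() == "true",
            row["mfa_enrolled"].lower() == "true",
            parse_ts(row["last_login"]),
        )
    return accounts


def audit_vpn_accounts(export_text, now, stale_after=STALE_AFTER):
    """Flag enabled accounts without MFA or inactive longer than stale_after.
    Disabled accounts are skipped because they cannot be used to log in."""
    findings = []
    for user, (enabled, mfa, last) in load_accounts(export_text).items():
        if not enabled:
            continue
        if not mfa:
            findings.append(Finding(user, "no MFA enrolled"))
        if last is None:
            findings.append(Finding(user, "enabled but never logged in"))
        elif now - last > stale_after:
            findings.append(Finding(user, f"inactive for {(now - last).days} days"))
    return findings


def dormant_login_alerts(export_text, log_text, stale_after=STALE_AFTER):
    """Flag successful logins by accounts that were dormant, never used, or
    unknown in the baseline export. Failed attempts and malformed lines are ignored."""
    accounts = load_accounts(export_text)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != "auth_ok":
            continue
        when, user = parse_ts(m.group(1)), m.group(4)
        if user not in accounts:
            alerts.append(Finding(user, "login by account absent from baseline export"))
        elif accounts[user][2] is None:
            alerts.append(Finding(user, "first-ever login"))
        elif when - accounts[user][2] > stale_after:
            days = (when - accounts[user][2]).days
            alerts.append(Finding(user, f"login after {days} days dormant"))
    return alerts


if __name__ == "__main__":
    for f in audit_vpn_accounts(SAMPLE_EXPORT, SNAPSHOT_TIME):
        print(f"AUDIT  {f.username}: {f.issue}")
    for a in dormant_login_alerts(SAMPLE_EXPORT, SAMPLE_LOG):
        print(f"ALERT  {a.username}: {a.issue}")
```

Run stand-alone, the audit flags legacy-vpn01 (no MFA, 164 days inactive) and contractor42 (no MFA, never logged in), and the log scan alerts on legacy-vpn01's login after 165 dormant days, contractor42's first-ever login, and the unknown account ghost. The point of the second check is that a stale-account audit is only a periodic control; the log rule catches the moment a forgotten account is actually used, which is the window in which the Colonial intruders operated undetected.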

The Colonial Pipeline hack highlights the inherent risks that must be mitigated in digital operations and the need to analyze interconnectivity beyond the fence line of energy infrastructure operations. The interconnection between the pipeline's operational sensors and customer custody transfer, shared remote metering, storage operations, and ultimately customer billing creates a risk that extends beyond Colonial's own data systems to its customers and to data systems across the U.S. East Coast, which means the campaign could have been longer in duration and larger in scale. The company had not segmented its systems in a way that would have eased identification, response and recovery, which lengthened the time to restore service. It also lacked a way to bypass its digital systems and perform some operations manually.

Around the same time, cyber intrusions hit municipalities and other entities near Cushing, Oklahoma, a major U.S. crude oil storage hub, potentially testing entry points to critical infrastructure.

Additionally, while the Colonial Pipeline incident resulted in a temporary loss of fuel supply, a cyber intrusion into safety, electrical, or pressure monitoring systems could lead to major physical incidents, such as explosions or toxic leaks. Here, companies should focus on understanding the risks to software-based safety control systems. An analysis of a failed 2017 cyberattack on a Saudi petrochemical plant indicated that its intended goal was to compromise the safety controls that regulate the plant's voltage, heat and pressure, potentially triggering an explosion. Such safety controllers exist in most critical energy infrastructure, including oil refineries, petrochemical plants, and nuclear power plants.

What can the energy industry do to minimize the impact of a severe cyberattack on the U.S. energy system?

In 2017, a malware attack on the software systems of Danish shipping company A.P. Moller-Maersk crippled its business, which accounts for about one-fifth of global container freight. However, a coincidental power outage in Ghana had left one of the company's domain controllers offline during the attack, allowing it to recover an intact copy of the directory data that anchored its global computerized operations. It took the company nine days to restore Active Directory. The malware attack also destroyed roughly 50,000 of Maersk's laptops and disabled its VoIP phone network, causing operational disruption and substantial replacement costs.

The event deepened understanding of best-practice cyber hygiene and highlighted the importance of investing in it. It also prompted many energy companies to create up-to-date backups of their data that are kept disconnected from the internet, so that intruders cannot reach them. Because attackers cannot access or encrypt offline backup data, it can be used readily in the recovery process without paying a ransom; offline backup is now considered essential for all networks. The event also highlighted the importance of response and recovery planning to cyber defense. Such a plan should include coordinated leadership, external technical assistance, government reporting, and a chain of command for testing and restoring systems from backup data. Denied access to the data in its computer systems, Maersk had to use ground personnel to manually check containers for time-sensitive cargo such as medical supplies. This highlights the need for companies to develop operational plans for manual workarounds that can bypass broken software systems and computers.

How is the U.S. Federal Government Responding to the Threat of Energy Cyberattacks?

While more could be done to push federal, state, and local authorities to improve emergency preparedness, Congress recently passed a cybersecurity law that requires critical infrastructure entities to report major incidents to CISA within 72 hours and to report ransomware payments to CISA within 24 hours. The law also gives CISA subpoena power over entities that fail to report properly and authorizes the creation of an early warning program for emerging vulnerabilities. The DHS Transportation Security Administration also imposes reporting requirements on designated pipeline and transportation operators. These measures complement Shields Up, an initiative already implemented by CISA that provides information and advises companies on cybersecurity.

Do U.S. Cyber Capabilities Constitute a Deterrent?

It's unclear. In March, a Kremlin spokesman described economic sanctions on Russia as an "economic war" against the country orchestrated by the United States and warned that Russia would take "necessary measures" to defend its interests. The question of how Moscow might respond in kind as Western sanctions hurt Russia's banking and energy sectors is becoming increasingly relevant.

The United States also has the ability to launch retaliatory cyberattacks on Russian infrastructure, which Moscow must take into account. Both Russia and the United States have penetrated each other's energy networks, and Russia is known to have shut down parts of Ukraine's power grid in the past. In addition, the United States could interpret a highly destructive attack as an act of war and respond with commensurate severity.

This article was originally published by Columbia University's Center on Global Energy Policy. Read more of their coverage of the Ukraine crisis.



