The Risk of Russian Cyberattacks on US Energy Infrastructure
Although threats of cyberattacks on U.S. energy infrastructure existed prior to the invasion of Ukraine, the crisis has heightened concern that Russia could pursue such action to retaliate against the United States for its support of Ukraine. In this Q&A, Amy Myers Jaffe and Richard Nephew from Columbia’s Center on Global Energy Policy examine this prospect and how energy companies might respond.
Does the Ukraine crisis make a cyberattack against U.S. energy systems more likely?
The U.S. government has warned private industry that it has “evolving intelligence” that Russia is considering cyberattacks against the United States. Russia has already been active in targeting energy-related systems. In an indictment issued last week, the U.S. Justice Department said Russian agents persistently targeted more than 3,300 people working in the energy industry between 2014 and 2017. The U.S. Nuclear Regulatory Commission was among the organizations targeted. Toby Rice, chief executive officer of the U.S. natural gas producer EQT, has said that cyberattacks targeting his firm have “gone up significantly” since the invasion. As Russia becomes increasingly frustrated in the face of a military stalemate and tightening sanctions, it could attempt a disruptive attack.
Does the energy industry face specific threats? What risks might emerge from a serious cyberattack?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert last week detailing what infrastructure owners should do to prepare their communications and mitigate specific, known cyber threats, many of which target energy.
Just weeks before Russia’s invasion of Ukraine, a U.S.-based security firm identified an attempted intrusion by hackers into multiple major natural gas suppliers and exporters, including the liquefied natural gas export players Cheniere Energy Inc. and Kinder Morgan. That the attempted hacks were discovered and eliminated before they caused any major operational problems points to the importance of proper systems monitoring. However, it is unclear whether these were the only significant attacks mounted or the only significant attacks detected. U.S. energy infrastructure is certainly a high-value target for Moscow, made more important by the overall turmoil in the energy market and benefits Russia could accrue through further disruptions to it.
The ransomware attack on Colonial Pipeline in May 2021 highlights the risks to critical infrastructure. Hackers entered the company’s information technology systems using employee profiles and passwords circulating on the dark web long before the attack. Colonial’s virtual private network (VPN) system lacked multifactor authentication and the company did not have proper processes to close down defunct, non-active VPN accounts. In the absence of sufficient, continuous monitoring of Colonial’s digital systems, the hackers stayed inside the systems for over a week, allowing them to prepare a major operation.
The Colonial Pipeline hack underscored the inherent risks that must be mitigated when digitizing operations, and showed that interconnectivity must be analyzed beyond the fence line of energy infrastructure operations. The interconnectedness of the pipeline’s operational sensors with customer custody transfers, shared remote metering, storage operations, and eventually customer billing operations created a risk that extended beyond Colonial’s data systems to those of its customers, along with the entire U.S. East Coast—meaning the duration of the event could have been longer and its scale wider. The company had failed to segment its systems in a way that would allow easier identification, response, and recovery, which increased the time to service restoration. It also lacked a way to bypass its digital system and conduct some operations manually.
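The two controls the Colonial account says were missing, closing dormant VPN accounts and requiring multifactor authentication, can both be checked from VPN authentication logs. The script below is an added example, not code from the Center on Global Energy Policy or from Colonial; the log format, account names and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Review VPN logins for missing MFA and for dormant accounts that come back to life.

Added example: flags the two gaps described in the Colonial Pipeline discussion.
The log format, user names and dormancy threshold are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: one VPN login per line, "timestamp user mfa=yes|no".
SAMPLE_LOG = """\
2021-01-10T08:02:11 jsmith mfa=yes
2021-01-12T09:15:40 ops_contractor mfa=no
2021-03-30T22:47:05 jsmith mfa=yes
2021-04-29T03:12:59 ops_contractor mfa=no
2021-04-29T08:00:00 mjones mfa=yes
"""

DORMANCY_DAYS = 90  # assumed policy threshold for treating an account as defunct


def parse_log(text):
    """Return a list of (timestamp, user, mfa_used) tuples from the log text."""
    events = []
    for line in text.splitlines():
        ts, user, mfa = line.split()
        events.append((datetime.fromisoformat(ts), user, mfa == "mfa=yes"))
    return events


def review(events, dormancy_days=DORMANCY_DAYS):
    """Return (timestamp, user, reason) findings a monitoring rule should raise.

    'no_mfa': the session was established without multifactor authentication.
    'dormant_reactivated': the account was unused for more than dormancy_days
    and then logged in, the pattern a leaked but never-disabled credential produces.
    """
    findings = []
    last_seen = {}
    for ts, user, mfa_used in sorted(events):
        if not mfa_used:
            findings.append((ts, user, "no_mfa"))
        prev = last_seen.get(user)
        if prev is not None and ts - prev > timedelta(days=dormancy_days):
            findings.append((ts, user, "dormant_reactivated"))
        last_seen[user] = ts
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Lowering the dormancy threshold (for example `review(events, dormancy_days=30)`) shows how quickly the reactivation rule starts catching ordinary users as well, which is the tuning trade-off a monitoring team has to make.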
Around the same time, cyber intrusions hit municipalities and other entities near the main U.S. crude oil storage hub of Cushing, Oklahoma, potentially testing for entry points to critical infrastructure.
Further, whereas the Colonial Pipeline event led to a temporary loss of access to fuel supplies, a cyber intrusion into safety, electrical, or pressure monitoring systems could lead to a major infrastructure accident such as an explosion or toxic release. In this case, companies should focus on understanding the risks to software safety control systems. In 2017, analysis of a failed cyberattack on a Saudi petrochemical plant raised the possibility that the intended goal of the attack was to sabotage safety controllers that regulate voltage, heat, and pressure at the plant—potentially to trigger an explosion. Such safety controllers are found in most critical energy infrastructure, including refineries, petrochemical plants, and nuclear power stations.
What could the energy industry be doing to minimize the impact of a serious cyberattack on energy systems in the United States?
In 2017, malware attacks on the software system of the Dutch shipping company A.P. Moller-Maersk crippled its operations, which account for about one-fifth of all global cargo trade. However, a coincidental power cutoff in Lagos, Nigeria allowed the company to retrieve almost all of its online data backups from the hardware that was powered down in Nigeria. It took the firm nine days to restore the Active Directory that anchored its worldwide computerized operations. The malware attack also damaged Maersk’s 50,000 laptops and disabled its network of VoIP phones, resulting in operational disruptions and substantial replacement costs.
The event improved the understanding of best-practice cyber hygiene and underscored the importance of investing in it financially. It also spurred many energy companies to establish real-time backups of data that are disconnected from the internet and therefore remain inaccessible to hackers. Because hackers cannot reach the backup data, it cannot be compromised, so it is readily available for recovery in the event of a cyberattack and no ransom needs to be paid. Offline backups are now viewed as critical for all networks. The event also highlighted the importance of response and recovery planning to cyber defense. Plans should include a chain of command for coordination leadership, external technical assistance, government reporting, and testing and restoration of systems using backup data. Denied access to the data in its computer system, Maersk had to use on-the-ground staff to check containers manually for time-sensitive cargo like medical supplies. This highlights the point that companies need an operational plan for manual solutions that can bypass damaged software systems and computers.
How has the U.S. federal government reacted to the energy cyberattack threat?
Although more could be done to propel federal, state, and local authorities to improve preparedness for contingencies, the U.S. Congress recently passed a cybersecurity law requiring critical infrastructure entities to report material incidents to CISA within 72 hours and ransomware payments within 24 hours. The law also gave CISA subpoena power to use against entities that fail to report properly, and a mandate to create an early warning program focused on new and emerging vulnerabilities. The Department of Homeland Security’s Transportation Security Administration has also imposed reporting requirements for designated pipeline and transportation operators. These measures are additional to the “Shields Up” initiative that CISA already has in place, which provides information on cybersecurity and makes recommendations to firms.
Do U.S. capabilities for a counter-cyberattack have a deterrent effect?
It is unclear. In March, a Kremlin spokesman characterized economic sanctions against Russia as a U.S.-orchestrated “economic war” on the country and warned that Russia would do “what is necessary” to defend its interests. To the extent that Western sanctions are effective in harming Russia’s banking or energy sector, the question of what Moscow would consider a proportional response becomes increasingly pertinent.
The United States also has capabilities to launch a retaliatory cyberattack of its own on Russian infrastructure, which Moscow will have to take into account. Russia and the United States have each penetrated the other’s energy grids, and Russia famously shut off parts of the Ukrainian grid in the past. Moreover, the United States could interpret a highly disruptive attack as an act of war and respond with proportionate severity.
This post was originally published by Columbia University’s Center on Global Energy Policy.