Colonial Pipeline attack demonstrates that a more coherent cybersecurity strategy is necessary

With the announcement that the Colonial Pipeline will reopen soon, the short-term effect of the Colonial cyberattack on gasoline, diesel, jet fuel, and other refined petroleum product prices is likely to be mildly escalatory and short-lived, but it exposes the soft underbelly of the nation’s critical energy infrastructure.

Thousands of pipeline companies operate close to three million miles of oil and gas pipelines crisscrossing the United States. Each of those companies—regardless of its size—is individually responsible for its own pipeline’s cybersecurity. If a company of the size and with the resources of Colonial, which operates the nation’s largest refined products pipeline, can be paralyzed, even for a few days, imagine what could happen if a smaller company, with fewer resources allocated for cybersecurity, were attacked. In that circumstance, an environmental, explosive, or economic catastrophe might not be averted.

These same cyber threats exist with respect to electric, water, and other national critical infrastructure. Luckily, the United States has been able to avoid any major cyber disaster, such as the one earlier this year that could have resulted in the release of large quantities of lye in a water treatment facility in Florida shortly before the Super Bowl. If not for an eagle-eyed employee who noticed the errant movement of a computer cursor, a disaster might have occurred. The United States cannot rely on luck alone to address this issue.

The Department of Homeland Security’s Transportation Security Administration and Cybersecurity and Infrastructure Security Agency coordinate cybersecurity issues and advise on risk with privately owned pipeline companies, but their task is daunting and grossly underfunded.

The Biden-Harris administration has moved swiftly by issuing the Department of Transportation’s emergency declaration to ensure that petroleum products can be transported by trucks to markets with fewer regulatory hurdles. That declaration should cushion gasoline and other fuel prices for a while, but the administration still faces the real challenge: how to prevent this or something far worse. This is quite a conundrum that requires focused thinking and immediate attention to shed light on a path forward.

The problem is dire, and its solution is elusive. No defense is impregnable; every Maginot Line will be breached. But, in the area of safeguarding the nation’s essential pipeline and energy infrastructure, there is often no organized fortification effort. There are only the fragmented and isolated cyber fortresses of thousands of operators, all of whom are more or less left to their own devices. 

And it gets even worse. The prescription for such tragedies of the commons is usually to let the government intervene. But in this case, there is no clear solution, no clearly articulated vision of what the government would do if it took over, and no understanding of what a Maginot cyber line—still vulnerable, but better than close to nothing—would look like.

That is especially true since the US government agencies themselves—indeed all government agencies—face their own cybersecurity challenges. 

On the domestic front, such a vision must be formulated by experts who know at least as much as malicious hackers about the ins and outs of the information and operational technology systems being used to protect and control critical infrastructure. Every country is vulnerable to cyber threats to varying degrees. As much as humanity inhabits this small Earth, it also inhabits a much smaller Internet, with a network of connected devices ranging from cogeneration facilities to pipelines. Collective insecurity should motivate collective action in defense of this most vital infrastructure.

Cynthia Quarterman is a Distinguished Fellow at the Atlantic Council Global Energy Center and the former Administrator of the US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA).
