Pipeline cyberattack exposes energy infrastructure vulnerabilities

Jeff Moulton

Though the Colonial Pipeline that supplies fuel to nearly half the East Coast is back up and running again after a five-day shutdown caused by a May 7 cyberattack, local security experts say the incident should serve as a reminder of just how vulnerable the nation’s energy infrastructure is.

Jeff Moulton, executive director of LSU’s Stephenson National Center for Security Research and Training, says cyberattacks are far more common than most people realize and are likely to intensify in the future.

“This happens every day and most of the time you don’t hear about it,” Moulton says. “But it’s going on everywhere and it’s getting worse.”

One of the reasons cyberattacks are becoming more common—particularly in plants, refineries and other energy infrastructure facilities—is because OT, or operational technology systems, are increasingly linked to IT systems, which makes them easier to attack.

“It used to be that your OT systems—your heat pumps and valves and mechanical equipment—were separate from the IT systems that control networks, payroll, HR, day-to-day stuff,” he says. “Now, they’re linked, which makes things more cost effective, but it also becomes hackable.”

Moulton cannot say with certainty whether that dynamic is responsible for the attack on the Colonial Pipeline, which, at 5,500 miles long is the largest gasoline pipeline in the U.S. But he says as more systems and “smart devices” are linked together inside plants and refineries, companies, and homes, these attacks will proliferate.

The Stephenson Center works with clients, including industry and government, to help them prepare for and recover from such attacks. Moulton says it’s important that businesses of any size take precautions.

Have an incident response plan in place so that if and when an attack occurs, your organization will know what to do and who to call.

Back up your data every day and keep it separate from your other system.

Practice good cyber hygiene, making sure you have the latest and greatest software and that your employees are well trained in scams, phishing attempts and the dangers of clicking on links.

Finally, when you are attacked, make sure to communicate with those you have relationships with.

“Remember, your best security is only as strong as your weakest link,” he says.