By Gregory Hale
Gas is still flowing – and never stopped – but at least three of the four companies operating pipelines admitted they were hit by a cyberattack this week on their electronic systems for communicating with their customers.
Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said Tuesday it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyberattack.”
A day earlier, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns. Eastern Shore said its outage occurred on March 29.
The Department of Homeland Security said Monday it was gathering information about the attacks had no immediate comment.
“We do not believe any customer data was compromised,” said the Latitude Technologies unit of Energy Services Group, which Energy Transfer and Eastern Shore both identified as their third-party provider, in a Bloomberg report. “We are investigating the re-establishment of this data,” Latitude said in a message to customers.
Just the Facts
“Cyber attacks can range from denial-of-service, malware, Insider threat, etc. The problem is that there is no specific given to the type of attack that occurred at the pipeline infrastructure,” said Dewan Chowdhury, chief executive and founder of security provider, MalCrawler. “Right now, everybody is speculative except for the companies involved and law enforcement agencies. I can tell you that based on experience from conducting cybersecurity assessment on downstream natural gas operators is that the connection between them and their upstream supplier is not very secure.”
“Based on what I have read, this looks like a fairly traditional attack. I have seen no evidence of deliberate targeting of the pipeline control systems,” said Eric Cosman, security expert and consultant with ARC Advisory Group.
“The common thread here is that the affected companies used a third-party EDI provider and relied on that service,” said John Cusimano, director of cybersecurity at aeSolutions. “It is not uncommon in the energy industry that energy distribution companies (e.g. pipelines, utilities, etc.) rely on third-party data for their logistics planning (where energy needs to go, how much, when, etc.).
“The main takeaway from this event is that there definitely are people/organizations that are attempting to disrupt U.S. energy distribution using cyber means. The second takeaway is that all companies, but especially U.S. energy companies, need to risk assess (or re-assess) the cybersecurity of ‘external information resources’ (ref NIST Cybersecurity Framework ID.AM-4),” Cusimano said.
“This wasn’t an attack on the control systems,” said Patrick McBride, vice president at network monitoring provider, Claroty. “Time will tell, it could have been financially motivated ransomware attacks. It doesn’t smell like it was a state-sponsored attack.”
“I think that it’s important to make clear that this was not a control system, but rather an Internet-exposed non-real-time data exchange system mandated by FERC to facilitate transparency in the common carrier gas pipeline business,” said Graham Speake, chief information security officer at Berkana Resources. “The actual control systems were not impacted and demonstrate the need to ensure a secure barrier between the control systems and business networks. As companies continue to strive to get more information from their sensors and networks to perform analytics, often resorting to cloud based solutions, there needs to be an increased awareness of the security implications. This needs to involve not just technical countermeasures, but also continual security awareness training to all personnel.”
“A majority of the time it’s just a simple RTU to RTU using MODBUS that interconnects the downstream natural gas provider to their natural gas transmission provider,” Chowdhury said. “There’s hardly any rule sets that protect both networks. The SCADA communication between both entities is pretty limited regarding what functions they can use for ICS/SCADA purposes. In the power regulated network, you will find technologies that limit the communication flows between industrial control equipment. You can find firewalls that limit SCADA protocol functions (e.g., they are limited just to read, not write), you can also find technology such as data diodes that only allow one-way network traffic. Technology like this is hardly utilized in the connection between downstream natural gas providers and their transmission partners.
“We always recommend to put in security controls that limit what can be communicated between both sides. It can range from a firewall that supports industrial control system protocols that can restrict by SCADA functions. The good thing is that due to interoperability the protocol stack typically utilized between downstream and transmission partners is MODBUS which is widely supported on firewalls. To go beyond the recommended is to implement technologies like data diodes that restrict traffic from going bi-directional, and forcing it to be one way,” Chowdhury said.
“We have discovered in several of our assessments that the interconnect to third party data providers are not well secured and are also not well documented or understood by asset owners,” Cusimano said. “For example, we recently assessed a large cogen facility for one of our refining clients. The cogen facility is required to share data with their state’s independent system operator (ISO). This was accomplished using a special server that was dual-homed between the cogen process control network and the ISO through a broadband connection. There was no firewall on the incoming broadband connection. The server was running an end-of-life operating system and hadn’t been patched since it was installed. There was a firewall between the dual-homed server and the process control network but the firewall rules were very promiscuous. The dual-homed server was installed and maintained by a local company that specialized in energy management and regulatory compliance solutions. As such, the local cogen staff and management knew very little about the server and didn’t even have login credentials (yet it was considered their asset and it was and on their network). This is why it is so important to perform detailed vulnerability and risk assessments performed by third-party assessors who will ask the right questions.”
“Critical infrastructure facilities should be on high alert that they are directly in the cross-hairs of bad actors and nation states,” said Bob Noel, director of strategic relationships at Plixer. “Legacy security approaches that have only focused on the perimeter have failed. Breaches are inevitable, so organizations must turn their focus to monitoring internal traffic and its behavior to protect themselves and the people who rely on their services.”
The electronic systems help pipeline customers communicate their needs with operators, using a computer-to-computer exchange of documents. Energy Transfer said the electronic data interchange system provided by Latitude was back up and working Monday night. The business wasn’t otherwise affected, said spokeswoman Vicki Granado.
Eastern Shore Natural Gas’s Latitude system was restored on Monday as well, the company said in a notice to customers. In addition to providing Electronic Data Interchange (EDI) services, Latitude also hosts websites used by about 50 pipelines for posting notices to customers.
Look at Big Picture
It would be easy to say this was just an attack against a business network and everyone can breathe easier, but as McBride said this could have been a pivot point into a bigger and stronger type of assault.
“The broader issues is while it was not an attack on one specific gas company, it was an attack on a third party,” McBride said. “This is a reminder that cyber attacks can cause disruptions on the business side, which means all firms are subject to those attacks. They need to be vigilant, not only on the SCADA side, but also on the supporting business system. Third parties can be weak links.”
“A major problem within this industry is the lack of cybersecurity funding to secure the infrastructure,” Chowdhury said. “Unfortunately, incidents like these rattle the industry to come up with cyber-security plans to secure their environment from the worst case scenario. Groups like The American Gas Association have been working with operators to help improve the overall cybersecurity postures by implementing industry best practice. Let ‘s hope that organizations like this continue their good work, and downstream natural gas operators put the money to invest in cybersecurity.”