IOC Experts on the Energy Transfer Partners Attack

There are a number of oil and gas pipelines across the United States. Pipeline leakage is one of the biggest public concerns, and it’s something that happens from time to time. But those of us who don’t work in the industry can forget that there are also sophisticated computer systems behind those pipelines. Cyberattacks on those computer systems can be very costly indeed.

On Monday, April 2nd, a cyberattack against the computer system behind an Energy Transfer Partners natural gas pipeline forced the company to temporarily shut it down. After 6pm Eastern Standard Time that day, the computer system was back online.

EDI is the computing system used by Energy Transfer Partners that was attacked. ETP’s competitors, Tallgrass Energy Partners and Kinder Morgan, also use EDI systems, but they were unaffected by this cyberattack. EDI stands for “electronic data interchange,” and the system enables companies like ETP to engage in computer-to-computer document exchanges with customers.

Incident Response

ETP and their vendor Latitude Technologies were able to restore the EDI system on the evening of the day the attack was discovered. Latitude Technologies said, “While we believe things to be fully restored, we will continue to monitor for gaps in functionality.” A spokesperson for ETP said, “It was on a third-party service provider that a number of energy companies use, including us. Our operations were not impacted by their breach. We were back online with them (Monday) evening.”

A Cyberwarfare Risk

As of this writing, most of the details about the type of cyberattack Energy Transfer Partners faced and the attack methodology aren’t publicly known. We also don’t know who or what was behind the attack. But there is reason to be concerned about cyberwarfare from foreign military entities putting America’s industrial infrastructure at risk.

The Department of Homeland Security (DHS) has noted this particular incident: 

“We are aware of the reports and are gathering further information, as is standard practice whenever we become aware of a potential cyber intrusion affecting the critical infrastructure community,” said press secretary for DHS’s National Protection and Programs Directorate Scott McConnell. “In order to ensure robust information sharing between private sector partners and DHS, the department does not disclose information shared with us for cybersecurity purposes.”

In March, the FBI and the DHS released a Technical Alert about a possible Russian cyberwarfare risk to American infrastructure:

“Since at least March 2016, Russian government cyber actors—hereafter referred to as ‘threat actors’—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity.”

The American energy sector, which includes the oil and gas industry, was mentioned in the Technical Alert several times.

Here’s What IOC Experts Have to Say

I asked a few industrial cybersecurity experts for their thoughts about the cyberattack that Energy Transfer Partners faced. Chris Blask, Global Director of Stealth GTM for Unisys, stated:

“It is good to see an incident successfully resolved with an acceptable business impact. When best practices are implemented to include defining the current requirements for successful business operations, it is possible to maintain operations even under persistent attack. Companies that can deploy and maintain best practices well will have a larger impact in their respective industries.

The continuing modernization of infrastructure is driving exciting changes that create critical business advantages. Industrial enterprises that improve profitability and customer service levels while reducing downtime and costs through the adoption of advanced digital systems will ultimately be competitively successful. New and increased cybersecurity risks will arise along with these changes, but operators who proactively plan for these attacks and mitigate them before deployment will have greater success in their transition.

Having worked with industrial and other enterprises on maturing their protective practices for decades, Unisys sees this trend towards integrating security decisions into business processes becoming much more common.”

Kate Vajda is a Senior Security Consultant with Secure Ideas. She says:

“The Russian attacks are something that utilities have known about for at least two years. From what I understand they have been unsuccessful. As an FYI, one of the major gas pipeline concerns is that gas gets cut from homes, not like flooding or anything. The cost alone of sending trucks out for workers to relight pilot lights in people's homes is a huge deficit, worse than the lack of gas.”

Concinnity Risks founder Éireann Leverett said:

“Attacks on such engineering firms will continue and it would be wise to increase defenses accordingly. In particular, these companies should focus on having in-house incident response teams, and if that is insufficient for their risk profile they can look to the nascent cyber insurance market for risk transfer options in the case of catastrophic physical damage. Attacks always get worse, and they often get cheaper for attackers while becoming more expensive for society at large. We will know the real value of our energy infrastructure if we are unlucky enough to lose it.”

Security researcher Johnny Xmas added:

“While even a complete shutdown of the EDI system itself in no way affects the security of the physical pipeline or its security controls, the potential of leaked information that could lead to such situations could be very high. Without knowing more details behind the attack, we aren't going to be able to speculate on loss or incident response in any sort of useful manner.”

Conclusion

It’s a relief that the cyberattack on Energy Transfer Partners seemed to do little harm. Nonetheless, this incident could be the canary in the coal mine. There’s a lot of work to be done to better harden the security of industrial control systems (ICS) and the other types of computer systems behind our public utilities and oil companies. They’re amongst the most attractive targets to attackers, and other sorts of attacks upon them could put many human lives at risk.

It’s imperative for the private and public sectors to combine their efforts to keep their delicate digital infrastructure secure from the growing international cyberwarfare threat.