Cyber Threats - Lessons From The Colonial Pipeline Event

The 2021 Colonial Pipeline event perfectly demonstrates that poor cyber security has real-world implications. 

The Colonial Pipeline is the largest feed of refined oil products in the U.S., carrying three million barrels daily from Texas to New York. In May 2021, a ransomware attack led to a five-day shutdown. The result was panic buying, potential social unrest and President Biden declaring a national emergency. 

This event raises essential lessons about the threat that cyber attacks pose to civil aviation. Most notable is that human behaviour, rather than technology per se, is the significant risk factor. Hence, assessing risks in a structured manner, mitigating consequences and not inflaming the situation by overreacting must all form part of a structured response. 

To understand all this, it is helpful to break down the sequence of the cyber attack. The hackers exploited weak security in the company's billing system, specifically a legacy system with a single password access point. This legacy system remained in place because no one opted to remove it.

And while the ransomware attack started on 7 May, the attackers had entered the system days earlier to conduct reconnaissance. Monitoring systems failed to detect this activity. 
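The two conditions described above, a legacy system still reachable with a single password and an intruder's early logins that went unnoticed, are the kind of thing a routine review of authentication events can surface. The following is an added example (not code from the article or from Colonial Pipeline): a small review that flags successful logins without a second factor and logins from a source address an account has never used before, then reports how many days such activity preceded the incident. All log lines, user names, system names, addresses, the baseline set and the incident start time are constructed for illustration.

```python
"""Review constructed authentication events for the two weaknesses the
article describes: single-factor access to a legacy system, and logins
from source addresses not seen before.  Added example; all data below
is constructed and does not describe any real system."""
from datetime import datetime, timezone

# Constructed sample records: timestamp, user, source address, system,
# whether a second factor was used, and the outcome.
SAMPLE_LOGS = [
    "2021-04-29T02:11:05Z user=alice src=198.51.100.7 system=legacy-billing-vpn mfa=no result=success",
    "2021-04-29T09:30:00Z user=bob src=192.0.2.10 system=corp-sso mfa=yes result=success",
    "2021-04-30T03:45:12Z user=alice src=198.51.100.7 system=legacy-billing-vpn mfa=no result=success",
    "2021-05-01T11:02:44Z user=alice src=192.0.2.22 system=corp-sso mfa=yes result=success",
    "2021-05-03T01:20:09Z user=carol src=203.0.113.9 system=legacy-billing-vpn mfa=no result=failure",
]

# Constructed baseline of (user, source) pairs seen during normal operation.
KNOWN_SOURCES = {("alice", "192.0.2.22"), ("bob", "192.0.2.10"), ("carol", "192.0.2.31")}

# The article gives 7 May as the start of the ransomware attack; the time
# of day here is an assumption made for the example.
INCIDENT_START = datetime(2021, 5, 7, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a UTC timestamp."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review(lines, known_sources):
    """Return successful logins that lacked a second factor, and successful
    logins from a (user, source) pair absent from the baseline."""
    findings = {"single_factor": [], "new_source": []}
    for line in lines:
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue  # failed attempts are noise for these two checks
        if rec.get("mfa") != "yes":
            findings["single_factor"].append(rec)
        if (rec.get("user"), rec.get("src")) not in known_sources:
            findings["new_source"].append(rec)
    return findings


def earliest_anomaly(findings):
    """Timestamp of the first flagged login, or None if nothing was flagged."""
    flagged = findings["single_factor"] + findings["new_source"]
    return min((r["ts"] for r in flagged), default=None)


def dwell_days(findings, incident_start):
    """Whole days between the first flagged login and the incident start."""
    first = earliest_anomaly(findings)
    if first is None:
        return None
    return (incident_start - first).days


if __name__ == "__main__":
    result = review(SAMPLE_LOGS, KNOWN_SOURCES)
    for kind, records in result.items():
        for r in records:
            print(f"{kind:13} {r['ts'].isoformat()} user={r['user']} src={r['src']} system={r['system']}")
    print("days of unflagged activity before incident:", dwell_days(result, INCIDENT_START))
```

Run as a script, the review lists the two single-factor logins to the legacy system and the same two logins as coming from a source the account had never used, and reports that they preceded the incident start by seven days. The point of the exercise is the gap the article describes: the checks are simple, but they only help if someone runs them before the ransomware stage rather than after.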

In response to the attack, the company closed down the pipeline control system, fearing that it might be compromised. This decision caused the shortages. It is important to stress that the cyber attack didn't curtail the oil flow; instead, the company acted to trigger the shutdown. The pipeline systems remained unharmed and functional. 

The shutdown's impact was almost immediate, with filling stations and airports running low on fuel. Panic buying spread. In Washington, DC, 87 per cent of filling stations ran out of fuel.

Within hours of the attack, the company paid a ransom in Bitcoin to obtain a 'key' to unlock its systems. Yet this 'key' proved slow to act; it was the company's own response plan that unlocked the IT systems and restored full service on 12 May. Investigators later recovered most of the ransom.

Several vital lessons came to light from this event. The hackers didn't intend to shut down the pipeline. Instead, the company closed the pipeline because they couldn't be sure the system was safe. These steps suggest a lack of trust in IT systems that created a ripple effect, amplifying the consequences. 

There is some speculation that decision-makers feared the attack on the billing system could spill over into the systems operating the pipeline. Perhaps with a better understanding of the system integration, the misstep of shutting down the whole system could have been avoided.

So what's to be done? Since we all emit and collect information, our own behaviour helps mitigate risks. The following steps could help prevent or blunt a cyber attack.

  • Practice cyber hygiene. Clean and remove sensitive material from computers, mobile phones and other data storage devices. 

  • Don't share material on unauthorised emails or systems.

  • Conduct a walk-through of your computer and phone settings to minimise your exposure to tracking and to control who has access to your material.

  • Keep software updated.

  • Change passwords at regular intervals.

We can't drop modern technology - we must live with the systems we've created while being aware of the risks. And, of course, interoperability across IT systems offers efficiencies. And yet, it also creates challenges. 

Thus, it is helpful to observe that the mindset that drove changes in aviation security in response to the terrorist threat can also work here. We can summarise these steps as follows:

  • Assess the threats, internal and external.

  • Set priorities: identify the critical systems that may need ring-fencing.

  • Put in place layered security as a standard component.

  • Develop responses: proactive and reactive.

  • Set recommended practices and standards to gain uniformity across the aviation world.

  • Measure success and adapt.

  • Re-assess constantly and be agile.

In support of this, red teaming plays a role in exposing risks. The teams need not consist only of IT experts; in truth, a cross-section of people who can identify the possible attack modes is optimal.

Leading on from these activities, we may isolate mission-critical elements, such as the ATC IT systems, by minimising integration with other systems. Since 2017, ICAO has put in place a framework that assesses the threat to our cyber systems, guides policy and lays down an approach to tackling the challenges.

Never forget that cyber security breaches carry various consequences for the aviation industry. Besides any immediate costs in ransom paid, companies can spend millions seeking to repair and recover systems. And on top of that, there are significant impacts on reputation. 

Finally, we shouldn't let the word 'cyber' intimidate us. You don't need a computing, coding and data science background to recognise the challenges. 

Steve Wordsworth