Several gas pipeline operators were forced to shut down computer communications with their customers over the last week after their systems were compromised by cybercriminals.
The attack appeared to have targeted Latitude Technologies, a unit of Energy Services Group, which handles the critical computer communications of gas storage facilities, as well as sales contracts and shipment scheduling.
"We do not believe any customer data was compromised," Latitude Technologies said in message to customers.. "We are investigating the re-establishment of this data."
The cyberattack fueled fear of more hostile activity to come as it highlighted just how vulnerable all gas pipelines are to cyberattack.
Cybersecurity experts say the nation’s infrastructure of oil, gas, and chemical pipelines -- which spreads across nearly 2.5 million miles of America -- is low-hanging fruit for hackers. If control systems are infiltrated by a third-party with malicious intent, the consequences would likely go beyond disrupted deliveries.
Andrew R. Lee, a cybersecurity expert at the law firm Jones Walker in New Orleans, told the New York Times the risks include “explosions, spills, or fires, which easily will threaten human life, property and the environment.”
Importance of adequate cyber-security defenses
Cybersecurity experts say the most recent attacks on gas pipelines underscore the importance of third-party risk management -- especially since this isn’t the first time U.S. pipelines have been targeted.
In 2012, a federal cyber response team said that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies.
“There is a good reason that hackers have been attacking weak links in targets’ digital ecosystems for years: it’s often the easiest path to accessing data or distributing malicious content,” said Fred Kneip, CEO of CyberGRX.
“It doesn’t matter how well an organization protects its own perimeter if third parties with weak security controls create vulnerabilities that can be easily exploited. While even the most thorough risk assessment can’t guarantee there’s no malware inside a staging target’s network, it can uncover red flags pointing to weak security controls that leave it vulnerable.”