Implications of the Colonial Pipeline Ransomware Attack

The Colonial Pipeline ransomware attack this month has opened people's eyes to a new, terrifying reality: cyberattacks against critical infrastructure. Security experts have warned of such attacks for years, but the attack on the Colonial Pipeline is perhaps the first truly mainstream incident that has given people pause, due in large part to the material impact it had on gas prices for those living on the eastern side of the United States.

While the attack itself may have been short-lived and relatively insignificant in the grand scheme of things, it certainly will not be the last of its type, nor will it be the most severe. The vulnerability of critical infrastructure such as fuel pipelines, hydroelectric dams, power plants, and other important facilities is an issue that will continue to haunt us until action is taken to shore up these massive security holes.

In the aftermath of the Colonial attack, consumers were subjected to sudden and unexpected price hikes as well as widespread fuel shortages. These are obviously serious consequences, but imagine if the target had not been a pipeline, and the attack had instead been aimed at the turbines of a hydroelectric dam. What if the malware did not shut down the dam temporarily in order to extort its operators, but instead sought to cause physical damage to the computer systems that allow the dam to function?

The Bonneville Dam supplies power to over 500,000 households in the state of Oregon, and a malware attack against its systems that left the dam seriously damaged or disabled could cause serious, potentially fatal harm to a substantial number of people, not to mention the potential financial losses that come along with such an attack.

That's just one example of how bad this could get--it could get much, much worse than that. Nuclear power plants would be vulnerable in a similar way, but with much more disastrous results. Critical infrastructure desperately needs to be modernized in a security-centric way, and that attitude needs to become the predominant approach not only for infrastructure, but for business as well.