Colonial Pipeline, the operator of one of the largest fuel pipelines in the U.S., remains largely shut down after a cyberattack on Friday (May 7).

The pipeline, which provides nearly half of the supply of gas, diesel and jet fuel to the East Coast, was the victim of a ransomware attack by a criminal group. The attack underscores U.S. infrastructure vulnerabilities, according to cybersecurity expert Mike Chapple, teaching professor of IT, analytics and operations at the University of Notre Dame’s Mendoza College of Business.

“The fact that this attack compromised systems that control pipeline infrastructure indicates that either the attack was extremely sophisticated or the systems were not well secured,” said Chapple, a former computer scientist with the National Security Agency and former Air Force intelligence officer. “Standard practice for this type of critical system is to place them on their own isolated networks precisely to prevent this type of attack. These systems shouldn’t be connected to the internet, making it very difficult for an outsider to gain control of them.”

The FBI has confirmed the culprit is DarkSide, a strain of ransomware allegedly operated by Russian cybercriminals. A rare emergency declaration was issued Sunday by the Department of Transportation to use alternative transportation routes for oil and gas and lift regulations on drivers carrying fuel across the southern and eastern U.S.

According to Chapple, this shutdown reveals that core national infrastructure elements continue to be vulnerable to cyberattack.

“Securing our energy infrastructure is a national security issue that involves several different federal agencies and requires centralized leadership,” Chapple said. “Last year, Congress authorized the creation of a national cybersecurity director within the White House, but this position remains unfilled by the Biden administration. In the wake of attacks like Colonial Pipeline and SolarWinds, it is clear that filling the role needs to be a higher priority.” 

Chapple recommends a number of additional steps to increase security.

“Protecting our nation’s critical infrastructure against cyberattack requires a public/private partnership that allows government agencies and corporations to work side-by-side on cybersecurity issues,” he said. “The government will only achieve this goal through a combination of regulations and incentives designed to bring private businesses to the table.

“The Biden administration is likely to release an executive order this week that will outline new requirements for cybersecurity, but those requirements may only apply to the federal government and its contractors,” Chapple explained. “We need a broader set of regulations that create consistent cybersecurity standards for operations with national security implications. One of the other actions proposed in drafts of the upcoming executive order is the creation of an independent investigatory body for cybersecurity incidents modeled after the very successful National Transportation Safety Board (NTSB). In the wake of an aviation disaster, the NTSB convenes a panel of independent expert investigators to reconstruct the accident and share lessons learned with the aviation community. A similar group overseeing cybersecurity investigations would be an enormous step forward in educating businesses about cybersecurity incident prevention.”