The May 2021 ransomware attack on Colonial Pipeline impacted over 5,000 miles of fuel pipelines across the southern and eastern United States, immediately revealing just how vulnerable the outdated and legacy systems are in the age of Internet-connected infrastructure. Later investigations revealed that hackers disrupted Colonial Pipeline and shut down the system with just one stolen password.
Moving forward toward safer infrastructure does not mean moving backward to static, unintelligent systems; the reality is that we must build toward a smarter future that incorporates technology into public works. The American Rescue Plan Act will direct hundreds of millions of dollars to cities in dire need of infrastructure repairs after decades of deferred maintenance, and the twin solutions of IoT connectivity and cybersecurity will bring this country’s infrastructure into the current century — and prepare it to last far beyond.
The threshold question for local leaders involves their role not just with the systems they control, but also involving key providers of local services. Some local governments own their utilities; others do not. Privately owned and operated utility service providers generally are monopolies regulated by state, not local, government. Yet mayors or county executives are held responsible for catastrophes like tornadoes or floods. Emergency response to a utility shutdown here is not enough — prevention matters. Certainly, the ransomware attacks on city governments and the Colonial attack raise red flags.
Cyber attacks are highly sophisticated and not many cities have the resources to keep up. Mayors should reach out beyond their authority, directing attention and best practices to preventing utility shutdowns. A first step would be convening all key stakeholders to increase attention on the issue and facilitate a forum of local entities so that best practices can be ensured across all the relevant groups. Elected officials often would be well advised to contact the outside security consultants that many of them utilize for their internal systems concerning best approaches for the convening of service providers. That forum can continue without city management, but officials should be assured that it will be a continuing effort.
Key participants that oversee these industrial control systems (ICS) should begin with a self-assessment that identifies holes in security and implements basic security features like two-factor authentication. There should also be an immediate review of network security for remote employees, as well as a check on which employees (and former employees) have access to what information. Any lingering computer or software updates should be implemented right away. Local officials should contact state regulators to determine the extent to which these questions are part of regulatory review. And similarly, the federal government is increasingly accepting its role.
The lack of investment in American infrastructure has left the country littered with dangerous and crumbling bridges, pipes and dams, earning the U.S. a C- on the 2021 Infrastructure Report Card. And while this lack of investment has led to very real physical dangers, doing the same with IoT-connected infrastructure means additional broad cybersecurity risks. There is a need for ongoing investment in smart infrastructure, guided by regular audits. Internal or external vulnerability modeling can also help identify where investment and attention should be directed.
One key to long-term safety and security is the human factor. Regular training to enhance cybersecurity skills and awareness will help bridge the gap between cybersecurity experts and industry experts and will transform ICS protection.
Local elected officials need to reach beyond their actual authority, and even their expertise, to call attention to the risk and to create a situation where the very best ICS operators set standards for and educate others.
