(Eduard Kovacs – SecurityWeek) Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology.
Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit.
EDI is a platform used by businesses to exchange documents such as purchase orders and invoices. In the case of energy firms, the system is used to encrypt, decrypt, translate, and track key energy transactions. Latitude says it provides EDI and other technology services to more than 100 natural gas pipelines, storage facilities, utilities, law firms, and energy marketers across the U.S.
Bloomberg reported that the incident also affected Boardwalk Pipeline Partners, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, and ONEOK, Inc. However, ONEOK clarified that its decision to disable the third-party EDI service was a “purely precautionary step.”
“There were no operational interruptions on ONEOK’s natural gas pipelines,” the company stated. “Affected customers have been advised to use one of the alternative methods of communications available to them for gas scheduling purposes.”
Few details are known about the cyberattack, but Latitude did tell Bloomberg that it did not believe any customer data had been compromised and no other systems appeared to have been impacted. A status update provided by Latitude on its website on Tuesday informed customers that the initial restoration of EDI services had been completed and the company had been working on increasing performance.
SecurityWeek has reached out to Latitude Technologies and Energy Services Group for more information about the attack and will update this article if they respond.
“This looks like a financially-motivated cyberattack, likely by cybercriminals, but we’ve seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other,” said Phil Neray, VP of Industrial Cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston. “It’s easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day.”
Bryan Singer, director of Security Services at IOActive, has described some worst-case scenarios that could result from attacks targeting pipeline operators.
“A lot of pipelines have 24-48 hour capacity within the pipelines. If hackers find a way to poison the product, you could have downstream impact for months or more. You could have gas compressors or lift stations where there’s a fire or explosion, and where you have to scramble to cap the ends before the fire spreads out. If it’s an oil rig, it could certainly be tougher to contain,” Singer told SecurityWeek.
“Hackers can cause some intermediate problems at first, but if they have access long enough, there’s a possibility that airports could go down (they often rely on fuel delivered directly) and gas stations could run out of gas. If they’re able to maintain an attack for a couple days, there can be very large downstream impact. We’re mostly out of winter, but if we don’t have power, we’re in need of that heat,” he added.
Back in 2012, the Department of Homeland Security (DHS) warned that malicious actors had been targeting the natural gas industry. While critical infrastructure operators in general have since become more aware of the risks posed by cyberattacks, many organizations are still unprepared.
In the case of the oil and gas industry in the United States, a study commissioned last year by German engineering giant Siemens showed that this sector is largely unprepared to address cybersecurity risks in operational technology (OT) environments.