Hacking the Internet of Energy - Onurcan Mısır

Last week, one of the biggest gasoline and jet fuel pipelines in the US was forced to shut down due to a cyber attack. The attack on Colonial Pipeline is currently seen as one of the most significant ransomware attacks on critical infrastructure, for it forced the operator to close almost 5,500 miles of pipeline providing about 45% of Eastern states' gasoline supplies, creating major disruptions in the supply line and panic among customers. The attackers proved successful, as Colonial Pipeline agreed to make a ransom payment worth $5m in an effort to prevent further damage. Now that the imminent danger is gone, the companies are expected to come up with solutions that will fix the vulnerabilities. To understand the possible solutions, one has to examine the nature of the internet, to which many countries' energy infrastructure is connected today.

The internet of energy connects the energy industry to the worlds of digitization, optimization, reliability, and scalability, opening up vast opportunities for more easily controllable and beneficial energy governance. Our energy sources and transportation depend on many different parts that have to work simultaneously, such as resource-extraction facilities, refineries, interconnectors, pipelines, and, in the latest case, gas stations. Connecting and overseeing all of these facilities, which have thousands of workers and customers as a whole, is a long and exhausting process when it is conducted manually.

Engineers, workers, and accountants at all levels have to measure things carefully and report clearly to the central facility so that energy transportation can continue without problems. With the creation of the internet, and more specifically 'The Internet of Things' as an idea, these processes that involve systems on a large scale are becoming easier and cheaper to govern. Instead of overseeing the economy and status of facilities part by part, one can oversee and control all flows at a glance by using the internet to connect them. These connected, intelligent energy devices collect a massive amount of data, revealing trends and insights that help drive the power generation, distribution, and consumption cycle. Thus, the distribution of power is now more a matter of generating and storing big data than of the power sources themselves.

This situation, which seems to bring huge benefits to the energy sector, may also be its biggest vulnerability, as demonstrated by last week's events. Colonial Pipeline's style of operation is an example of the digital governance explained above: the important devices that enable the transportation of gasoline are interconnected, and they are all connected to a central system that oversees all actions. Even though it is hard to get into the interconnected devices that handle transportation, the administrative staff, such as important engineers, accountants, and office workers, have significant access to the data gathered by production and transportation devices. Since they are the ones who make the decisions centrally, a breach of their computers might mean that the whole system is under attack.

It is clear that it would not be wise to go back to the pre-internet era, in which all systems were operated manually, for the internet brings a lot of benefits. However, it is also clear that the damage caused by such an attack on the digital system can reach amounts that far outweigh the benefits brought by the digital system. The vulnerabilities are clearly not about firewalls, defense systems, etc. However strong a system a company builds, some decisions will have to be taken, and the risk that these decisions will be compromised will not disappear in a digital world. Instead, companies must, and most probably will, strive to make decision-making processes more decentralized, for the decentralized parts of the system are less likely to fall victim to ransomware. The system, in general, must be established in such a way that even if one device or facility is damaged, the rest continues operating. This can only happen if not all decisions are made by those at the top, and if the decisions they do make are transmitted by manual methods rather than over the internet.

In short, since preventing such attacks is an almost impossible effort, the best course of action would be to prevent the system from falling apart even if an attack occurs. Thus, instead of focusing on and spending huge amounts of money on establishing cybersecurity measures, the government and companies should invest in decentralizing decision-making processes. Properly functioning systems management under such decentralization will prevent such attacks and make them futile and unprofitable for attackers.