The recent cyber attack on the EDI (Electronic Data Interchange) service providers of four US gas pipeline firms has cybersecurity professionals more concerned than the incident might, at first, seem to warrant. Dark Reading reported that the attack “disrupted data communication services at four major US interstate gas pipeline companies,” but it didn’t actually take down any operational systems at these organizations. On the surface, the attack looks underwhelming, with little damage suffered and no clear motive, but analysts in the cybersecurity field warn that it should be treated as a serious event.

So why make a fuss over an event that seems relatively inconsequential?

The energy sector is known to operate interdependently. The attack could have been motivated by mere opportunity, but experts advise assuming a defensive position, because it likely represents a major risk that threatens a larger system.

A third-party EDI was targeted in the attack

An EDI relays electronic documents between businesses using standards agreed upon by the partners exchanging them, whether the documents are invoices, purchase orders, or any other electronic form that enables interoperability. There are several standards in use, but two businesses that decide to exchange EDI documents must agree on the same standard and version to interchange documentation effectively. Most businesses use an EDI translator to convert the EDI format into one that other internal applications can use, streamlining the processing of documents and requests from customers. The translator is either software run by the company itself or a service offered by an EDI service provider.

Using an EDI is effective within these interdependent industries. In the case of the recent cyberattacks on US pipeline companies’ data systems, Bloomberg reported that at least three companies confirmed that shutdowns occurred as a result of an attack. Oneok Inc. reportedly shut down its system “as a precaution after determining that a third-party provider was the ‘target of an apparent cyberattack.’”

Latitude Technologies, a unit of Energy Services Group, was identified as a third-party provider to at least two of the pipeline companies. Bloomberg’s coverage indicated that, as of now, Latitude believes that no customer data was compromised in the attack.

The EDI provided by Latitude, an electronic system that helps customers of the pipeline companies communicate with operators, was said to be back up and running by both Energy Transfer and Eastern Shore Natural Gas, customers of the third-party provider, before the attack was noticed.

The attacks targeted the communication network: electronic systems that “[m]any of the 3 million miles of pipelines that spread across America rely on third-party companies for,” as Andy Lee, senior partner at Jones Walker LLP in New Orleans, told Bloomberg. This partnership includes an expectation that those systems be adequately protected from attacks with security measures. Lee says that these third-party communication systems can be targeted because they are “low-hanging” fruit for ransomware attacks.

The Larger Picture

The article goes on to make a greater point about the interconnectivity of these systems. EDI systems aren’t necessarily the ultimate target of these attacks, but merely an entry point to “navigate a network to do something more malicious,” said Jim Guinn, managing director and global cybersecurity leader at the technology consulting company Accenture Plc. “[A]ll bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.” Bloomberg also points out that he said that “there is nothing inherently different about oil and gas EDI systems.”

When we zoom out from these attacks, we see that there is much more going on than a cyber scare that, in this isolated incident, affected the pipeline systems only minimally. Cybersecurity professionals are warning that the incident should be taken seriously because it is clearly a symptom of a greater risk to the energy sector. Coverage of the recent incident seems to be drawing connections to a US government warning about Russian hackers and a possible attack on US energy companies.

Beyond the accusations of foreign actors’ involvement, the attack has industry professionals concerned because they believe the third party could have been targeted as a means of accessing energy companies through the network, which could have more devastating outcomes for US energy systems and critical assets. While the impact on the four companies involved may not be immediately severe, it calls into question the state of security for third-party support in an age of increasing risk and vulnerability to more serious outcomes.
