In the weeks before Colonial Pipeline said it was hit by a ransomware attack, the Alpharetta-based company was trying to fill two security leadership positions.
One was for a director of risk management. The other: manager of cybersecurity.
Georgia Tech’s dean of engineering said he isn’t surprised that Colonial had the openings.
“There is a significant shortage of cybersecurity professionals that understand energy,” said Raheem Beyah, who is also an electrical and computer engineering professor.
He said he wouldn’t be surprised if 50% of the companies in metro Atlanta and elsewhere face a similar situation. “We have been raising red flags and alarms for years.”
Colonial, a private company that normally delivers 45% of the fuel consumed on the East Coast, shut down its major pipelines last Friday, sparking a rush of consumer demand, soaring prices and gasoline outages at many pumps in Georgia and other states.
A Colonial spokesman said in an email this week that the company’s open security positions are “part of our longer-term strategy around talent.”
Asked whether the unfilled positions had any impact on the company’s vulnerability or response to the cyberattack, he wrote, “Our investigation into the nature and scope of the ransomware attack continues to be ongoing — but suggesting that it could have been prevented by one position would be inaccurate.”
Georgia Tech’s Beyah cautioned against drawing conclusions based on Colonial’s staff openings. Various other factors contribute to the resiliency of corporate technology systems, such as whether networks are in good shape and whether enough is spent to keep them robust, he said. “In general, if you’ve got more people, that might translate into more secure infrastructure.”
Cybersecurity positions are in high demand in much of the nation, according to people in the industry and the U.S. Department of Labor. At the same time, federal officials have repeatedly warned about growing risks posed by not only ransomware in general but cyberattacks that could threaten critical infrastructure.
The public hears most often about hacking that involves stealing customer personal data or corporate secrets. But there is concern that attackers could ultimately take control of automated equipment and facility operations at manufacturing plans, pipelines, transit systems and other locations. Those attacks eventually might pose a danger to workers or people in surrounding communities.
It “is only going to get worse,” said Beyah. He warns that the drive to have remote control has left businesses vulnerable, with little or no monitoring of operational technology systems and a false belief that the systems are completely walled off from intrusion.
A few years ago, one of Beyah’s then-graduate students simulated the takeover of a water system, locked out the legitimate operators and poisoned the water.
And in February, Hackers got into the control system for a small drinking water treatment plant near Tampa and sharply increased the amount of lye being added to the water. Plant workers caught the problem before it could cause harm to the system or people.
Both this year and last year, the National Security Agency warned about cybersecurity risks for operators of critical infrastructure, including the defense industry. And recently the U.S. Department of Energy launched an initiative to increase cyber protections at electric utilities.
There are federal cybersecurity mandates for electricity providers, but only voluntary guidelines for major pipelines. The Transportation Security Administration, which has had oversight of hazardous liquid and natural gas pipeline systems, had just six staffers assigned to pipeline security in 2018. Now, it has 34, according to a spokesperson. TSA will continue to seek ways to mitigate risk in the wake of the Colonial attack, the spokesperson said.
But, at the Federal Energy Regulatory Commission, some commissioners have stepped up previous calls to mandate cybersecurity measures for pipeline operators.
On Colonial’s website, the open job for manager of cybersecurity, posted more than a month ago, calls for a person “accountable for managing a team of cyber security certified subject matter experts and specialists” and able to lead development of cybersecurity strategy as well as “recovery from security incidents.” The manager would also guide “forensics of incidents.”
The open position of director of risk management is responsible for “processes necessary to identify, evaluate, mitigate and monitor the company’s operational and strategic risk” and ensure alignment with safety management and business continuity systems.
More than a month ago, Colonial posted an opening for a manager to lead staff who develop and maintain the company’s system to remotely control and monitor its more than 5,500 miles of pipelines. The network normally carries 100 million gallons a day of gasoline, diesel, jet fuel and home heating oil and fuels for the U.S. military.
There generally are enough people available nationally to fill entry-level cybersecurity jobs in business, but local and state governments face a harder time, said Patrick Gaul, the executive director of the National Technology Security Coalition. And there’s a shortage across the board for professionals with more certifications and six or seven years of experience, he said.
Amy Knoell said she knows the challenges.
“It’s a constant battle,” said Knoell, who is based in metro Atlanta and directs cybersecurity staffing for CyberSN.com, a recruiting firm.
“Of course it increases vulnerability,” she said.
She concentrates her efforts in the Northeast. Her firm does little work currently in Atlanta, largely because the local pay for experienced cybersecurity professionals is too low, she said. Getting corporate buy-in to increase budgets is tough, until there’s a security incident, she said. “Rather than being proactive, they are reactive.”
There are programs to train more people. Georgia Tech, for example, recently launched an online master’s degree program in cybersecurity.