oil refinery plant

Critical Infrastructure Requires a Stronger Security Standard

Lessons From Colonial Pipeline and Other Attacks on Utilities Organizations

US citizens are feeling the consequences from what is thought to be the largest known cybersecurity  attack on a US fuel pipeline, the Colonial Pipeline, on May 7. The details around the exact attack vector are still unknown. Amid the cut-off, a shortage of fuel in the southern United States resulted in panic buying, inflated prices and even the hashtag #GasShortage2021.

The hackers, who are thought to be linked to a European group called “DarkSide”, used ransomware to hack Colonial Pipeline — a type of malware that locks victims' files until a payment is provided. Triggering a massive government response, the group claimed they “didn’t mean to cause problems.” It says a lot when the sophisticated hackers themselves are unaware of the potential consequences such attacks have on wider society.

A Ripple Effect of Dangerous Consequences

When we think about cyberattacks, we usually think of data breaches. But when these attacks are aimed at critical infrastructure, we see a strong physical impact that ripples and halts normality for large populations. For this reason, utilities and energy businesses as well as state, local and federal governments experience damage that goes far beyond cyberspace. These organizations are particularly vulnerable due to the physical assets that are at stake, and the large populations that depend on their services to resume normal life.

Just days before the Colonial Pipeline attack, a Norwegian energy firm was victim to a ransomware attack that required a shutdown of water and wastewater facilities — impacting 85 percent of the region’s population.

Earlier this year, the Florida Water Treatment Plant was hacked due to a password vulnerability on a dormant software application, which had no multi-factor authentication (MFA) practice in place. Frighteningly, the attack turned to a case of cyber-terrorism as the hacker adjusted dangerous chemical levels in the water. The attack had the very real potential to poison thousands of people.

The rising sophistication of these hackers and the astronomical consequences on the general public demand for changes in security standards and practices. In a call for more regulation, President Biden required an increase in security standards and signed an executive order to improve the nation’s cybersecurity.

Zero Trust Is Not Only for Governments and the Private Sector Should Follow Their Lead

Among Biden’s order, the importance of a Zero Trust architecture was highlighted and as such, federal agencies are now required to develop a plan to implement this. He ordered the elimination of outdated security models and the adoption of security best practices, such as MFA. What’s more, the official statement from the White House urged privately held companies, such as energy and utilities organizations, to follow suit:

… the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.– Official White House statement from May 12, 2021


At HID, we could not agree with this statement more. We have a long history of working with the US federal government in enabling Zero Trust. Ten years ago, the US government deployed HID Personal Identity Verification (PIV) cards to secure the complete lifecycle for authentication and access of federal workers. To this day, this remains the largest deployment of an employer to employee public key infrastructure (PKI)-based MFA solution in the world. However, you don’t need to be as large as the federal government to achieve this level of security. HID makes this technology available and accessible to a wide range of organizations.

Your First Line of Defense Starts With MFA

While still not fully understood, the Colonial Pipeline attack is a stark reminder of the practices that should be in place. Time and time again, the critical need for strong MFA covering every access point is brought to our attention. At this time, it is impossible to say whether MFA could have prevented the Colonial Pipeline attack, but as attack methods continue to evolve and become more complex, the ways that users authenticate within organizations also need to evolve.

While a Zero Trust environment is at the core, it should be fortified with MFA everywhere — not just for certain systems, applications or users. It’s crystal clear that passwords alone are not enough to safeguard a business, especially those with ties to critical infrastructure. Instead, utilities organizations must deploy MFA solutions that replace passwords and provide a wide breadth of advanced, adaptable authentication options to close every gap.

Getting Started With MFA and Zero Trust

The point of MFA is to add multiple, additional factors to ensure that users are who they say they are. Basic MFA could include something you know, such as a password, and something you have or are, such as one-time verification code or a biometric, and be powered by software limited in additional capabilities or security options. This is not enough when protecting organizations with critical infrastructure. Instead, implement advanced MFA built for your high-risk environment while meeting best practices and strengthening the walls to your organization:

  1. Select the right methods and authenticators for your own needs. In critical environments, using MFA that requires a password as your first authenticator is not viable. Instead, advanced MFA software gives you the option to use a diverse range of factors including biometrics, such as a fingerprint or facial recognition, with something you know or have  such as a high-assurance smart card or security key. For increased protection, use MFA software that takes advantage of additional capabilities like step-up authentication, that can detect additional security factors such as location, and adjust required authentication as necessary.
  2. Utilize security standards and protocols. The good news is that security technologies are continuously advancing, but it’s imperative to ensure that your MFA software and devices support these technologies and will continue to do so. At HID, protocols such as OATH, FIDO and PKI certificate-based authentication, which is used by the US federal government, are made available to any business.
  3. Make MFA easy for your employees, but not for potential hackers. It's not uncommon for hackers to gain access through vulnerabilities of an organization’s own employees. Therefore, it’s important to make MFA an easy experience so that your employees can seamlessly comply and correctly authenticate. Deploy MFA that is convenient for both users and administrators to create a pain-free, risk-free experience that doesn’t get in the way of your security.
  4. Manage the whole authentication ecosystem. Enhance your MFA with a supporting, complete solution that manages your credentials and digital identities. Leveraging advanced software to power MFA is something, but what about what happens to your devices and credentials throughout their lifecycle full of potential vulnerabilities? Manage them from end-to-end to achieve complete visibility using a unified platform.

In the wake of these cyberattacks and their devastating effects, it’s time to fortify our utilities from the inside out and accelerate towards an industry built on Zero Trust and advanced authentication.

Learn more on how to shift your authentication strategy to a Zero Trust model in our eBook: The Journey to Passwordless.

Learn more about HID solutions for utilities and federal governments.

Jillian Belles is the IAM Director of Strategic Sales for HID Global, the leader in trusted identities. Jillian has been in the IT and securities industry for 24 years, specializing in providing subject matter expertise to high-compliance verticals like state and local government, higher education, energy, and utilities industries.