US Pipeline Suffers Cyberattack, Shuts Down
Last week, the largest U.S. refined products pipeline system, Colonial Pipeline (Alpharetta, Georgia), shut down all its operations after experiencing a ransomware attack.
The major pipeline system stretches 5,500 miles between Texas and New Jersey and is reported to deliver roughly 45% of the gasoline, diesel, jet fuel and home heating oil consumed on the East Coast.
What We Know
On Friday (May 7), Colonial Pipeline reported that it was the victim of a ransomware attack on its corporate computer systems. Slightly different from an average cyberattack, ransomware attacks are usually conducted by criminal hackers who scramble data with encryption and paralyze victim networks. The hackers typically leave instructions on the infected computers and/or demand a large ransom payment in exchange for decryption keys.
However, Colonial Pipeline has not reported on what was demanded of the company.
Anne Neuberger, the Biden administration’s deputy national security adviser for cybersecurity and emerging technology, said, “We recognize that victims of cyberattacks often face a very difficult situation, and they have to balance the cost-benefit when they have no choice with regard to paying a ransom. Colonial is a private company, and we’ll defer any information regarding their decision on paying a ransom to them.”
A criminal gang known as DarkSide, likely based in Eastern Europe, is responsible for the hack that shut down the largest U.S. fuel pipeline, the FBI said. (Posted by The Wall Street Journal on Monday, May 10, 2021)
Since the attack, private cybersecurity firm FireEye/Mandiant has been hired to manage the incident response investigation. The Federal Bureau of Investigation has already confirmed that the DarkSide ransomware group was responsible for the attack. The FBI believes the hackers are part of a criminal gang with Eastern European and possibly Russian ties.
Cybersecurity technology company Cybereason has also weighed in with information about DarkSide, noting that the group is relatively new but has previously targeted domain controllers and uses double extortion methods, meaning that it encrypts the target’s data while also exfiltrating that data and threatening to make it public.
As a result of the incident, Colonial Pipeline reported that some of its company information and technology systems were affected. In a statement, the company noted that once it realized what was happening, it proactively took certain systems offline and halted its pipeline operations, which transport more than 100 million gallons a day.
Colonial Pipeline is currently taking steps to understand and resolve the issue with intentions to return to normal business operations by the end of the week.
On the morning following the attack, the White House reported that President Joe Biden was briefed on the incident and that federal government agencies ranging from the Department of Energy to the Transportation Security Administration would also be working with Colonial Pipeline and the Cybersecurity and Infrastructure Security Agency to assess the implications of the attack, restore operations and avoid disruptions to the supply.
At the briefing, White House Homeland Security adviser Elizabeth Sherwood-Randall reported that the Department of Energy was communicating with state and local agencies to assess fuel supplies and other impacts from the shutdown.
“There are no supply disruptions and the [DOE] is doing the analysis right now about potential supply disruption,” Sherwood-Randall said. “We’re working with other agencies to consider how, if necessary, we can move supplies to a place where it might be needed if it turns out that there is a shortfall.”
The DOE has also advised representatives of the oil, natural gas and electric industries to share details about ransomware attacks and has recommended measures to mitigate further incidents.
In additional efforts to help mitigate any potential supply issues, the Biden administration issued an emergency waiver extending hours for truck drivers delivering fuel across 17 states, including several across the southeastern U.S. that depend on the pipeline for fuel. According to additional reports, the government is also planning to run through various scenarios and work in conjunction with state and local authorities.
Suzanne Lemieux, manager of operations security and emergency response policy at the American Petroleum Institute, reported that API is also monitoring the situation closely and said that cybersecurity is a top priority for the industry.
By Sunday, Colonial Pipeline was reported to have restored some smaller, lateral lines between terminals and delivery points. On Monday, the company resumed limited shipments, delivering fuel from North Carolina to a terminal in Maryland under manual controls while existing inventory is available.
The efforts are just small steps in restarting the main pipeline from Houston’s refineries to the East Coast, which it plans to do through a phased restart.
“We continue to evaluate product inventory in storage tanks at our facilities and others along our system and are working with our shippers to move this product to terminals for local delivery,” Colonial Pipeline said in a statement.
However, CEO Joseph Blount told state officials in a private meeting that supply shortages could occur even as the company seeks to restart the pipeline by the end of the week, which can happen only after the ransomware that infected Colonial Pipeline’s IT systems has been removed.
President Biden has since added that the government is “prepared to take additional steps depending on how quickly the company is able to bring [the] pipeline back to full operational capacity.”
Potential Fuel Disruption
Regarding potential fuel shortages should the pipeline’s restart take longer than expected, oil analyst Andy Lipow told The Associated Press that the attack’s impact on fuel supplies and prices will depend solely on how long the pipeline is out of service. While the effect of an outage of one or two days would be minimal, an outage lasting five or six days could cause shortages and price hikes, particularly in the areas that rely on that fuel for consumption.
Lipow added that a major concern with a lengthier delay would be jet fuel supplies, citing major airports on the East Coast such as the ones in Atlanta and Charlotte, North Carolina.
Traders are braced for a gasoline price surge as the largest U.S. fuel pipeline remains shut down following a ransomware cyberattack. (Posted by The Wall Street Journal on Monday, May 10, 2021)
According to the AAA auto club, the national average for a gallon of regular gasoline has increased by 4 cents since Monday to $2.94. In New York, gasoline futures increased 0.3% to $2.13 a gallon, after advancing as much as 4.2% in overnight trading. However, spot prices in affected states like Mississippi, Tennessee, Georgia and Delaware, among others, could continue to increase, by as much as three to seven cents a gallon by the end of this week.
Tom Kloza, global head of energy analysis for Oil Price Information Service (OPIS), an IHS Markit company, added that other southeastern states from Alabama to Maryland could experience sporadic outages and a scramble for fuel supplies later this week as well.
The Wall Street Journal also reported that gasoline futures prices have surged and are up more than 50% in 2021.
On a lighter note, Brian Bethune, a professor of applied economics at Boston College, told reporters that even if consumer prices were negatively impacted in the wake of a shortage, the hike would be short-lived so long as the shutdown didn’t last longer than a week or two.
Call for Increased Cyber Security
While the attack on Colonial Pipeline is the latest in a series of infrastructure cyberattacks, earlier this year a water treatment plant in Oldsmar, Florida, reported that a hacker had breached its computer networks and changed the level of sodium hydroxide from 100 parts per million to 11,000 parts per million.
Sodium hydroxide—also known as lye—is commonly used at water treatment plants to control the acidity of drinking water and remove metals. However, too much of the chemical can make the water dangerous to drink.
After it appeared that the hacker had left the system, the operator immediately returned the sodium hydroxide to the previous level, ensuring that no harm would come to the public or the drinking water. However, to put local residents at ease, Pinellas County Sheriff Bob Gualtieri noted that even if the operator hadn’t been present, the issue would have been caught during a secondary chemical check when the water is moved to holding tanks.
Since the incident, Oldsmar local authorities alongside the Federal Bureau of Investigation and the U.S. Secret Service have been investigating the hack. In February, investigators were unsure whether the hacker was located within the U.S. or somewhere outside of the country.
In the past year, American cybersecurity firm Mandiant told Bloomberg that hacker attacks against industrial systems have increased, with hackers mostly engaging in limited-impact operations. Other experts have pointed out that industrial control systems have become more of a target since they have become more interconnected within the OT environment and increasingly connected to the IT environment as well.
The increase in vulnerability is also attributed to the shift of operations to more remote environments in the wake of the ongoing coronavirus pandemic.
To mitigate these issues, President Biden has already spoken about increasing cybersecurity. Since the start of the year, the Department of Homeland Security has already issued 25 advisories listing various industrial control systems that could be vulnerable to hacking.
By April, Neuberger told reporters that the government was undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks. The goal is to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyber activity.
Following that announcement, the White House has since launched a 100-day initiative aimed at protecting the country’s electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyber threats to their networks.
While additional measures are being taken, other industry leaders have reported that they’re disappointed, though not surprised, by the uptick in attacks.
“The systemically important critical infrastructure entities, and their most vital systems and assets, are pressure points in our grid, and targets for both nation state adversaries and criminal actors, allowing them to scale up the effects of cyber campaigns and the risk they can pose to the United States in peacetime and in crisis,” Cyberspace Solarium Commission (CSC) co-chairs Sen. Angus King (I-Maine) and Rep. Michael Gallagher (R-Wisconsin) said in a joint statement.
On the technical side of things, Mark Montgomery, senior fellow at the Foundation for Defense of Democracies and senior advisor to the Cyberspace Solarium Commission said via email, “This is the sort of issue that concerns us in all these infrastructure systems that have undergone significant automation over the past two decades. If the cybersecurity effort does not keep pace, you can have vulnerabilities in your IT, or your OT, or both.”