Arkansas Democrat-Gazette

Major fuel pipeline shut after ransomware attack

- COMPILED BY DEMOCRAT-GAZETTE STAFF FROM WIRE REPORTS

WASHINGTON — The operator of a pipeline system that transports fuel across the East Coast said Saturday that it had been hit by a ransomware attack and had halted all pipeline operations to deal with the threat.

Colonial Pipeline did not say what was demanded or who made the demand — just that it learned Friday that it “was the victim of a cybersecurity attack” and that it determined the “incident involves ransomware.”

Such attacks are often carried out by criminal hackers who seize data and demand large payments to release it.

Experts say the pipeline attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown.

The Colonial pipeline system “is an irreplaceable, vital jugular for fuel supply to the East Coast,” said Bob McNally, founder of Rapidan Energy Group. “It’s the major artery, and there are no real other good options to replace it.”

Just days earlier, a former top cyber official with the Department of Homeland Security, Christopher Krebs, had told Congress that the overall ransomware emergency is a “digital dumpster fire.”

“To put it simply, we are on the cusp of a global digital pandemic driven by greed,” Krebs testified Wednesday.

The attack on Colonial, which says it delivers roughly 45% of the fuel consumed on the East Coast, underscores the vulnerabilities of critical infrastructure to cyberattacks.

Such attacks present a new challenge for a U.S. administration still dealing with its response to big hacks from months ago, including a breach of government agencies and corporations for which the U.S. sanctioned Russia last month.

In this case, Colonial Pipeline said the attack affected some of its information technology systems and that the company moved proactively to take certain systems offline, halting pipeline operations. In an earlier statement, it said it was “taking steps to understand and resolve this issue” with an eye toward returning to normal operations.

Owned by several U.S. and foreign companies and investment firms, including Koch Industries and Royal Dutch Shell, the Alpharetta, Ga.-based company transports gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its system spans more than 5,500 miles, transporting more than 100 million gallons a day.

The White House said President Joe Biden was briefed Saturday morning, and the federal government was working with the company to assess the implications of the attack, restore operations and avoid supply disruptions. The government is planning for various scenarios, and working with state and local authorities on measures to mitigate any potential supply problems.

The private cybersecurity firm FireEye said it’s been hired to manage the incident response investigation.

THE STAKES

Oil analyst Andy Lipow said the impact on fuel supplies and prices depends on how long the pipeline is down. An outage of a day or two would be minimal, he said, but an outage of five or six days could cause shortages and price increases, particularly in an area stretching from central Alabama to the Washington, D.C., region.

Lipow said a key concern about a lengthy delay would be the supply of jet fuel needed to keep airports operating, like those in Atlanta and Charlotte, N.C.

Robert Lee, a leading expert in industrial control systems and CEO of the cybersecurity firm Dragos, said systems such as those that directly manage the pipeline’s operation have been increasingly connected to computer networks in the past decade.

But critical infrastructure companies in the energy and electricity industries also tend to have invested more in cybersecurity than other sectors. If Colonial’s shutdown was mostly precautionary — and it detected the ransomware attack early and was well-prepared — the impact may not be great, Lee said.

On the other hand, “the downtime for industrial companies can cost millions,” he said.

U.S. officials and experts in industrial control security said such attacks are more common than publicly known and that most do not get reported.

“There are absolutely cases in industrial operations where ransomware impacts operations,” but often the stories don’t hit the news, Lee said. “There are lots of industrial control companies that are battling ransomware around the United States.”

Carrying off a ransomware attack does not require great technical sophistication, said Allan Liska, intelligence analyst at the cyberthreat research firm Recorded Future. In the world of criminal operations, some crews specialize in gaining access and others pay for that access and then lock up the data, he said.

“The last few years have been incredibly busy” because of the proliferation of vulnerabilities in firewalls, and virtual private networks have allowed ransomware criminals to gain access to networks on an unprecedented scale, Lee said.

While there have long been fears about U.S. adversaries disrupting American energy suppliers, ransomware attacks by criminal syndicates are much more common and have been soaring lately. The Justice Department has a new task force dedicated to countering attacks.

This attack “underscores the threat that ransomware poses to organizations regardless of size or sector,” said Eric Goldstein, executive assistant director of the cybersecurity division at the federal Cybersecurity Infrastructure and Security Agency.

“We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” Goldstein said in a statement.

HOW IT WORKS

Ransomware scrambles a victim organization’s data with encryption. The criminals leave instructions on infected computers for how to negotiate ransom payments and, once paid, provide software decryption keys.

The attacks, mostly by criminal syndicates operating out of Russia and other safe havens, reached epidemic proportions last year, costing hospitals, medical researchers, private businesses, state and local governments, and schools tens of billions of dollars.

Biden administration officials are warning of a national security threat, especially after criminals began stealing data before scrambling victim networks and saying they would expose it online unless a ransom was paid.

Average ransoms paid in the United States jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.

U.S. law enforcement officials say some of these criminals have worked with Russia’s security services and that the Kremlin benefits by damaging adversaries’ economies. These operations also potentially provide cover for intelligence-gathering.

“Ransomware is the most common disruptive event that organizations are seeing right now that would cause them to shut down to prevent the spread,” said Dave White, president of cybersecurity firm Axio.

Experts say the rise of automated attack tools and cryptocurrencies, which make it harder to trace perpetrators, has exacerbated the attacks.

“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay,” said Ulf Lindqvist, a director at SRI International, who specializes in threats to industrial systems.

“We are talking about the risk of injury or death, not just losing your email,” he said.

SOPHISTICATED ATTACK

Mike Chapple, teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business and a former computer scientist with the National Security Agency, said systems that control pipelines should not be connected to the internet and be vulnerable to intrusions.

“The attacks were extremely sophisticated, and they were able to defeat some pretty sophisticated security controls, or the right degree of security controls weren’t in place,” Chapple said.

Brian Bethune, a professor of applied economics at Boston College, said the impact on consumer prices should be short-lived as long as the shutdown does not last more than a week or two. “But it is an indication of how vulnerable our infrastructure is to these kinds of cyberattacks,” he said.

Bethune noted that the shutdown is occurring at a time when energy prices have already been rising with the economy reopening further as pandemic restrictions are lifted. According to the AAA auto club, the national average for a gallon of regular gasoline has increased by 4 cents since Monday to $2.94.

“It’s a serious issue,” said Tom Kloza, global head of energy analysis at Oil Price Information Service. Closing the pipeline “could snarl things up because it is the country’s jugular aorta for moving fuel from the Gulf Coast up to New York.”

Anne Neuberger, the Biden administration’s deputy national security adviser for cybersecurity and emerging technology, said last month that the government was undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks. She said the goal was to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block malicious cyberactivity.

Since then, the White House has announced a 100-day initiative aimed at protecting the country’s electricity system from cyberattacks by encouraging owners and operators of power plants and electric utilities to improve their capabilities for identifying cyberthreats to their networks. It includes concrete milestones for them to put technologies into use so they can spot and respond to intrusions in real time.

Information for this article was contributed by Alan Suderman, Eric Tucker, Frank Bajak, Martin Crutsinger and Michael Balsamo of The Associated Press; by David E. Sanger, Clifford Krauss and Nicole Perlroth of The New York Times; and by Ellen Nakashima, Yeganeh Torbati and Will Englund of The Washington Post.

(AP file photo) A segment of the Colonial Pipeline is shown in Helena, Ala., in September 2016. Bob McNally, founder of Rapidan Energy Group, said the Colonial pipeline system “is an irreplaceable, vital jugular for fuel supply to the East Coast.”
