A ransomware attack forced the Colonial Pipeline company to shut down operations on Friday, May 7, impacting fuel distribution along the East Coast. The pipeline, which spans over 5,500 miles from Houston, Texas to New York Harbor, New York, is the largest refined products pipeline in the country and provides 45% of the East Coast’s supply of diesel, petrol, and jet fuel.
According to industry experts, the incident was “the largest impact on the energy system in the United States (US) we’ve seen from a cyberattack.” The attack resulted in major fuel distribution shortages across the region that the Colonial pipeline serves, which led to 17 states declaring states of emergency relative to the shortages. The travel app GasBuddy reported the impact of the shutdown is particularly acute in Southeastern states, which have limited options for alternate supply. On the afternoon of Wednesday, May 12, the states with the most severe fuel outages at gas stations were North Carolina at 69 percent, followed by Virginia at 52 percent, South Carolina at 48 percent, and Georgia at 46 percent.
That same afternoon, Colonial Pipeline announced that they had restarted pipeline operations, though some markets may continue to experience intermittent disruptions as service returns to normal levels. In the meantime, states must continue to manage the pipeline disruption by identifying alternative sources of fuel, relying on stored reserves, and implementing fuel shortage plans to prioritize the allocation of available supplies until full service is restored.
To help address the impacts of the Colonial outage, the US Department of Transportation (DOT) Federal Motor Carrier Safety Administration (FMCSA) also declared a regional emergency, which included a temporary hours-of-service exemption for tankers to allow for greater flexibility in the transportation of oil and natural gas and to help ensure that affected regions can still get access to petroleum products.
The outages occurred as a result of a criminal cyber group targeting Colonial Pipeline with a ransomware attack (formally attributed by the Federal Bureau of Investigation (FBI) to a ransomware variant known as DarkSide). Ransomware is a form of malware that infects and restricts access to computers and data until or unless the targeted organization pays the attacker a ransom. Ransomware groups are increasingly targeting lifeline infrastructure in the hopes that the infrastructure owners will have greater incentives to pay the ransom due to the criticality of their systems. The healthcare sector was a major ransomware target during the height of the COVID-19 pandemic for similar reasons.
Ransomware attacks have proven increasingly lucrative for criminal hacking groups. The average payment by the victims of such attacks jumped 171 percent in 2020, to over $300,000, and the highest ransom paid (on record) was $10,000,000. This has spurred significant industry and government efforts to address ransomware challenges. The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), for example, launched a campaign focused on addressing the threats and challenges posed by ransomware, and the Department of Justice (DOJ) has created a Ransomware and Digital Extortion Task Force to combat ransomware threats.
Colonial Pipeline reported that the ransomware attack impacted their corporate information technology (IT) networks, and the company chose to shut down pipeline operations as a precautionary measure; however, the attack does not appear to have impacted Colonial’s operational technology (OT) systems — systems that operators use to remotely control pipeline assets. Had the attackers gained a foothold in OT systems, they could have caused a more prolonged outage, or potentially physical damage to the pipeline system, that would have led to significant and enduring petroleum shortages in the region.
Despite the regional impacts of the attack, when nation-state or criminal adversaries carry out cyberattacks against private sector targets, the impacted companies have primary responsibility to address the ramifications of the attack to their assets and operations. In a press briefing on May 10, the White House emphasized that “Colonial is responsible for safely returning the pipeline to service. … When [critical infrastructure] companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses to improve the cybersecurity of our critical infrastructure.”
However, federal, state, and local governments can play important roles in supporting both the impacted entities and communities they serve. The Federal Emergency Management Agency (FEMA) updated the National Response Framework (NRF) and created Emergency Support Function #14 – Cross-Sector Business and Infrastructure with these types of incidents and responses in mind.
With support from a third-party cybersecurity provider, Colonial Pipeline was able to restore impacted IT systems and confidently restart its OT systems to resume pipeline operations. The company also worked with the White House, the Department of Energy, CISA, DOT, the Federal Bureau of Investigation, the Federal Energy Regulatory Commission, and other federal, state and local agencies in a whole-of-government response to the cyberattack and the resulting impacts. This response can serve as a model for future, and potentially more severe, cyberattacks to come.
The Colonial Pipeline attack will likely be a major wake-up call for the oil and natural gas (ONG) sector, but it is not the first indication that the sector is vulnerable to ransomware attacks. In February 2020, a ransomware attack impacted a US natural gas operator’s IT systems, pivoted to OT systems, and disrupted operations for two days. In addition to ransomware attacks, concerns exist about ONG sector cybersecurity more broadly.
In 2019, for example, the Director of National Intelligence testified that nation-state adversaries had the cyber capabilities to disrupt natural gas pipelines for “days to weeks.” The US Department of Energy (DOE) Lawrence Livermore National Laboratory (LLNL) released an assessment of ONG sector cybersecurity in 2020 that identified the need for a “coherent, comprehensive, multi-layered strategy for assuring the security and resilience of the nation’s pipeline infrastructure against cyber threats.”
Industry and government stakeholders in the ONG sector emphasize the importance of cybersecurity. Industry associations such as the ONG Subsector Coordinating Council, American Petroleum Institute, and ONG Information Sharing and Analysis Center all highlight cybersecurity as a critical issue for their members. The Transportation Security Administration (TSA), which has regulatory authority for security of the nation’s pipelines, has developed a set of Pipeline Cybersecurity Guidelines for the industry.
However, unlike its energy sector counterparts in the electricity industry, the TSA relies on voluntary compliance with its security guidance, and there are no mandatory cybersecurity standards for ONG companies. As a result, the level of cyber preparedness among those companies varies by organization.
And while the Colonial Pipeline attack was carried out by a sophisticated criminal group, the attack was seemingly financially motivated and not intended to maximize impacts to US public health and safety, the economy, or national security. To achieve the cyber resilience necessary to safeguard essential services and functions in the future, the ONG sector will need to ready itself against the potential for even more malicious cyberattacks from nation-state adversaries.
This article was written by
Rob Denaburg is a Senior Managing Associate in Hagerty’s Preparedness Division. Rob serves as a lead in Hagerty’s Critical Infrastructure Preparedness work, with a focus on energy. Rob has worked with public and private sector clients to minimize the societal, economic, and national security impacts of infrastructure outages and build resilience against severe natural and manmade hazards.
Ashley Wargo is a Senior Managing Associate in the Preparedness Division out of Hagerty’s Austin, TX office. Ashley serves as the firm’s lead for energy preparedness, working with clients at local, state, and national levels to enhance preparedness efforts through planning, training, exercise, and operations analysis. She works with clients to gather actionable information that can be used to formulate and prioritize improvement actions to enhance response efficiency and service delivery to municipalities and customers.
Molly Harris is an Associate at Hagerty who works within the Situational Status (Sit Stat) and Operations Teams.
Rachael Chambers is an Associate at Hagerty who works within the Sit Stat and Operations Teams.