The Environmental Protection Agency issued a weeklong emergency fuel regulatory waiver today as gas demand spiked in East Coast states served by the Colonial Pipeline, the artery shut down after a ransomware attack. The company said it is “executing a plan that involves an incremental process that will facilitate a return to service in a phased approach.”
Colonial Pipeline reported Saturday that it had been the victim of a cyber attack on Friday. “In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” the company said, which is now using FireEye to investigate the incident.
On Sunday evening, Colonial said the company had “taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline,” and mainlines remained offline while some smaller lateral lines between terminals and delivery points were operational. Mid-Monday, the company said in an update that “restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time.”
Gas demand jumped 20 percent Monday on the news, with demand up 40.1 percent in Georgia, Florida, South Carolina, North Carolina and Virginia — states served by the pipeline — according to GasBuddy. On Monday evening, Colonial said it was “continuing to work in partnership with third-party cybersecurity experts, law enforcement, and other federal agencies to restore pipeline operations quickly and safely.” A main line running from Greensboro, N.C., to Woodbine, Md., was “operating under manual control for a limited period of time while existing inventory is available.”
Today EPA waived the federal Reid vapor pressure requirements for fuel sold in reformulated gasoline areas of the District of Columbia, Maryland, Pennsylvania, and Virginia to help facilitate the gas supply. Administrator Michael Regan “determined that extreme and unusual fuel supply circumstances exist,” the agency said.
President Biden said Monday that his administration was “tracking extremely carefully” the ransomware attack, with the Department of Energy the lead agency working directly with Colonial to get the pipelines back online. The FBI is investigating the attack, and the Department of Transportation earlier issued an emergency order to loosen restrictions on truck drivers transporting fuel.
“We’re prepared to take additional steps depending on how quickly the company is able to bring its pipeline back to full operational capacity,” Biden said, promising that the administration “will be pursuing a global effort” to target perpetrators of ransomware attacks “by transnational criminals who often use global money laundering networks to carry them out.”
“Private entities are making their own determination on cybersecurity so to jump-start greater private-sector investment in cybersecurity we launched a new public private initiative in April. It begins with a hundred-day sprint to improve cybersecurity in the electric sector,” he said. “And we’ll follow that with similar initiatives in natural gas pipelines, water, and other sectors. In addition to companies stepping up, we need to invest to safeguard our critical infrastructure.”
In an update issued by the White House this morning, White House press secretary Jen Psaki said Biden “continues to be regularly briefed on the Colonial Pipeline incident.”
“The administration is continually assessing the impact of this ongoing incident on fuel supply for the East Coast. We are monitoring supply shortages in parts of the Southeast and are evaluating every action the administration can take to mitigate the impact as much as possible,” Psaki said. “The president has directed agencies across the federal government to bring their resources to bear to help alleviate shortages where they may occur.”
Deputy National Security Advisor Liz Sherwood-Randall told reporters at Monday’s White House press briefing that soon after learning of the pipeline shutdown Friday night the White House convened an interagency team that included DOE, DHS’ Cybersecurity and Infrastructure Security Agency, FBI, the DoT’s Pipeline Safety and Hazardous Materials Safety Administration, the Treasury Department, the Defense Department and other agencies. DOE’s Energy Information Agency has been in contact with state and local agencies to assess current supply and impacts due to the shutdown. DOE also convened oil and natural gas and electricity sector utility partners to share details about the ransomware attack and mitigation strategies.
Sherwood-Randall said CISA “is preparing a release to go to the broader critical infrastructure community to ensure it has visibility into the ransomware attack, and it’s taking appropriate measures to protect its networks.”
“Colonial is responsible for safely returning the pipeline to service, and our role in the federal government is to take proactive steps to analyze the impacts of the shutdown on the delivery of gasoline, diesel and aviation fuel in states that are dependent on the pipeline and to identify federal options for alleviating supply shortfalls should they develop,” she added. “…This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private-sector companies. When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses.”
Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said Colonial so far had “not asked for cyber support for the federal government, but we remain available to meet their cybersecurity needs.”
The FBI released an alert to stakeholders noting indicators of compromise and mitigation measures once infected. Neuberger said the FBI identified the ransomware as the DarkSide variant, which has been under investigation since October.
Intelligence firm Intel 471 said that “while spotted in the wild as far back as August 2020, DarkSide’s developer ‘debuted’ the ransomware on the popular Russian-language hacker forum XSS in November 2020, advertising that he was looking for partners in an attempt to adopt an affiliate ‘as-a-service’ model.”
On Monday, Intel 471 said, DarkSide operators posted an announcement “that they will introduce ‘moderation’ in the future by carefully checking each company DarkSide affiliates want to encrypt ‘to avoid social consequences in the future.’ Operators also claimed that the group is strictly motivated by money, and not affiliated with any government apparatus.”
Neuberger noted the profit-sharing aspect between criminal affiliates conducting attacks and the ransomware developers.
“The government is convening stakeholders more broadly to ensure everybody has the information needed to protect themselves and to rapidly share information,” she said, noting the critical role of the Information Sharing and Analysis Centers (ISACs) in partnership with the federal government.
Neuberger stressed that the administration is “taking the threats posed by ransomware seriously with several initiatives,” including a focus on securing industrial control systems, working to disrupt ransomware infrastructure, and pursuing greater international cooperation.
Asked whether Colonial had paid ransom to the cyber attackers, Neuberger replied that “we recognize that victims of cyber attacks often face a very difficult situation, and they have to just balance, often, the cost-benefit when they have no choice with regard to paying a ransom.”
“Colonial is a private company, and we’ll defer information regarding their decision on paying a ransom to them,” she said, adding that “typically that is a private-sector decision, and the administration has not offered further advice at this time. Given the rise in ransomware, that is one area we are definitely looking at now to say what should be the government’s approach to ransomware actors and to ransoms overall.”
Asked whether this ransomware attack was linked back to Russia or other Eastern European criminals, Neuberger said DarkSide is currently assessed “as a criminal actor, but that’s certainly something that our intelligence community is looking into.”
“Our intelligence community is looking for any ties to any nation-state actors,” she said. “And if we find that further information, will look into it further.”
Former DHS Assistant Secretary for Infrastructure Protection Brian Harrell told HSToday that critical infrastructure sectors “are the modern-day battlefield and cyberspace is the great equalizer.”
“Hacker groups can essentially attack with little individual attribution and virtually no consequence. With over 85 percent of all infrastructure owned and operated by the private sector, significant investment and attention must be placed on hardening key critical systems,” Harrell said. “I anticipate more attacks like this happening in the future. A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?”
Pentagon press secretary John Kirby told reporters Monday that the Defense Logistics Agency is “monitoring inventory levels, and we’re awaiting updates from Colonial Pipeline” when assessing whether fuel supply issues could impact DoD operations. “There’s sufficient inventory on hand for downstream customers, so there is no immediate mission impact,” he said.
State Department press secretary Ned Price referred any questions about the potential responsibility of a nation-state actor to law enforcement and the White House, citing the ongoing investigation.
“We don’t have further information about the intent of the perpetrators when conducting the ransomware hack against Colonial,” Neuberger said. “However, as you know, ransomware affects broad sectors, and clearly criminals have learned that those sectors — one of the key sectors we saw during the COVID pandemic was the hospital sector that was affected by ransomware.”
“Clearly, we know — we see that criminal actors have focused on the more vulnerable victims, state and local governments, schools, critical infrastructure,” she said. “And that is why coming up in addressing ransomware with great vigor is a key priority of the administration, because we are very concerned about the growth in ransomware and the impact it has, both on small and medium businesses as well as the state and local governments in the United States and around the world.”