The Colonial Pipeline Company has been the victim of a cybersecurity attack. The company announced it had learned of the attack on May 7, although it is likely that some data was stolen before systems were taken offline to contain the threat. The incident involves ransomware, and threats were made to publicly release the data.
The Colonial Pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, gasoline and jet fuel.
Mitigating action taken by the company has temporarily halted all pipeline operations, and affected some of its IT systems. A third-party cybersecurity firm is investigating the nature and scope of this incident. Meanwhile, the White House is forming an interagency working group to prepare for various scenarios, including whether additional steps need to be taken to mitigate any potential impact on fuel supply.
For example, the U.S. Department of Transportation (USDOT) announced Sunday that, as part of the federal government’s efforts to actively assess the implications of the incident and to avoid disruption to supply, the Federal Motor Carrier Safety Administration (FMCSA) is taking steps to create more flexibility for motor carriers and drivers. FMCSA is issuing a temporary hours-of-service exemption, or emergency waiver, that applies to those transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.
News outlets including Bloomberg, CNN and The Washington Post have attributed the attack to a cybercrime group known as DarkSide, citing people involved in the investigation and a former senior cyber official as sources. DarkSide, which typically targets non-Russian-speaking countries, is known for double-extortion schemes of this nature. Victims of a DarkSide attack have been known to receive an information pack informing them that their computers and servers are encrypted. It is not yet known whether Colonial Pipeline received such an information pack. The group operates like a corporate entity: in March, when it released new malware, DarkSide issued a press release on the dark web and invited journalists to interview its developers.
Colonial Pipeline is in the process of restoring systems and has said it will bring the full system back online only when it believes it is safe to do so, and in full compliance with all applicable federal regulations and approvals.
The attack highlights not only the impact that disruption to fuel supply can have on the U.S., but also the increasing vulnerability of critical infrastructure as more engineers remotely access control systems from home under pandemic working restrictions.