A cyberattack on the massive Colonial pipeline caused the company to shut down its entire 5,500-mile fuel system over the weekend, in what appears to be the most disruptive energy-sector hack in U.S. history.
Colonial Pipeline Co., which operates pipelines that carry diesel, gasoline and other fuels from Texas to New Jersey, revealed it was the victim of a ransomware attack Friday.
"We proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems," Colonial said.
Ransomware hackers encrypt victims' computer files and demand digital payment to unlock them. Colonial did not say whether it had paid the hackers, nor did the company offer a timeline yesterday for when its pipeline system — which supplies an estimated 45% of all fuel used on the East Coast — will be fully online.
President Biden was briefed about the cyberattack early Saturday, and the incident has triggered a flurry of responses from federal agencies including the Department of Energy. The attack is already raising pointed questions about possible gaps in U.S. critical infrastructure security as top intelligence and energy officials warn of an unprecedented rise in cyberthreats (Energywire, April 14).
A White House official said the administration has set up an interagency working group that worked through the weekend and will "continue to plan for a number of scenarios, including possible additional measures to mitigate potential supply impact, as needed."
The official also noted that DOE is leading the federal government response.
For its part, Colonial said it has launched an investigation into the cyberattack and is working with law enforcement and other agencies.
The Alpharetta, Ga.-based company noted in a statement last night that its operations team is developing a "system restart plan" and that some smaller lines between fuel terminals are now running again.
There's no indication that the ransomware attack that encrypted the company's files spread into the operational technology that manages the flow of fuel through its pipeline system. Colonial said that it took systems offline in an abundance of caution but didn't answer requests for comment on whether operational networks were infected by the ransomware.
Cybersecurity firm FireEye Inc., best known for its discovery of the SolarWinds espionage campaign, said it is working with Colonial.
The cyberattack could cause a spike in U.S. gasoline prices, experts say. Analysts at ClearView Energy Partners LLC said in a report Saturday that the shutdown is "potentially significant from a product price perspective," depending on how long it lasts.
"The Colonial outage comes at a critical juncture for the recovering U.S. economy: the start of the summer driving season," the ClearView researchers wrote. "We therefore think lawmakers could begin a 'blame game' immediately, and a sustained disruption that leads to a significant pump price spike could increase prospects of domestic policy interventions."
Ransomware is not a new problem with pipelines. Just last year, the Cybersecurity and Infrastructure Security Agency said a ransomware attack on a natural gas company forced the shutdown of a pipeline for two days (Energywire, Feb. 19, 2020). In that case, the ransomware known as "Ryuk" moved from the IT side into the more critical OT — operational technology — networks, where it infected computers linked to a natural gas compression station.
An Eastern European criminal ransomware gang known as DarkSide is believed to be behind the latest attack on Colonial, The Washington Post reported.
According to a post from cybersecurity firm Cybereason, DarkSide first appeared in August 2020, and the group's ransom demands can go as high as $2 million. DarkSide quickly made a name for itself for being a "highly organized" cybercriminal operation, Cybereason said.
"We should not underestimate these groups," said Marty Edwards, vice president of OT security at cybersecurity firm Tenable and a former Department of Homeland Security official. "Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world."
The U.S. energy sector is growing particularly vulnerable to ransomware attacks as OT merges with IT like business and email networks, experts say. The increasing digitization of power grid and pipeline equipment means it's becoming easier for ransomware attackers to move from the IT side to the OT.
"Ransomware has been a favored attack vector of cybercriminals because of its effectiveness and return on investment. That's precisely why bad actors have recently set their sights on critical infrastructure," said Edwards.
"Shutting down operational technology (OT) environments can cost hundreds of millions of dollars, which forces providers to outweigh the costs," Edwards said.
Who's in charge?
DOE is the federally designated "sector-specific agency" for energy-sector cybersecurity. However, pipeline cyber oversight falls to the Transportation Security Administration.
Edwards said one of the unique challenges of protecting pipelines from hackers is the "complexity of the regulatory and oversight environment."
"Because pipelines cross state lines, you have the Department of Transportation involved. DHS has the Transportation Security Administration. Because petroleum is involved, the Department of Energy has a role," Edwards said. "Couple that with the fact that it is a large industry geographically — it can be a challenge simply to get incident response personnel to all of the impacted locations."
The distributed nature of pipelines means it's not cost-effective to send workers to far-flung locations to twist valves. But many of "the tools that are used to enable asset operators' remote connectivity are optimized for easy access and not for security," said Grant Geyer, chief product officer at Claroty, a cybersecurity firm that specializes in OT networks.
DOE, CISA, TSA and the Federal Energy Regulatory Commission all said they were working with other agencies and the energy sector in response to the attack.
"FERC is in communication with other federal agencies, and we are working closely with them to monitor developments," Richard Glick, the Democratic chairman of the independent energy regulator, said in a statement.
FERC sets mandatory cybersecurity rules for the bulk electric power grid, but the requirements don't apply to the natural gas pipelines that also fall under the agency's purview.
A DOE spokesperson said the agency is "coordinating with Colonial Pipeline Company, the energy industry, states and interagency partners to provide situational awareness and support response efforts to this incident."
The agency is also "monitoring any potential impacts to energy supply," the spokesperson said.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said: "We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector."
The complex bureaucracy has long been a bane to some policymakers and is likely to come up again as the Biden administration weighs major changes to U.S. cybersecurity policy.
FERC Commissioner Neil Chatterjee (R) has warned for years about the U.S. grid's dependence on natural gas.
"I am concerned that, because of our nation's growing use of natural gas for power generation, a successful cyberattack on the natural gas pipeline system could have a significant impact on the electric grid," Chatterjee said in testimony before the Senate Energy and Natural Resources Committee in 2019.
Glick and Chatterjee penned an op-ed for Axios in 2018 calling for stricter oversight of gas pipelines.
The two wrote that DOE should be in charge of gas pipeline security oversight and not TSA, citing the few full-time employees at TSA who are tasked with reviewing the security of the millions of miles of pipelines around the U.S. They also pointed to TSA's decision to rely on voluntary cybersecurity standards.
"Given the high stakes, Congress should vest responsibility for pipeline security with an agency that fully comprehends the energy sector and has sufficient resources to address this growing threat," Glick and Chatterjee wrote.
Shortly after the Colonial cyberattack was announced, Chatterjee re-upped the Axios op-ed, tweeting that "we must rethink the @TSA voluntary approach to #cybersecurity."
Lawmakers have joined in the chorus as well. Sen. Ed Markey (D-Mass.) called for regulatory change on Saturday, tweeting that "an understaffed, underprepared TSA cannot successfully ensure the security of dangerous and susceptible natural gas pipeline infrastructure."
"The Transportation Security Administration had only six full-time staff on pipeline security as recently as 2019. We cannot ignore the longstanding inadequacies that allowed for, and enabled, cyber intrusions into our critical infrastructure," Markey wrote.
Asked for comment on Markey's remarks, TSA said in a statement that the agency "has worked in partnership with pipeline owners and operators and interagency partners to enhance the security preparedness of the Nation's hazardous liquid and natural gas pipeline systems."
TSA pointed to several initiatives, including the development of pipeline security guidelines and "voluntary corporate security and critical reviews."
"TSA has expanded its Surface Operations capability to include Transportation Security Inspectors, and is partnered with CISA and Idaho National Labs to provide advanced cybersecurity training," TSA said.
Another issue is the lack of transparency surrounding ransomware attacks, said David White, founder and president of Axio Global, an Atlanta-based cyber risk management company. Few companies are willing to admit when they've been hacked.
"I strongly believe we need more transparency into attacks. That would help everyone understand the risks," White said.
He added that he supports the congressionally chartered Cyberspace Solarium Commission's recommendation last year to create a center within the Commerce Department for sharing cyberthreat information, "not to out individual companies, but to make everyone more aware."
Better public data on risks and threats could create a deeper understanding that helps persuade regulators to support investment in defenses, White said.
Reporter Peter Behr contributed.