Drivers across the southeastern United States have been getting a new sense of the vulnerability of their fuel supplies over the last week, and operators of the Colonial Pipeline ended up paying a ransom to regain control of their system, after a successful cyberattack took out a 5,500-mile pipeline network that runs from Houston to New Jersey and supplies the eastern U.S. with 45% of its fuel.
While the initial news reports on the virtual heist were almost optimistic, the tone quick shifted day by day.
On Saturday, the Washington Post reported that the ransomware attack carried out by DarkSide, a criminal gang based in Eastern Europe or Russia, was “not expected to have an immediate impact on fuel supply or prices”. The paper said federal authorities and a well-known private cybersecurity firm were looking into the hack.
A day later, with Colonial giving no indication of when it might reopen, the New York Times pointed to concerns about fuel supplies. “While the shutdown has so far had little impact on supplies of gasoline, diesel, or jet fuel, some energy analysts warned that a prolonged suspension could raise prices at the pump along the East Coast and leave some smaller airports scrambling for jet fuel,” the Times wrote.
By Monday, Reuters said the pipeline was still days away from restarting operations. “While the impact remains to be quantified, the pipeline shutdown will reduce fuel availability in the near term, push up prices, and force refiners to cut production because they have no way to ship the gas.”
As the week wore on, panic buying set in across much of the region, with Charlotte, North Carolina reporting 71% of its gas stations out of fuel. One motorist made a strong bid for a prestigious 2021 Darwin Award by filling at least one plastic shopping bag with flammable, explosive gasoline and stowing it in the trunk of her car.
But Colonial itself, a subsidiary of the sprawling Koch Industries conglomerate, may have set itself up for what amounts to a corporate Darwin Award, after an outside audit three years ago discovered “glaring deficiencies” and “atrocious” information management practices that left the system open to cyberattack, The Associated Press reports.
“How far the company…went to address the vulnerabilities isn’t clear,” AP writes. “Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.”
Colonial also posted a job ad for a cyber manager last month, Reuters writes.
But the pipeliner still ended up paying a ransom of nearly US$5 million to DarkSide, Bloomberg reported yesterday, citing three sources familiar with aspects of the transaction. “Of course, the guidance from the FBI is not to do that,” said White House Press Secretary Jen Psaki.
Nevertheless, “the company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard,” Bloomberg says.
While DarkSide had helpfully asserted that “our goal is to make money, and not creating problems for society,” the news agency reports the decryption tool the hackers supplied after they received their ransom “was so slow that the company continued using its own backups to help restore the system”.
And the problems with the Colonial Pipeline aren’t limited to cybersecurity.
The system was also the source of a large gasoline spill last August near Huntersville, North Carolina, The Weather Channel reports. The company initially placed the spill at 273,000 gallons, before steadily increasing its estimate to 354,060, then 1.12 million gallons, writes WCNC Charlotte.
Which meant that “what was already one of the worst gasoline spills in the United States appears to be even larger and deeper than earlier estimates,” The Weather Channel says.
Nearly a year later, the episode is still raising local concerns ranging from drinking water quality to property values, WCNC adds.
“It is unacceptable that for eight months Colonial Pipeline has been unable to provide a reliable accounting of the amount of gasoline released into this community,” DEQ Secretary Dionne Delli-Gatti said in a release. “We will take all necessary steps and exercise all available authority to hold Colonial Pipeline accountable for what has become one of the largest gasoline spills in the country.”
The company only found out about the spill after two teenagers spotted it while riding by on all-terrain vehicles, WCNC states. “We have no idea how long this was leaking because current practices clearly do not provide enough safety measures to monitor a leak like this,” said state Sen. Natasha Marcus.
But the same company that saw eight months as an acceptable time span to get a handle on a large local gasoline spill moved far more swiftly to shut down a much bigger operation when its finances were thrown into jeopardy.
“The company halted operations because its billing system was compromised,” CNN reports, “and they were concerned they wouldn’t be able to figure out how much to bill customers for fuel they received. One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time.”
A company spokesperson stated that, “in response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems.” The spokesperson added there was no evidence the hackers had compromised any of the pipeline’s operational systems, CNN says.
Meanwhile, after a week of frenzied news coverage, White House briefings, and what CNN calls a “whole-of-government” response from the Biden administration, there’s a growing sense that one of the country’s biggest pipeline networks may have been brought to its knees by a pack of amateurs.
“DarkSide’s business model is to provide attackers with limited skills the funding and resources they need to actually launch the attacks, providing a platform that both parties can profit off of,” CNN writes. “Among the signs that the hackers were novices is the fact that they chose a high-risk target that deals in a low-margin business, meaning the attack was unlikely to yield the kind of payout experienced ransomware actors are typically looking for.”
But the biggest known attack on U.S. energy infrastructure still shone a harsh light on those systems’ vulnerability to cyberattacks, the Washington Post reports. In Colonial’s case, “legacy assets” across the more than 40-year-old system rely on digital technology “that’s been bolted on top,” Siemens Energy vice president Leo Simonovich told the paper, and “as they get more connected, they also become more vulnerable”.
The Post has more on the challenges in protecting existing infrastructure from new cybersecurity threats.
Much of the reporting over the last week has brought new emphasis to a behind-the-scenes problem that receives steady coverage in industry publications.
“The attack is just the latest episode in which hackers have gone after critical systems such as water plants, oil refineries, chemical plants, or the electric grid—including a notorious incident in which Russia shut off part of Ukraine’s power supply,” Politico writes. “It’s also part of a growing plague involving ransomware, in which hackers demanding payments have crippled targets such as hospitals, police stations, or municipal governments.”
“Warning lights have been flashing for some time now, but this is the most brazen attack on critical infrastructure yet,” Katell Thielemann, a VP analyst at Gartner, told Utility Dive. “It shows a complete lack of norms of engagement and fear of reprisal in the cyber domain when criminal actors feel empowered to target critical assets that underpin the lives of millions.”
Solar and wind farms may also be vulnerable, Grist warns.
“This was not a minor target,” energy researcher and author Amy Myers Jaffe told Politico. “Colonial Pipeline is ultimately the jugular of the U.S. pipeline system. It’s the most significant, successful attack on energy infrastructure we know of in the United States. We’re lucky if there are no consequences, but it’s a definite alarm bell.”
(h/t to the amazing and attentive Adrian Irving-Beer for helping to source details on this story)