Cyberattack forces a shutdown of a top US pipeline
By David E. Sanger, Clifford Krauss and Nicole Perloth
One of the nation’s largest pipelines, which carries refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down after being hit by ransomware in a vivid demonstration of the vulnerability of energy infrastructure to cyberattacks.
The operator of the system, Colonial Pipeline, said in a vaguely worded statement late Friday that it had shut down its 5,500 miles of pipeline, which it says carries 45% of the East Coast’s fuel supplies, in an effort to contain the breach. Earlier Friday, there were disruptions along the pipeline, but it was not clear at the time whether that was a direct result of the attack or of the company’s moves to proactively halt it.
On Saturday, as the FBI, the Energy Department and the White House delved into the details, Colonial Pipeline acknowledged that its corporate computer networks had been hit by a ransomware attack, in which criminal groups hold data hostage until the victim pays a ransom. The company said it had shut down the pipeline itself, a precautionary act, apparently for fear that the hackers might have obtained information that would enable them to attack susceptible parts of the pipeline.
Administration officials said they believed the attack was the act of a criminal group rather than a nation seeking to disrupt critical infrastructure in the United States. But at times, such groups have had loose affiliations with foreign intelligence agencies and have operated on their behalf.
The shutdown of such a vital pipeline, one that has served the East Coast since the early 1960s, highlights the vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet. In recent months, officials note, the frequency and sophistication of ransomware attacks have soared, crippling victims as varied as the District of Columbia police department, hospitals treating coronavirus patients and manufacturers, which frequently try to hide the attacks out of embarrassment that their systems were pierced.
Colonial, however, had to explain why gasoline and jet fuel were no longer flowing to its customers, and Friday, the markets began to react as speculation swirled about whether an accident, a maintenance problem or a cyberincident accounted for the shutdown.
But Saturday, Colonial, which is privately held, declined to say whether it planned to pay the ransom, which frequently suggests that a company is considering doing so or has already paid. Nor did it say when normal operations would resume.
In the next week or so, the administration is expected to issue a broad-ranging executive order intended to bolster security of federal and private systems, after two major attacks from Russia and China in recent months caught U.S. companies and intelligence agencies by surprise.
Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into large storage tanks, and with energy use depressed by the coronavirus pandemic, the attack was unlikely to cause any immediate disruptions.
The company initially said that it had learned Friday that it “was the victim of a cybersecurity attack,” leading many in the industry and some investigators to believe that the attack might have directly affected the industrial control systems that regulate oil flow. Colonial issued an updated statement Saturday saying that it had determined that the “incident involves ransomware” and contended that it had taken down its systems as a preventive measure.
“Colonial Pipeline is taking steps to understand and resolve the issue,” the company said. “Our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation.”
It said it had contacted law enforcement and other federal agencies. The FBI confirmed that it was involved in the investigation, along with the Energy Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Attacks on critical infrastructure have been a major concern for a decade, but they have accelerated in recent months after two breaches — the SolarWinds intrusion by Russia’s main intelligence service and another against some types of Microsoft-designed systems that has been attributed to Chinese hackers — underscored the vulnerability of the networks on which the government and corporations rely.
For that reason, understanding how the pipeline attack unfolded — and the motivations of those behind it — will become the focus of federal investigators and the White House, which has elevated cybervulnerabilities to the top of its national security agenda.
In a statement Saturday evening, the White House said that President Joe Biden had been briefed on the ransomware attack and its aftermath earlier in the day and that federal officials were working to “assess the implications of this incident, avoid disruption to supply and help the company restore pipeline operations as quickly as possible.” It said it was seeking to make sure others in the fuel industry were moving to protect themselves.
Because it is privately held, Colonial is under less pressure than a publicly traded company might be to reveal details. But as the custodian of a major piece of the nation’s cyberinfrastructure, the company is bound to come under scrutiny over the quality of its protections and its transparency about how it responded to the attack.
People familiar with the investigation said that although Colonial insisted that it became aware of the attack Friday, the events appeared to have unfolded over several days. It has hired private cybersecurity company FireEye, which has responded to the hacking of Sony Pictures Entertainment, energy facility breaches in the Middle East and many events involving the federal government.
Bringing down the pipeline operations to protect against a broader, more damaging intrusion is fairly standard practice. But in this case, it left open the question of whether the attackers themselves now had the ability to directly turn the pipelines on or off or bring about operations that could cause an accident.
The ransomware attack is the second known such incident aimed at a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a natural gas compression facility belonging to a pipeline operator. That caused a shutdown of the facility for two days, although the agency never revealed the company’s name.
Colonial Pipeline, based in Alpharetta, Georgia, is owned by several American and foreign companies and investment firms, including Koch Industries and Royal Dutch Shell. The pipeline connects Houston and the Port of New York and New Jersey and also provides jet fuel to major airports, including those in Atlanta and the Washington, D.C., area.
So far the effect on fuel prices has been small, with gasoline and diesel futures rising about 1% on the New York Mercantile Exchange on Friday. On average, prices for regular gasoline at the pump in New York state rose Saturday by a penny, to $3 per gallon from $2.99. Over the past week, gasoline prices have risen nationwide by 6 cents per gallon, according to the AAA motor club, as global oil prices have risen rapidly.
“It’s a serious issue,” said Tom Kloza, global head of energy analysis at Oil Price Information Service. “It could snarl things up because it is the country’s jugular aorta for moving fuel from the Gulf Coast up to New York.”
The Oil Price Information Service reports that U.S. gasoline inventories are at the “comfortable” levels of 235.8 million barrels, nearly 10 million barrels above levels in 2019, before the pandemic reduced demand for fuel. Middle Atlantic and New England states have substantial supplies, the analysis service reported.
Prices at the pump could be affected in different ways depending on the region. If there is a prolonged shutdown, areas from Alabama north through Baltimore will potentially see shortages. However, Midwestern and Ohio Valley states could actually benefit from cheaper shipments from the gulf refineries as the plants divert stranded supplies.