One of the nation’s largest pipelines, which carries refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down after being hit by ransomware in a demonstration of the vulnerability of energy infrastructure to cyberattacks.
The operator of the system, Colonial Pipeline, said in a statement late Friday that it had shut down its 5,500 miles of pipeline, which it says carries 45% of the East Coast’s fuel supplies, in an effort to contain the breach on its computer networks. Earlier Friday, there were disruptions along the pipeline, but it was not immediately clear whether that was a direct result of the attack or the company’s moves to proactively halt it.
Colonial Pipeline indicated Saturday afternoon that its systems were hit by ransomware, in which hackers hold a victim’s data hostage until it pays a ransom, but it did not say when normal operations would resume. Still, the shutdown of such a vital pipeline, one that has been serving the East Coast since the early 1960s, highlights the vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet.
In coming weeks the administration is expected to issue a broad-ranging executive order to bolster security of federal and private systems, after two major attacks from Russia and China in recent months caught U.S. intelligence agencies and companies by surprise.
Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the coronavirus pandemic, the attack was unlikely to cause any immediate disruptions.
The company said that it learned Friday that it “was the victim of a cybersecurity attack.” Hours after reports of disruptions began to emerge, Colonial issued an updated statement Saturday saying that it had determined that the “incident involves ransomware” and contended that it took down its systems for fear that the hackers may have obtained information from its computer networks that would enable them to attack susceptible parts of the pipeline.
“Colonial Pipeline is taking steps to understand and resolve the issue,” the company said. “Our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway.”
It said it had contacted law enforcement and other federal agencies. The FBI leads such investigations, but critical infrastructure is the responsibility of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
An administration official said that an investigation into the episode was in the very early stages and that it was unclear whether the hacker was a nation or a criminal group. At times, they work in concert. But so far, a senior administration official said, there was no evidence that a nation-state was involved in the attack.
Attacks on critical infrastructure have been a major concern for a decade, but they have accelerated in recent months after two breaches — the SolarWinds intrusion by Russia’s main intelligence service and another against some types of Microsoft-designed systems that has been attributed to Chinese hackers — underscored the vulnerability of the networks on which the government and corporations rely.
For that reason, understanding how the pipeline attack unfolded — and the motivations of those behind it — will become the focus of federal investigators and the White House, which has elevated cybervulnerabilities to the top of its national security agenda.
As a privately held company, Colonial is under less pressure than a public company might be to reveal details. But its initial statement left unclear whether the attack was directed at the industrial controls that are used to manage the pipeline — which most large utility operators keep insulated from the internet to reduce their vulnerability — or whether it was a ransomware attack that stole or froze data on Colonial’s computer systems.
People familiar with the investigation said the early indications were that the events had been unfolding for several days. The company has hired the private cybersecurity firm FireEye, which responded to the hacking of Sony Pictures Entertainment, energy facility breaches in the Middle East and many federal government incidents.
The company appears to have brought down activity on the pipeline Friday to prevent the hackers from inflicting more damage. But that left open the question of whether the attackers themselves now have the ability to directly turn the pipelines on or off, or trigger operations that could cause an accident.
The ransomware attack is the second known such incident aimed at a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a natural gas compression facility belonging to a pipeline operator. That forced a shutdown of the facility for two days, though the agency never revealed the company’s name.
Cybersecurity experts say the rise of automated attack tools and cryptocurrencies, which make it harder to trace perpetrators, has exacerbated such attacks.
“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay,” said Ulf Lindqvist, a director at SRI International, who specializes in threats to industrial systems. “We are talking about the risk of injury or death, not just losing your email.”
So far the effect on fuel prices has been small, with gasoline and diesel futures rising about 1% on the New York Mercantile Exchange on Friday. Prices for regular gasoline at the pump in New York state rose Saturday by a penny, to $3 from $2.99. Over the past week, gasoline prices have risen nationwide by 6 cents, as global oil prices have risen rapidly.
“It’s a serious issue,” said Tom Kloza, global head of energy analysis at Oil Price Information Service. “It could snarl things up because it is the country’s jugular aorta for moving fuel from the Gulf Coast up to New York.”
The Oil Price Information Service reports that U.S. gasoline inventories are at the “comfortable” levels of 235.8 million barrels, nearly 10 million barrels above levels in 2019, before the pandemic reduced demand for fuel. Middle Atlantic and New England states have substantial supplies, the analysis service reported.
Prices at the pump could be affected in different ways depending on the region. If there is a prolonged shutdown, the region from Alabama north through Baltimore could see shortages. However, Midwestern and Ohio Valley states could actually benefit from cheaper shipments from the Gulf refineries as the plants divert stranded supplies.
Colonial Pipeline, based in Alpharetta, Georgia, is owned by several U.S. and foreign companies and investment firms, including Koch Industries and Royal Dutch Shell. The pipeline connects Houston and the Port of New York and New Jersey and also provides jet fuel to most of the major airports, including in Atlanta and Washington, D.C.