And what it means for gas prices.
Hackers have used a ransomware attack to shut a major American oil pipeline down for several days, forcing the Biden administration to declare a regional state of emergency to keep some of the oil supply moving until the pipeline goes back up. The cyberattack looks to be the largest ever on an American energy system, and yet another example of cybersecurity vulnerabilities that President Biden has promised to address.
The Colonial Pipeline Company reported on May 7 that it was the victim of a “cybersecurity attack” that “involves ransomware,” forcing the company to take some systems offline and disabling the pipeline. The Georgia-based company says it operates the largest petroleum pipeline in the United States, carrying 2.5 million barrels a day of gasoline, diesel, heating oil, and jet fuel on its 5,500-mile route from Texas to New Jersey.
The pipeline supplies nearly half of the East Coast’s fuel supply, and a prolonged shutdown could cause price increases and shortages and ripple across the industry. Colonial said on Monday that it hoped to “substantially restore” its operations by the end of the week and minimize disruption caused by the shutdown. According to the Washington Post, a weeklong stoppage could cause a small, temporary increase in gas prices.
A hacker group called DarkSide, believed to be based in Eastern Europe, has claimed credit for the attack. DarkSide does not appear to be linked to any nation-states, saying in a statement that “our goal is to make money, [not to create] problems for society” and that it is apolitical. It’s not known how much money the hackers are demanding, nor how much, if anything, Colonial has paid — assuming it’s willing to pay anything.
Ransomware attacks generally use malware to lock companies out of their own systems until a ransom is paid. They’ve surged in the last few years and cost billions of dollars in ransoms paid alone — not counting those that aren’t reported and any costs associated with having systems offline until the ransom is paid. Ransomware attacks have targeted everything from private businesses to the government to hospitals and health care systems, which make for especially attractive targets given how urgent it is to get their systems back up as soon as possible.
Energy systems and suppliers have also been a target of ransomware and cyberattacks. The cybersecurity of America’s energy infrastructure has been a particular concern in recent years, with the Trump administration declaring a national emergency in May 2020 meant to secure America’s bulk power system with an executive order that would forbid the acquisition of equipment from countries that pose an “unacceptable risk to national security or the security and safety of American citizens.”
Details on how the hackers were able to gain access to Colonial’s systems haven’t been made public yet, but Bloomberg reports that the attack began on May 6, with nearly 100GB of data stolen before Colonial’s computers were locked up. A ransom was demanded, both to stop the data from being leaked on the internet and to unlock the affected systems.
With the pipeline down, the pipeline company and its fuel suppliers are hoping that fuel trucks and possibly tankers will make up for some of the shortage. Emergency waivers were given by the Department of Transportation to extend driver hours for trucks and some companies are looking into chartering tankers to deliver the fuel by ship. The latter option would likely mean waiving the Jones Act, a 1920 law that requires domestic shipping to be done on ships that are built, owned, and operated by American citizens or permanent residents. This has been done for other temporary fuel crises, for example in the wake of Hurricanes Katrina, Rita, and Sandy. But these measures still won’t be enough to completely replace the oil that the pipeline delivers.
The attack gets at two of the Biden administration’s stated priorities: improving American infrastructure and cybersecurity. After the Russian SolarWinds hack, which affected multiple government systems, then-President-elect Biden said “my administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office … I will not stand idly by in the face of cyber assaults on our nation.”
Biden has also unveiled a $2 trillion infrastructure plan that includes $100 billion to modernize the electrical grid, which cybersecurity experts hoped would include improved cybersecurity measures. Biden also suspended the Trump bulk power system executive order to roll out his own plan. And he reportedly plans to unveil an executive order soon that will strengthen cybersecurity at federal agencies and for federal contractors.
But these measures are more focused on preventing another SolarWinds-like attack, and federal officials told the New York Times that they don’t think the order does enough to prevent a sophisticated attack, nor would it apply to a privately held company like Colonial. The attack might be enough to show the need for cybersecurity standards for companies that play such an important role in Americans’ lives yet are left to their own devices about the security measures they use to protect those systems.
“Ransomware is about extortion and extortion is about pressure,” James Shank, chief architect of community services at cybersecurity and threat intelligence company Team Cymru, told Recode. “Impacting fuel distribution gets peoples’ attention right away … This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests.”
Assuming the pipeline is back up by the end of the week, it shouldn’t cause a major or prolonged disruption to the fuel supply chain or hit consumers’ wallets too hard. But the next one — and many cybersecurity experts fear there will be a next one, or several next ones — could be a lot worse if measures aren’t taken at the highest levels to prevent them.
“We can not think of these attacks as impacting private companies only — this is an attack on our country’s infrastructure,” Shank added.