Major US pipeline network shut down after cyber attack
10 May 2021
A cyber attack on US pipeline operator Colonial Pipeline led to the shutdown of its entire network on May 7. The Colonial Pipeline network transports around 2.5 million barrels of gasoline per day – around 45% of the US East Coast’s gasoline, diesel, and jet fuel.
Colonial Pipeline made the decision to close its entire network after learning of the cyber attack, which is believed to have involved ransomware. Ransomware is a type of malware that blocks access or threatens to publish data unless a ransom payment is made. One of the most famous examples is the worldwide ‘WannaCry’ ransomware attack in 2017, which affected a number of institutions including the NHS in the UK.
The attack on Colonial Pipeline is not expected to have an immediate effect on oil prices in the US. However, a prolonged closure could cause significant problems due to the importance of the 5,500 mile (8,850 km) network of pipelines, which carries fuel from refiners on the Gulf Coast to consumers along the US South and East Coast, including several major airports.
In a statement, Colonial Pipeline said it proactively took certain systems offline to contain the threat after learning it was the victim of a cyber attack. Colonial said these actions temporarily halted all pipeline operations and affected some of its IT systems, which it is now actively in the process of restoring.
The pipeline operator is in contact with third-party cybersecurity experts, law enforcement, and other federal agencies, including the Department of Energy which is leading the Federal Government response. “Maintaining the operational security of our pipeline, in addition to safely bringing our systems back online, remain our highest priorities. Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline,” Colonial said.
According to Reuters news agency, Colonial has brought in cyber security firm FireEye to respond to the attack. FireEye has been involved in several high-profile malware responses before, including in 2019 when the company found evidence of ‘Triton’ – a malware linked to an attempt to sabotage a Saudi petrochemical plant in 2017 – in a second, unnamed Saudi critical infrastructure facility. FireEye’s investigation traced the malware, which targets industrial control systems by gaining access and maintaining persistence inside IT and OT networks, to a Russian research laboratory.
The identity of the perpetrator behind the cyber attack on Colonial Pipeline was not officially known until May 10, when the FBI confirmed that an Eastern European-based cyber criminal gang called DarkSide was to blame. The gang is believed to have encrypted around 100GB of data which it said would be released on the internet if a ransom payment was not made. On its website following the cyber attack, the group wrote: “Our goal is to make money and not creating problems for society.”
US President Joe Biden was briefed about the incident on May 8. The White House Press Secretary Jen Psaki issued a statement saying: “The Administration is continually assessing the impact of this ongoing incident on fuel supply for the East Coast. We are monitoring supply shortages in parts of the Southeast and are evaluating every action the Administration can take to mitigate the impact as much as possible.”
On May 9, the US government issued emergency legislation to relax rules on fuel being transported by road. The legislation means fuel truck drivers can now work extra or flexible hours if they are transporting gasoline, diesel, jet fuel, and other refined petroleum products in 18 states across the South and East of the US. While the waiver issued by the Department of Transportation means oil products can be shipped by road, it is not close to matching the pipeline network’s capacity.
During a speech at the White House on May 10, President Biden said he was being given daily updates about the incident. Several news outlets have reported that DarkSide could be a Russian-based organisation as their malware avoids encrypting any computer systems which have the language set as Russian. In his speech, President Biden said these reports were concerning and that he would meet with Russian President Vladimir Putin, although there is no evidence that the Russian state is directly involved.
As of May 11, Colonial’s pipeline network remains largely shut except for some smaller lateral lines between terminals and delivery points. The company has not given any further details of how long the closure would continue.