RDSA Shell Plc

By Collin Eaton and Dustin Volz 

The main pipeline carrying gasoline and diesel fuel to the U.S. East Coast was shut down by its operator after being hit with a cyberattack.

Colonial Pipeline Co. operates the 5,500-mile Colonial Pipeline system taking fuel from the refineries of the Gulf Coast to the New York metro area. It said it learned Friday that it was the victim of the attack and "took certain systems offline to contain the threat, which has temporarily halted all pipeline operations."

The outage isn't expected to have a significant impact on fuel markets unless the pipeline remains shut down for several days, analysts said.

In an update Saturday afternoon, the company said it has found that the cyberattack on Colonial involved ransomware, a type of code that attempts to seize computer systems and demand payment from the victim to have them unlocked.

Two people briefed on the probe said the attack appeared to be limited to information systems and hadn't infiltrated operational control systems, but cautioned that the investigation was in its early stages.

The company said it had engaged a third-party cybersecurity firm to help with the issue, which affected some of its IT systems, and had contacted federal agencies and law enforcement.

FireEye Inc., a U.S.-based cybersecurity firm, is investigating the attack, according to people familiar with the matter. A FireEye spokesman declined to comment.

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, which works with critical infrastructure companies on cyber defense, didn't immediately respond to requests for comment.

It wasn't clear whether the attack was perpetrated by a nation-state actor or criminal actor. Attributing cyberattacks is difficult and can often take months or longer.

The Colonial Pipeline is the largest refined-products pipeline in the U.S., transporting more than 100 million gallons a day, or roughly 45% of fuel consumed on the East Coast, according to the company's website. It delivers fuels including gasoline, diesel, jet fuel and heating oil and serves U.S. military facilities.

"At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation," the company said in a statement. "This process is already under way, and we are working diligently to address this matter and to minimize disruption to our customers."

Colonial spokeswoman Kelsey Tweed said the company didn't have further details to provide at this time.

Privately held Colonial is owned by several entities, including units of investment firm IFM Investors, Koch Industries Inc., KKR & Co. Inc. and Royal Dutch Shell PLC. KKR declined to comment. IFM, Shell and Koch didn't immediately respond to requests for comment.

Inventories of gasoline have been readied for the summer driving season and usually get replenished every five to six days. But if the pipeline remains offline for days, shortages at terminals that receive fuel in the southeastern U.S. and Atlantic Coast markets could begin to affect retail stations and consumers, said Andy Lipow, president of consulting firm Lipow Oil Associates in Houston.

"It's similar to a hurricane event where the pipeline gets shut down, so if it's for a day or two then the impact will be mitigated," Mr. Lipow said.

The fuel artery is critical to supplying the northeastern U.S. and other markets, and extended shutdowns of the pipeline have caused fuel prices to jump.

Fuel prices rose in 2016 following a Colonial pipeline leak in Alabama that closed the conduit, as they did in 2008 when Hurricane Ike smashed into the Gulf Coast.

It is also among the many aging U.S. pipelines that were built before 1970, having started full operations in 1964.

An outage lasting more than five days could have sharp consequences for fuel supplies, particularly in the southeast U.S., as inventory levels there are fairly tight, said Tom Kloza, global head of energy analysis for Oil Price Information Services, or OPIS, an IHS Markit company.

"If you were looking at the top 20 public targets that you could really wreak havoc with by screwing with the software, the Colonial Pipeline is in that group," Mr. Kloza said. "It's a big deal."

Still, areas along the northern Atlantic Coast have ample fuel supplies amid a rise in foreign imports, particularly from Europe, he said.

Cyberattacks targeting critical infrastructure or key companies, some by suspected foreign actors, have become a growing area of concern for the U.S. national security officials.

Russian hackers, for example, have been blamed by Western intelligence agencies for temporarily downing parts of Ukraine's power grid in the winter. Pipelines have long been viewed as an area of concern for these kinds of attacks, in part because halting their operations can have immediate impact.

President Biden in April announced punitive measures against Russia, blaming suspected Russian agents for a month-long hack of the U.S. government and some of America's biggest corporations.

That attack involved SolarWinds Corp. , a network-management technology firm whose software was one of the primary entry-points for the hackers, but extended beyond its software. It has been described as one of the worst instances of cyber espionage in U.S. history.

U.S. officials in recent months have ramped up warnings about such hacks. The number of ransomware incidents has risen dramatically during the coronavirus pandemic, cybersecurity experts say, targeting schools, hospitals and companies.

On Wednesday, Homeland Security Secretary Alejandro Mayorkas said his agency is dedicating more resources to counter ransomware aimed at locking up government and private-sector computer networks. And the Justice Department last month announced a new task force dedicated to ransomware.

"The threat is real. The threat is upon us. The risk is to all of us," Mr. Mayorkas said.

Mike Chapple, a cybersecurity expert at the University of Notre Dame and former National Security Agency official, said the Colonial Pipeline attack appeared to show the hackers were "extremely sophisticated" or that the systems weren't properly secured.

"This pipeline shutdown sends the message that core elements of our national infrastructure continue to be vulnerable to cyberattack," Mr. Chapple said.

If the attack originated from malware or ransomware that infected systems, potentially inadvertently, then network issues could be fixed in a matter of days or weeks, depending on how well prepared Colonial was to respond to an attack, said Grant Geyer, chief product officer of software firm Claroty, which specializes in industrial cybersecurity.

But if a nation-state directed the attack, it would require an extensive cybersecurity response to fix vulnerabilities that could serve as a "backdoor" for infections later.

"A lot of the systems that control industrial environments are managed by, in some cases, antiquated Windows systems that are rife with vulnerabilities," Mr. Geyer said, adding the problem is particularly acute in the energy industry.

Miguel Bustillo and David Uberti contributed to this article.

Write to Collin Eaton at collin.eaton@wsj.com and Dustin Volz at dustin.volz@wsj.com

(END) Dow Jones Newswires

May 08, 2021 17:09 ET (21:09 GMT)

Copyright (c) 2021 Dow Jones & Company, Inc.