By Collin Eaton, James Rundle and David Uberti
The ransomware attack that forced the closure of the largest
U.S. fuel pipeline this weekend showed how cybercriminals pose a
far-reaching threat to the aging, vulnerable infrastructure that
keeps the nation's energy moving.
Colonial Pipeline Co. closed its entire 5,500-mile conduit
carrying gasoline and other fuels from the Gulf Coast to the New
York metro area Friday as it moved to contain an assault that
involved ransomware, code that holds computer systems hostage. So
far, no evidence has emerged that the attackers penetrated the
vital control systems that run the pipeline, according to people
familiar with the matter.
But the consequences of an infection spreading to that deeper
layer are dire for any energy company. Many machines that control
pipelines, refineries and power plants are well past their prime,
have few protections against sophisticated attacks and could be
manipulated to muck with equipment or cause damage, cybersecurity
Last year, a ransomware attack moved from a natural-gas
company's networks into the control systems at a compression
facility, halting operations for two days, according to a
Department of Homeland Security alert. The company, which Homeland
Security didn't name, didn't have a plan to respond to a
cyberattack, the agency said.
The Colonial ransomware attack is a high-profile example of the
online assaults that U.S. companies, schools, hospitals and other
organizations now face regularly. It should also serve as a wake-up
call for the energy industry's particular exposure, according to
consultants and others who work with companies to shore up
U.S. and industry officials have known for years about such
problems surrounding the nation's energy infrastructure. A
cybersecurity unit of Homeland Security said in 2016 it had worked
to identify and mitigate 186 vulnerabilities throughout the energy
sector, the most of any critical-infrastructure industry that year.
In 2018, federal officials warned that hackers working for Russia
had infiltrated the control rooms of U.S. electric utilities.
The energy industry is a big target. The U.S. has roughly 2.5
million miles of pipelines. Across that vast network are hundreds
of thousands of devices -- sensors that take myriad readings,
valves that help control flow and pressure within a pipeline and
leak detection systems -- and all are vulnerable to attack,
security experts said.
Refineries have even more valves and sensors than big pipelines,
and there are about 135 of those across the country. That doesn't
include electric utilities and all the components of the sprawling
Colonial ferries 100 million gallons a day of gasoline, diesel
and other refined petroleum products from the country's chief
refining corridor along the Gulf Coast to Linden, N.J. It
transports roughly 45% of the fuel consumed on the East Coast,
according to the company's website.
Curtis Smith, a spokesman for Royal Dutch Shell PLC, one of the
owners of the Colonial Pipeline, said Sunday it is still too early
to "be specific about potential impacts to product flow." He said
Shell is actively engaged with Colonial.
The trade group American Petroleum Institute said it was closely
monitoring the pipeline situation and that cybersecurity is a top
priority for the energy industry.
API members are engaged continuously with the Transportation
Security Administration, Cybersecurity and Infrastructure Security
Agency and the Energy Department to "mitigate risk and fully
understand the evolving threat landscape," said Suzanne Lemieux,
API's manager of operations security and emergency response
The type of attack that occurred against Colonial Pipeline is
becoming more frequent and is something that businesses need to be
concerned with, Commerce Secretary Gina Raimondo said Sunday.
The attacks are "here to stay and we have to work in partnership
with businesses to secure networks, to defend ourselves against
these attacks," she said on CBS's "Face the Nation." Specific to
the Colonial attack, "it's an all-hands-on-deck effort right
In response to the Colonial Pipeline shutdown, the
Transportation Department's Federal Motor Carrier Safety
Administration said Sunday that it has issued a temporary hours of
service exemption for trucks transporting gasoline and other
refined products across 17 states, including Georgia, South
Carolina, North Carolina and Tennessee. The move would allow
flexibility for truckers delivering fuel, White House press
secretary Jen Psaki said in a tweet.
On Sunday, Colonial didn't provide a timeline for bringing the
pipeline back into service but said that while its main lines
remained offline, some smaller lateral lines between terminals and
delivery points were once again operational. It said it was working
to restore IT systems and developing a plan to start the pipeline
back up when it had approval from federal regulators.
As markets opened Sunday evening, gasoline futures were up about
1.6% at $2.16 a gallon, after briefly rising more than 3%
Analysts said a closure of the pipeline for a few days shouldn't
have dramatic market impacts, because inventories of gasoline have
been readied for the summer driving season and usually get
replenished every five to six days. But if the pipeline remains
offline for five days or longer, shortages could begin to affect
retail stations and consumers along the East Coast, they said.
According to a report by an International Business Machines Corp.
unit, energy companies in 2020 sustained the third-most attacks of
any industry, up from ninth the previous year, as cybercriminals
ramped up assaults on firms with software connected to operational
The industry is ill-prepared for such attacks, security experts
said. Some operational technologies -- for physical systems like
pipelines and the electric grid -- have protocols that predate
those for the internet, said Padraic O'Reilly, co-founder and chief
product officer of Boston-based CyberSaint Security, who works with
pipelines and critical infrastructure on cybersecurity.
"There are just as many [operational technology] vulnerabilities
as there are IT vulnerabilities, but they're scarier in a way
because they can go cyber to physical," Mr. O'Reilly said, noting
the energy sector has the most physical infrastructure of any
industry that his company works with.
These weak spots have been known for years, but most energy
companies have only recently begun to implement defenses, such as
firewalls, to protect control systems, said Raymond Sevier, a
technical solutions architect with Cisco Systems Inc., who focuses
on industrial systems.
The control systems were considered safe for years because they
weren't connected to the internet, but hackers have found ways to
penetrate them through unsecured remote access and networked
systems. Many companies have older, vulnerable Windows platforms
still embedded within energy facilities, and efforts to implement
cybersecurity measures rarely move beyond the pilot-program stage,
Mr. Sevier said.
Because many industrial facilities run around the clock, it
isn't easy to take down plants to patch outdated systems, keeping
older machines in place and providing "the perfect path for cyber
pathogens" once they are connected to company networks, said Grant
Geyer, chief product officer of Claroty Ltd., a cybersecurity
company that specializes in critical infrastructure
Energy companies and other firms that operate infrastructure
have invested heavily in recent decades to automate their processes
and reduce costs, said Mark Montgomery, former executive director
of the Cyberspace Solarium Commission, a bipartisan policy group
formed by Congress.
"It's not matched by a similar investment in cybersecurity," Mr.
Montgomery said. "It's creating a lot of risk and vulnerability
that, obviously, criminals can exploit."
Two people briefed on the Colonial Pipeline probe said the
attack appeared to be limited to information systems and had not
infiltrated control systems. U.S. cybersecurity firm FireEye Inc.
was investigating the attack, according to people familiar with the
It is unclear how long it could take to bring the Colonial
Pipeline back into service, said Robert M. Lee, founder of the
industrial cybersecurity firm Dragos Inc.
IT security incidents can typically take days to resolve, while
an attack on control systems can take weeks, given the average age
and complexity of those technologies and their proximity to core
operations, Mr. Lee said.
Many companies, Mr. Lee said, have underinvested in operational
technology security, and U.S. officials have largely pushed firms
to focus on measures to prevent attacks. That approach has left
gaps in some businesses' ability to detect and respond to
successful hacks, he said.
"Everything we've told our asset owners has been focused on
preventive [security]," he said. "We need to shift that and focus
on the whole approach."
Eric Morath contributed to this article.
Write to Collin Eaton at email@example.com, James Rundle at
firstname.lastname@example.org and David Uberti at email@example.com
(END) Dow Jones Newswires
May 09, 2021 19:01 ET (23:01 GMT)
Copyright (c) 2021 Dow Jones & Company, Inc.