Major US pipeline restarts following cyberattack

Article by Amanda Jasi

After a five-day shutdown, operator Colonial Pipeline Company (CPC) has restarted operations at its major US fuel pipeline system, having reportedly paid a US$5m ransom to cyber-attackers.

The Colonial Pipeline spans more than 5,500 miles (8,047 km) and is the largest refined products pipeline in the US, delivering products such as gasoline, diesel, and jet fuel. Supplying the US East Coast, it transports 2.5m bbl/d of fuel, accounting for about 45% of East Coast supplies.

CPC insists that on learning of the attack on 7 May it took “certain systems” offline to contain the threat, halting all pipeline operations and affecting some IT systems. However, conflicting reports in the New York Times state that events appear to have unfolded over several days.

CPC has reportedly engaged a cybersecurity company – FireEye – which has launched an ongoing investigation into the incident. US law enforcement and other federal agencies are also investigating.

The FBI has confirmed that an outfit calling itself “DarkSide” created the ransomware used in the attack. DarkSide provides ransomware and related infrastructure to third parties to extort targets. It’s reported that whilst CPC had previously told Reuters it had no intention of paying the ransom, it paid out around US$5m to the cyber-attackers.

Though its four main lines were mostly offline following the attack, CPC announced on 9 May that smaller lateral lines between terminals and delivery points were operational. On 10 May, it added that segments were being brought back online in a stepwise fashion. That same day, CPC announced that Line 4 – which runs through North Carolina and Virginia – was operating under manual control for a limited period.

To keep fuel moving while its pipeline was offline, CPC worked with shippers to deliver 967,000 bbl (as of 11 May), and in preparation for restart it took delivery of an additional 2m bbl from refineries to deploy upon restart.

On 12 May, as it announced restart, CPC said it had put additional security measures in place to protect its pipeline and would not have initiated restart if it did not deem it safe to do so.

As part of startup, CPC said it would be conducting pipeline safety assessments in compliance with all federal pipeline safety requirements.

Resulting fuel shortages

Image: US drivers scrambling to get fuel during the Colonial Pipeline shutdown (credit: Sharkshock)

The shutdown led to fuel shortages and panic buying, with consumers worried about a prolonged reduction in supply. The average US gasoline price rose several cents to above US$3/gallon, the highest it’s been since 2014. 

CPC said that following the restart, supply delivery is expected to return to normal within several days, while some markets it serves will experience or continue to experience intermittent service interruptions.

A report from motor group American Automobile Association (AAA) highlighted that the national average gas price is likely to fluctuate in the coming days, and that states where prices spiked should see some relief as the pipeline becomes fully operational.

US Energy Secretary Jennifer Granholm commented that the restart should mean “things will return to normal by the end of the weekend”.

Improving US cybersecurity

After this attack, the US is taking steps to improve cybersecurity. On 12 May, US President Joe Biden issued an executive order to this effect.

According to the order, “the [US] faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” and the “Federal Government needs to make bold changes and significant investments.”

The order is aimed at protecting and securing computer systems whether cloud-based, on-premises, or hybrid. It states that the scope for protection and security must include systems that process data (information technology, or IT) as well as those that run “vital” machinery ensuring safety (operational technology, or OT).

Actions include removing barriers to sharing threat information with executive departments and agencies responsible for investigating or remediating cyber incidents; modernising the Federal Government’s approach to cybersecurity, including adopting security best practices, and investing in technology and personnel; and enhancing software supply chain security.

The order follows a previous one, issued by the Trump administration, which included banning bulk-power system equipment from foreign adversaries and auditing equipment already installed. This was in response to threats to the country’s power system.

According to reports, DarkSide was motivated by money, not politics.

In response to the attack, federal agencies have, amongst other actions, established an interagency group to assess impacts on fuel supply and US energy markets and to assess policy options; issued a one-week waiver allowing use of fuels that do not meet volatility regulations, in effect until 18 May; and temporarily relaxed pipeline operator qualification rules in areas where resources are limited due to the attack, effective for two weeks from 7 May.

Nikolay Pankov, who blogs for cybersecurity company Kaspersky, commented: “The Colonial Pipeline example shows the advantage of contacting legal authorities – and quickly. There’s no guarantee they’ll be able to help, of course, but it might just minimise the damage.”

Highlighting that the recent attack was targeted at pipeline infrastructure for essential services, Alexandra Meldrum said it has served as a reminder of the pervasiveness of digital technologies as well as security in a modern society.

Meldrum leads IChemE’s learned society Digitalisation Strategic Priority.

She said: “Cybersecurity is so important because it’s integrated into so much of what we do as chemical engineers.

“Our work is changing; traditionally many chemical engineers might have operated more within areas of functional expertise, but the barriers are breaking down between operations and systems.

“IChemE is being proactive. We recognise the increasing integration between IT and OT, between physical processes such as pipes and the systems controlling them. Everything is so interconnected these days, and the changes are exponential. Digital technologies are transforming lives and work. It’s important for all chemical engineers to try and understand the nature of the digital tools that we’re working with, including those involved in cybersecurity, because they’re integral to the workplace and a sustainable future.”

Also a member of IChemE’s Education and Accreditation Forum, Meldrum said that the Learned Society Committee has been working with IChemE’s accreditation experts to help ensure students understand how digital tools are evolving and how they’re changing the nature of chemical engineering. She highlighted that it’s important to incorporate systems thinking and security into future university programmes so that new chemical engineers will have an understanding of interdependency, and the associated dangers and principles when they first begin their careers.

Digitalisation is one of three priority topics, along with responsible production and major hazards management, that IChemE’s Learned Society has committed to address to 2024.

Article by Amanda Jasi

Staff reporter, The Chemical Engineer
