08 May 2021 | 16:55 UTC

Colonial Pipeline confirms cybersecurity attack, temporarily halts operations

Highlights

Restricts refined products movements to USAC

Cybersecurity needed for energy transition

Long-term outage likely bullish for USAC products, clean tankers

Colonial Pipeline has halted all pipeline operations because of a cybersecurity attack involving ransomware, restricting the primary artery for gasoline and refined products for much of the South and East Coast from delivering more than 100 million gal/d of fuel and heating oil.

"Colonial Pipeline learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems," the company said May 8.

It is unclear when pipeline operations will be fully restored. Colonial stretches more than 5,500 miles from the Houston refining hub to the New York harbor, supplying about 45% of all the gasoline and diesel fuel consumed on the East Coast.

"At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers," Colonial added.

The source of the ransomware attack was not immediately clear.

US government officials are working with the pipeline company on the issue.

The Department of Energy "is coordinating with Colonial Pipeline Company, the energy industry, states, and interagency partners to provide situational awareness and support response efforts to this incident," DOE press secretary Kevin Liao said in an email. "DOE is also working closely with the energy sector coordinating councils and the energy information sharing and analysis centers, and is monitoring any potential impacts to energy supply."

The attack was called the "biggest energy disruption since Abqaiq" by Bob McNally, president of Rapidan Energy Group and former White House adviser, in reference to the September 2019 attack on Saudi Aramco's giant Abqaiq crude processing plant.

"Let's hope it's very temporary," McNally said on Twitter.

Pipelines 'hard to defend'

Leo Simonovich, head of industrial cybersecurity at Siemens Energy, said on Twitter that pipelines are "especially hard to defend."

"In general, legacy systems are often under-maintained, with digital merely bolted-on — that makes them vulnerable," he said.

With an estimated 125 million electric vehicles expected to be on the road within the next decade, the "transportation transformation needs sufficient cyber measures taken to protect against hackers," he said.

According to John Cusimano, vice president of aeCyberSolutions, pipeline cybersecurity lags that of other energy industry sectors.

"A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve, and tank farm along the pipeline," Cusimano said in emailed comments. "These are very large networks covering extensive distances but they are typically 'flat', from a network segmentation standpoint. This means that once someone gains access to the SCADA network they have access to every device on the network."

"The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline," he said. "Some of those facilities are in very remote places with little to no physical security meaning that if an attacker breached the security of one of those facilities they could gain access to the network."

In response to the incident, US Senator Edward Markey said in a statement that an "understaffed, underprepared Transportation Security Administration—which had only six full-time staff on pipeline security as recently as 2019—cannot successfully ensure the security of dangerous and susceptible natural gas pipeline infrastructure."

"The federal inability to prevent and effectively respond to cyberattacks turns our pipeline system into a risk for communities and an increasingly vulnerable component of our electricity system," said Markey, a member of the Senate Commerce, Science and Transportation Committee. "While we need more information about the circumstances that allowed the Colonial Pipeline cyberattack, we cannot ignore the longstanding inadequacies that allowed for, and enabled, cyber intrusions into our critical infrastructure."

Price reaction muted, for now

Prior to the announcement, USGC spot refined products prices had weakened slightly on news that Colonial was experiencing unidentified network issues. According to market sources at the time, both main lines of the 2.5 million b/d refined product pipeline system were impacted, stranding barrels of gasoline, diesel and jet on the USGC.

However, the price moves were likely limited at the time as the scope of Colonial's problems was unclear. Also, Colonial said at the time it was "working to restore service as quickly as possible."

S&P Global Platts assessed USGC CBOB at NYMEX June RBOB futures minus 14.50 cents/gal May 7, down 25 points. USGC ULSD was assessed at the NYMEX June ULSD futures contract minus 4.85 cents/gal, down 5 points.

Colonial ships 1.5 million b/d of gasoline on its Line 1 pipeline and 1.16 million b/d of distillates on its Line 2 pipeline, with both lines ending in Greensboro, North Carolina.

In Greensboro, product is able to continue up to New York Harbor on Lines 3 and 4, ending in Linden, New Jersey.

A long-term pipeline outage would be bullish for USAC prices, likely opening an arbitrage for waterborne imports, as the region is heavily dependent on the Colonial Pipeline for supply.

USAC imports jumped following weather-related Texas refinery outages in February, with 36.7 million barrels of refined products imported in March, up from 25 million barrels in February, Kpler vessel tracking software shows. Roughly 33.5 million barrels are expected to be imported in May so far, Kpler data shows.

An extended outage also has the potential to boost clean tanker rates, and refined products prices overseas. The surge in waterborne imports boosted clean tanker rates following the February refinery outages. The UK Continent-USAC medium range clean tanker market was assessed by Platts at Worldscale 125 May 7, down from w175 in mid-March.

NYMEX New York Harbor-delivered RBOB and ULSD crack spreads edged higher May 7 following news of the Colonial problems. The front-month RBOB crack against ICE Brent ended the day at $21/b, up from $20.49/b the prior day, while the ULSD crack against Brent ended at $16.20/b, up from $15.52/b.

Combined low and ultra low sulfur diesel stocks on the USAC at 39 million barrels the week ended April 30 were 7% below the five-year average, US Energy Information Administration data shows.

USAC gasoline inventories at 64.6 million barrels were 3% below the average.