Colonial attack highlights particular vulnerability of pipelines from cyberthreats

Houston — The successful cyberattack of the main artery of the US' fuel supply show how energy pipelines are acutely vulnerable in an underregulated sector with many remote field locations potentially exposed to attacks, cybersecurity experts said.

The temporary shutdown of the Colonial Pipeline system from ransomware knocked offline the daily delivery of 100 million gallons of fuel and heating oil to the South and East Coast just ahead of the busy summer driving season, although the pipeline network is expected to be substantially back online by the end of the week.

Related coverage

Colonial Pipeline expects to restore most service by end week

Some Colonial Pipeline laterals open but mainlines remain down

Colonial Pipeline closure seen boosting European clean products

Colonial stretches more than 5,500 miles from the Houston refining hub to New York Harbor, supplying about 45% of all the gasoline and diesel fuel consumed on the East Coast.

"This is a wake-up call to industry, and now the pipeline sector, that these threats are real and the would-be attackers will find a way," said John Cusimano, vice president of aeCyberSolutions, which conducts risk assessments for pipelines and other sectors.

The midstream energy space has cybersecurity guidelines from Transportation Security Administration, but they are voluntary and were last updated in 2018. The utility sector overseeing the power grid has more stringent regulation. Cusimano told S&P Global Platts that said regulations for the pipeline sector are clearly lacking and that a federal response comparable to the 2010 Deepwater Horizon tragedy in the Gulf of Mexico may be required.

"As in past crises, the path from 'outage' to 'outrage' may only be a matter of time," ClearView Energy Partners said in a note, citing the political response.

As US Senator Ed Markey, Democrat-Mass., complained, the TSA only has six full-time workers dedicated to pipeline security nationwide.

"The federal inability to prevent and effectively respond to cyberattacks turns our pipeline system into a risk for communities and an increasingly vulnerable component of our electricity system," Markey said in a statement.

President Joe Biden on May 10 emphasized the need for more spending on cybersecurity as part of the negotiations around his $2 trillion American Jobs Plan. "We need to invest to safeguard our critical infrastructure," he said.

In addition to the weaker oversight, pipelines also are more vulnerable to attacks because they stretch thousands of miles and have lots of remote field offices that that the systems connected. Those remote locations are particularly at risk because they often rely on outdated technology and equipment, Cusimano said.

"There does seem to be a lack of investment particularly in the field sites is what we've seen. It's out of sight, out of mind," Cusimano said. "They may not recognize the issues they have out in the fields from where they sit. It can be quite eye opening to them."

Long time coming

The cybersecurity risks to the nation's energy sector has been known for some time, but pure volume of attacks and advancing techniques have stayed ahead of the investments in cyber defense. And this cyberattack hit an oil and gas industry whose digital capabilities have been layered on top of old, legacy infrastructure and systems.

Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy, said that digital transformation -- which the pandemic has accelerated -- compounds cyber risks for all energy producers. And yet the oil and gas sector is far behind utilities in defending against those threats.

"What this attack shows us is that we need to continue to be hyper-vigilant, that we need to pay more attention to industrial cyber, that we need more innovative solutions for this space that are purpose-built, and we need to do it all in the context of the energy transition," Simonovich said in an interview.

In a recent study with the Ponemon Institute, Siemens found 56% of global utilities companies surveyed reported at least one attack involving loss of private information or an operational outage in the last month, with 4% reporting 10 or more such attacks. More than half of respondents expected an attack on critical infrastructure in the next year.

The rate of attacks are growing from both state-sponsored attacks and hacker groups trying to collect ransoms. The Colonial ransomware attack was connected to the DarkSide criminal organization, according to media reports. Although DarkSide has been linked to Russia, the group contends it is apolitical.

Biden said there is no evidence yet that the Russian government was involved in the attack, but the hackers are in Russia. "They have some responsibility to deal with this," Biden said, adding that he plans to meet with Russian President Vladimir Putin soon.

Busy driving season

This attack also comes as global oil demand and US fuel consumption are on the rise as the nation's vaccine rollout has boosted the economy amid the ongoing coronavirus pandemic.

Gasoline demand rose 78,000 b/d in February from January, using monthly Department of Energy data. Using weekly DOE data, demand improved further by about 786,000 b/d for March over February, but growth slowed to 294,000 b/d in April, according to S&P Global Platts Analytics.

A prolonged Colonial outage would turn into a "nightmare" scenario ahead of the busy summer driving season, triggering widespread fuel shortages and huge price spikes, said Patrick DeHaan, head of petroleum analysis for GasBuddy. Such a nightmare would ripple into partially refinery closures -- some Gulf Coast refineries already have reduced run rates -- and the removal of drilling rigs from the nation's oilfields.

"The longer the problem continues, the more it will likely affect motorists," DeHaan said in an email. "Once the pipeline restarts, it will take days for normal conditions to occur. If motorists hoard gasoline, the problem may stretch for several weeks with continued outages and further pricing impacts."