A cyber attack forced the shutdown of one of the largest pipelines in the United States in what appeared to be a major attempt to disrupt the vulnerable energy infrastructure. The pipeline carries refined gasoline and jet fuel up the east coast from Texas to New York.
The system’s operator, Colonial Pipeline, said in a statement late Friday that it had shut down its 5,500-mile pipeline, which carries 45 percent of the east coast’s fuel supplies, in an attempt to curb the breach of its computer networks. There was disruption along the pipeline earlier on Friday, but it was unclear whether this was a direct result of the attack or whether the company is proactively trying to stop it.
Colonial Pipeline has not disclosed whether its systems have been affected by ransomware, in which hackers take a victim’s data hostage until they pay a ransom, or whether it is some other form of cyber attack. However, the shutdown of such an important pipeline that has been in use on the east coast since the early 1960s shows the tremendous vulnerability of aging infrastructure connected directly or indirectly to the Internet.
In the coming weeks, the government is expected to issue a far-reaching order to strengthen the security of federal and private systems after two major attacks from Russia and China in recent months caught American intelligence agencies and companies by surprise.
Colonial’s pipeline moves 2.5 million barrels daily, carrying refined gasoline, diesel fuel, and jet fuel from the Gulf Coast to New York Harbor and major New York airports. Most of it goes to large storage tanks, and since the pandemic has dampened energy consumption, the attack was unlikely to cause immediate disruption.
In the statement, the company said it learned on Friday that it was “a victim of a cybersecurity attack,” but did not provide details. Such an attack could be malware that terminates its operation or ransomware that requires payment to unlock computer files or systems.
“In response, we have proactively taken certain systems offline to contain the threat that has temporarily halted all pipeline operations and impacted some of our IT operations,” the company said regarding information technology systems.
It said it had contacted law enforcement and other federal agencies. The FBI leads such investigations, but critical infrastructure falls under the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. A federal official said that the investigation into the episode was at a very early stage and that it was unclear whether the attacker was a nation-state or a criminal group. Sometimes they work together.
Attacks on critical infrastructure have been a major problem for a decade, but have accelerated in the last few months after two security breaches – the penetration of SolarWinds by the main Russian intelligence agency and another attack on some Microsoft-developed systems attributed to Chinese hackers – highlighted the vulnerability of the networks on which government and business rely.
Because of this, understanding how the pipeline attack evolved – and the motivations of those behind it – will be the focus of federal investigators and the White House, which has put cyber security vulnerabilities high on its national security agenda.
As a privately held company, Colonial is under less pressure than a public company to reveal details. However, the statement left it unclear whether the initial attack was aimed at the industrial control systems used to manage the pipeline – which most major utility companies keep isolated from the internet to reduce their vulnerability – or whether it was a ransomware attack that stole or froze data on Colonial’s computer systems.
People familiar with the investigation said the first signs were that it was a ransomware attack and that the events had been unfolding for several days. The company hired FireEye, a private cybersecurity firm that has responded to the Sony Pictures Entertainment hack, power breaches in the Middle East, and many incidents in the federal government.
The company appears to have shut down the pipeline’s operations on Friday to prevent the hackers from doing more damage. However, this left unanswered the question of whether the attackers themselves now have the ability to switch the pipelines on or off directly, or to trigger operations that could cause an accident.
If it was a ransomware attack, it would be the second known incident targeting a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a pipeline operator’s natural gas compression facility. This forced the facility to close for two days, although the agency never disclosed the company’s name.
So far, the impact on fuel prices has been small. On Friday, gasoline and diesel futures on the New York Mercantile Exchange rose around 1 percent. Regular gasoline prices at the pump in New York state rose one cent on Saturday, from $2.99 to $3. Over the past week, gasoline prices have risen 6 cents across the country as global oil prices have soared.
“It’s a serious problem,” said Tom Kloza, global head of energy analysis for Oil Price Information Service. “It could mess things up because it’s the country’s carotid artery that carries fuel from the Gulf Coast to New York.”
Colonial Pipeline, based in Alpharetta, Georgia, is owned by several US and overseas corporations and investment firms, including Koch Industries and Royal Dutch Shell. The pipeline connects Houston and the ports of New York and New Jersey and supplies jet fuel to most major airports, including Atlanta and Washington, DC.
Although both the SolarWinds and Microsoft attacks were initially aimed at stealing email and other data, the nature of the intrusions created “backdoors” that experts say could ultimately allow attacks on physical infrastructure. So far, it has been assumed that neither effort resulted in anything other than data theft, although the federal government has privately harbored concerns that the vulnerabilities could be used for future infrastructure attacks.
The Biden administration announced sanctions against Russia for SolarWinds last month and is expected to issue an executive order in the coming days that will take measures to secure critical infrastructure, including requiring stronger security from vendors that provide services to the federal government.
The United States has long warned that Russia has implanted malicious code in power grids, and the United States responded a few years ago by injecting similar code into the Russian grid.
However, actual attacks on energy systems are rare. About a decade ago, Iran was blamed for an attack on the computer systems of Saudi Aramco, one of the world’s largest oil producers, in which 30,000 computers were destroyed. This attack, which appeared to come in response to the US-Israeli attack on the Iranian nuclear centrifuges, had no effect on operations.
Another attack, on a Saudi petrochemical plant in 2017, nearly triggered a major industrial disaster. But it was quickly shut down, and investigators later attributed it to Russian hackers. That year someone briefly took control of a water treatment plant in a small Florida town in what appeared to be an attempt to poison the supply, but the attempt was quickly stopped.
Clifford Krauss and Nicole Perlroth contributed to the reporting.