Ransomware Attack Shuts Down Biggest U.S. Gasoline Pipeline

(Bloomberg) — The operator of the biggest gasoline pipeline in the U.S. shut down operations late Friday following a ransomware attack that threatens to roil energy markets and upend the supply of gas and diesel to the East Coast.

Colonial Pipeline is working to restore operations and has hired a third-party cybersecurity firm to investigate. The company said in a statement Saturday that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

The U.S. Department of Energy “is monitoring any potential impacts” to supplies, a spokesperson said in an emailed statement on Saturday.

Law enforcement and other federal agencies have been informed. The attack appeared to use a ransomware group called DarkSide, according to Allan Liska, senior threat analyst at cybersecurity firm Recorded Future.

Colonial is a key artery for the eastern half of the U.S. It’s the main source of gasoline, diesel and jet fuel for the East Coast with capacity of about 2.5 million barrels a day on its system from Texas as far as North Carolina, and another 900,000 barrels a day to New York.

Hacking threats to critical infrastructure have been growing, prompting the White House to respond with a plan to try to increase the security of utilities and their suppliers. Pipelines are a specific concern because they play a central role in so many parts of the U.S. economy.

The latest attack comes as the nation’s energy industry gears up for summer travel and stronger fuel demand as pandemic economic restrictions are eased. It’s also an unpleasant reminder of how a cyber-attack brought down the communications systems of several U.S. natural gas pipeline operators in 2018.

Ransomware cases involve hackers seeding networks with malicious software that encrypts the data and leaves the machines locked until the victims pay the extortion fee, which can range from a few hundred dollars to millions of dollars in cryptocurrency.

Separate Networks

Utilities’ information technology networks, which run email and other routine functions, and operational technology networks, which control the actual functioning of the delivery of electricity or natural gas, are typically kept mostly separate, which is what makes Colonial’s decision to temporarily shut down both so unusual.

An April 2 blog by the cybersecurity firm Cybereason said the people behind DarkSide follow the “double extortion” trend in ransomware, meaning they not only encrypt user data but exfiltrate it and make it public if a ransom payment isn’t made.

Many companies pay the fees and recover their data. But even when that occurs, they may shut down large parts of their networks as a precaution while they restore essential services and hunt for any signs that the hackers had accessed sensitive systems for other reasons including espionage or further destructive attacks.

The energy department is coordinating with Colonial, the energy industry, states, and interagency partners “to provide situational awareness and support response efforts,” its spokesperson said.

Officials at the Federal Bureau of Investigation, the Department of Justice and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency didn’t respond to requests for comment.

Senator Edward Markey, a Massachusetts Democrat, said the U.S. had been left vulnerable by “an understaffed, underprepared Transportation Security Administration.”

“We cannot ignore the longstanding inadequacies that allowed for, and enabled, cyber intrusions into our critical infrastructure,” Markey said in a statement.

GOP Senator Ben Sasse of Nebraska said the latest intrusion showed that an infrastructure spending package soon to be considered by Congress should put “the hardening of critical infrastructure” front and center.

Colonial gave an indication during Friday trading that it was having network issues, while two people familiar said they were having a hard time submitting refined product batches, updates or changes to batch deliveries and nominations using their Colonial Pipeline website access. The Colonial website went offline whenever the people tried.

Technical Issues

At the time, Colonial staff informed customers by phone about the technical issues but didn’t say what was causing them.

The disruption could roil fuel markets Monday if it’s not fixed. The refining margin for a combined barrel of gasoline and diesel, the so-called 321 crack spread, rose 2% Friday after the Colonial interruption. Nymex gasoline futures rose 1.32 cents to settle at $2.1269 per gallon.

The main two Colonial lines out of the Houston refining hub — Lines 1 and 2 from Pasadena, Texas, to Greensboro, North Carolina — have not been full for months with U.S. fuel demand falling to its lowest in decades during the pandemic. That means fuel markets served by the line might be spared supply shortages.

The Colonial system is managed from suburban Atlanta and is jointly owned by Koch and several other energy and investor interests. East Coast fuel markets also are supplied by the Plantation pipeline jointly owned by Kinder Morgan and Exxon; East Coast refineries; and fuel shipments from Eastern Canada and Europe.

©2021 Bloomberg L.P.

Bloomberg.com
