Situation Report: Pipeline security in focus as nearly half of fuel bound for Northeast held hostage by hackers

On Thursday, May 6, 2021 the operator of the Colonial Pipeline – one of the nation’s largest and most important infrastructures for the transportation of refined petroleum fuel products, such as gasoline, diesel, and jet fuels, fell prey to a cyberattack that has halted operations.  According to Bloomberg, “a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours.”

These hackers now hold this data “hostage” as part of a “cryptoviral extortion” technique that has come to be known as a “ransomware” attack. According to the Department of Homeland Security, ransomware “is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

Today, the FBI confirmed that “the Darkside ransomware is responsible for the compromise.” Numerous cybersecurity researchers believe it is the work of individuals based in Eastern Europe, most likely Russia, since Darkside’s malicious software is not designed to be used against systems coded in the Russian or several other Eastern European languages.

According to Politico,

[T]he attack on the Colonial Pipeline, which runs 5,500 miles and provides nearly half the gasoline, diesel and jet fuel used on the East Coast, most immediately affected some of the company’s business-side computer systems — not the systems that directly run the pipelines themselves” and, thus, the “Georgia-based company said it shut down the pipelines as a precaution.

If Politico is correct, Colonial’s “precautionary” shutdown was likely to ensure security of the supervisory control and data acquisition (SCADA) systems that monitor and control pipeline operations. Compromised SCADAs could potentially result in an attacker manipulating operations in such a manner as to do physical damage to the infrastructure.

On the other hand, if Colonial were to rely on data residing on its “business-side” computers to schedule, monitor, or control the pipeline’s operations, then the shut-down could prove more than simply “precautionary.”

Terrorists, criminals, and even environmental activists have targeted pipelines for years – understanding their importance to logistics, commerce, and the economies of targeted populations. The energy industry relies on pipelines heavily because they are normally one of the safest methods of transporting fuels and are often the most cost-effective means for large volumes headed to predictable destinations.

For example, according to the Congressional Research Service, transporting crude oil via railroad costs are “in the neighborhood of $10 to $15 per barrel compared with $5 per barrel for pipeline.” Additional research demonstrates that costs by overland trucking are reportedly four times higher and six times more likely to cause fatalities than transporting by pipeline.

Department of Transportation regulations limit fuel truck drivers to 11 hours’ worth of drive time daily. Recently the DOT issued a Regional Emergency Declaration to allow fuel trucks in 17 states to drive beyond that limit to make up for the shortfall from the 1.6 million barrels of product daily from the Colonial pipeline, which also services seven airports and multiple Department of Defense (DoD) installations.

Prudence dictates that while the federal government assists Colonial with damage control, it should likewise work to boost cyber and physical protection for the Kinder Morgan’s Plantation pipeline, which parallels much of Colonial’s route and transports fuel from Baton Rouge, Louisiana to the Washington, DC, area with a volume of about .7 million barrels per day. The loss of both pipelines simultaneously would vastly increase economic and societal impacts.

The agency responsible for this type of pipeline security is the Transportation Security Agency (TSA), but 2 years ago the Government Accountability Office (GAO) warned Congress that TSA only has 6 full time employees working pipeline security. “These six staffers are supposed to handle both physical and cybersecurity risk assessments and reviews for over 2.7 million miles of pipeline that carry natural gas, oil, and other hazardous products across all of the United States,” wrote Catalin Cimpanu, a security reporter for ZDNet, at the time.

TSA’s pipeline security guidelines were recently updated just last month, and while these guidelines are helpful to the industry, they are not mandatory.  Over time, the best incentives for the owners and operators to secure their infrastructures from threats and hazards are not likely to come from governments or regulators, but rather large investment capital firms and insurance companies, particularly if those firms cease to insure companies which do not meet cybersecurity standards and best practices.

Control systems cybersecurity expert, Joseph M. Weiss,  explained, “[B]ased on history, Moody’s (and other credit rating agencies) participation may be the only way to get senior management to take appropriate actions to address control system cyber security, and thus, reduce enterprise risk.”

Just last week, the Associated Press reported that AXA, one of Europe’s top five insurers, “will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.”

This sends a strong message to both the private industry defenders and the criminal attackers. Industry cannot count on being “bailed out” and thus must assign a higher priority to cybersecurity, while criminals must change their own calculus by understanding there will be a reduced likelihood that ransoms will be paid.

Ultimately this most recent cyberattack serves as yet another reminder that the government, infrastructure owners, investors, and insurance must all cooperate to protect pipelines and other critical infrastructure from all manner of hazards.