The ransomware attack that forced the closure of the largest U.S. fuel pipeline this weekend showed how cybercriminals pose a far-reaching threat to the aging, vulnerable infrastructure that keeps the nation’s energy moving.
Colonial Pipeline Co. closed its entire 5,500-mile conduit carrying gasoline and other fuels from the Gulf Coast to the New York metro area Friday as it moved to contain an assault that involved ransomware, code that holds computer systems hostage. So far, no evidence has emerged that the attackers penetrated the vital control systems that run the pipeline, according to people familiar with the matter.
But the consequences of an infection spreading to that deeper layer are dire for any energy company. Many machines that control pipelines, refineries and power plants are well past their prime, have few protections against sophisticated attacks and could be manipulated to muck with equipment or cause damage, cybersecurity experts say.
Last year, a ransomware attack moved from a natural-gas company’s networks into the control systems at a compression facility, halting operations for two days, according to a Department of Homeland Security alert. The company, which Homeland Security didn’t name, didn’t have a plan to respond to a cyberattack, the agency said.
The Colonial ransomware attack is a high-profile example of the online assaults that U.S. companies, schools, hospitals and other organizations now face regularly. It should also serve as a wake-up call for the energy industry’s particular exposure, according to consultants and others who work with companies to shore up cybersecurity.
U.S. and industry officials have known for years about such problems surrounding the nation’s energy infrastructure. A cybersecurity unit of Homeland Security said in 2016 it had worked to identify and mitigate 186 vulnerabilities throughout the energy sector, the most of any critical-infrastructure industry that year. In 2018, federal officials warned that hackers working for Russia had infiltrated the control rooms of U.S. electric utilities.
The energy industry is a big target. The U.S. has roughly 2.5 million miles of pipelines. Across that vast network are hundreds of thousands of devices — sensors that take myriad readings, valves that help control flow and pressure within a pipeline and leak detection systems — and all are vulnerable to attack, security experts said.
Refineries have even more valves and sensors than big pipelines, and there are about 135 of those across the country. That doesn’t include electric utilities and all the components of the sprawling power grid.
Colonial ferries 100 million gallons a day of gasoline, diesel and other refined petroleum products from the country’s chief refining corridor along the Gulf Coast to Linden, N.J. It transports roughly 45% of the fuel consumed on the East Coast, according to the company’s website.
Curtis Smith, a spokesman for Royal Dutch Shell PLC, one of the owners of the Colonial Pipeline, said Sunday it is still too early to “be specific about potential impacts to product flow.” He said Shell is actively engaged with Colonial.
The trade group American Petroleum Institute said it was closely monitoring the pipeline situation and that cybersecurity is a top priority for the energy industry.
API members are engaged continuously with the Transportation Security Administration, Cybersecurity and Infrastructure Security Agency and the Department of Energy to “mitigate risk and fully understand the evolving threat landscape,” said Suzanne Lemieux, API’s manager of operations security and emergency response policy.
The type of attack that occurred against Colonial Pipeline is becoming more frequent and is something that businesses need to be concerned with, Commerce Secretary Gina Raimondo said Sunday.
The attacks are “here to stay and we have to work in partnership with businesses to secure networks, to defend ourselves against these attacks,” she said on CBS’s “Face the Nation.” Specific to the Colonial attack, “it’s an all-hands-on-deck effort right now.”
As of Sunday afternoon, Colonial had not said when it expected to restart the pipeline. It had not made any public statements about the shutdown since Saturday.
Analysts said a closure of the pipeline for a few days shouldn’t have dramatic market impacts, because inventories of gasoline have been readied for the summer driving season and usually get replenished every five to six days. But if the pipeline remains offline for five days or longer, shortages could begin to affect retail stations and consumers along the East Coast, they said.
According to a report by an International Business Machines Corp. unit, energy companies in 2020 sustained the third-most attacks of any industry, up from ninth the previous year, as cybercriminals ramped up assaults on firms with software connected to operational control systems.
The industry is ill-prepared for such attacks, security experts said. Some operational technologies — for physical systems like pipelines and the electric grid — have protocols that predate those for the internet, said Padraic O’Reilly, co-founder and chief product officer of Boston-based CyberSaint Security, who works with pipelines and critical infrastructure on cybersecurity.
“There are just as many [operational technology] vulnerabilities as there are IT vulnerabilities, but they’re scarier in a way because they can go cyber to physical,” Mr. O’Reilly said, noting the energy sector has the most physical infrastructure of any industry that his company works with.
These weak spots have been known for years, but most energy companies have only recently begun to implement defenses, such as firewalls, to protect control systems, said Raymond Sevier, a technical solutions architect with Cisco Systems Inc., who focuses on industrial systems.
The control systems were considered safe for years because they weren’t connected to the internet, but hackers have found ways to penetrate them through unsecured remote access and networked systems. Many companies have older, vulnerable Windows platforms still embedded within energy facilities, and efforts to implement cybersecurity measures rarely move beyond the pilot-program stage, Mr. Sevier said.
Because many industrial facilities run around the clock, it isn’t easy to take down plants to patch outdated systems, keeping older machines in place and providing “the perfect path for cyber pathogens” once they are connected to company networks, said Grant Geyer, chief product officer of Claroty Ltd., a cybersecurity company that specializes in critical infrastructure environments.
Energy companies and other firms that operate infrastructure have invested heavily in recent decades to automate their processes and reduce costs, said Mark Montgomery, former executive director of the Cyberspace Solarium Commission, a bipartisan policy group formed by Congress.
“It’s not matched by a similar investment in cybersecurity,” Mr. Montgomery said. “It’s creating a lot of risk and vulnerability that, obviously, criminals can exploit.”
Two people briefed on the Colonial Pipeline probe said the attack appeared to be limited to information systems and had not infiltrated control systems. U.S. cybersecurity firm FireEye Inc. was investigating the attack, according to people familiar with the matter.
It’s unclear how long it could take to bring the Colonial Pipeline back into service, said Robert M. Lee, founder of the industrial cybersecurity firm Dragos Inc.
IT security incidents can typically take days to resolve, while an attack on control systems can take weeks, given the average age and complexity of those technologies and their proximity to core operations, Mr. Lee said.
Many companies, Mr. Lee said, have underinvested in operational technology security, and U.S. officials have largely pushed firms to focus on measures to prevent attacks. That approach has left gaps in some businesses’ ability to detect and respond to successful hacks, he said.
“Everything we’ve told our asset owners has been focused on preventive [security],” he said. “We need to shift that and focus on the whole approach.”