Al-Attiyah Foundation Research Series
Executive Summary
The Colonial Pipeline system
| Line | Size (inch) | Route | Fuel | Capacity, Mbbl/day |
| --- | --- | --- | --- | --- |
| Line 1 | 40 | Houston-Greensboro, North Carolina | Gasoline | 1.5 |
| Line 2 | 36 | Houston-Greensboro, North Carolina | Diesel, heating oil, jet fuel | 1.2 |
| Line 3 | | Greensboro-Linden, New Jersey | All | 0.885 |
| Line 4 | 32 | Greensboro-Baltimore | All | 0.7 |
| Spurs | | Atlanta-south Georgia; Atlanta-Tennessee; Greensboro-Raleigh-Durham, North Carolina; Mitchell, central Virginia-Richmond, Norfolk, Roanoke | Various | |
The pipeline also connects to major onward lines in the north-eastern US, to New York and Pennsylvania.
Events of the attack
On Friday, May 7, the Colonial Pipeline found it had been hit by ransomware, which encrypts or locks systems until a ransom is paid. The company had to take some systems offline to avoid further damage, and this required it to halt operations. Although it appears its routine corporate IT system, not its operations system, was compromised, the company had to take the pre-emptive measure to avoid possible escalation of further attacks.
The attack was confirmed to be by DarkSide, a hacker-for-hire, which stole 100 gigabytes of Colonial’s data before locking its systems. The group, believed to be based in Russia or Eastern Europe, issued a statement apologizing for the disruption, saying it was apolitical and blaming its client. DarkSide’s ransoms are typically in the single-digit million dollars.
Colonial’s operations are quite complex because of its multiple lines, fuel types, and qualities, and the number of shippers, and the elaborate procedures for capacity nomination. This makes returning to service much more difficult than it would be for a simple crude oil pipeline.
The US government and state governors took various measures to ease the problem, including declaring a state of emergency, waiving fuel quality specifications, and lifting weight and driving hours restrictions for tanker trucks. The Department of Homeland Security was ready to consider requests for waivers of the Jones Act to permit maritime shipments from other US ports.
By May 11, Colonial had returned Line 4 to service under manual control, using existing inventories. On May 12, the company announced it would restart operations, but that it could take several days to return to normal.
Impact
Gasoline shortages became noticeable by May 10, with Virginia and North Carolina the worst-hit initially (Figure 2). By late on May 12, Georgia, North Carolina, South Carolina, and Virginia were badly affected, with between half and two-thirds of stations out of gasoline. Several other states, such as Tennessee, began to see serious effects the same day.
The shortages were driven by three factors:
- The lack of fuel, driven by the pipeline outage itself;
- A lack of diesel, which prevented fuel trucks from making deliveries to stations;
- Panic-buying by motorists who feared running out of fuel.
For instance, Florida, which is mainly supplied by barges from the Gulf Coast, also experienced some shortages, probably due to panic buying. The inland states, such as Tennessee, are likely to be worst-affected as the disruption continues, as they do not have access to seaborne deliveries.
The lack of offtake capacity would also force Gulf Coast refiners to reduce runs if they exhaust their storage capacity. Even now that Colonial has announced the restart of its operations, it will take about 2 weeks for fuel from Houston to reach the east coast.
Petrol prices jumped 4% on Sunday 9th May and another 1.5% on Monday in response to the news. By 13th May, shortages had begun to multiply, and prices passed $3 per gallon for the first time in six years. Traders have begun booking deliveries from Europe by seaborne tanker.
The temporary spike in prices should be reversed as the pipeline comes back online. European prices may be dragged upwards slightly because of the diversion of tankers. The fuel demand from the affected area should drop below normal for a few days as users draw down their precautionary stocks. Overall, the incident should cause only a slight hit to demand because of reduced driving.
Implications
Cyberattacks cover a range of approaches and motivations. These include financial (ransomware, extortion), espionage (corporate or national), and sabotage (which could be by state, state-sponsored or non-state groups).
The oil and gas industry has been widely suspected to be lax on cybersecurity. Spending on security is low, operational systems are not always “air-gapped” (i.e. they can be connected to the internet, creating vulnerabilities), and in the US, they are regulated by several different agencies with only voluntary guidelines on cybersecurity. The energy industry in general, including electric grids, has also been a target.
| Date | Target | Actions | Motive |
| --- | --- | --- | --- |
| 2010 | Stuxnet attack on Iran | Destroy uranium enrichment centrifuges | Damage Iran's nuclear program; US-Israeli operation |
| 2012 | US gas pipelines | Cyber-intrusions | Unknown |
| April 2012 | National Iranian Oil Company | Data affected | Political? |
| August 2012 | Shamoon attack on Saudi Aramco | Wiping data | Iran-backed, political? |
| August 2012 | RasGas, Qatar | Systems offline | Unknown |
| December 2014 | Korea Hydro and Nuclear Power | Data theft and disclosure | Political, North Korea? |
| December 2016 | Industroyer attack on Ukraine power grid | 1-hour blackout | Political, Russia-backed? |
| January 2017 | Tasnee, Saudi petrochemical company | Systems offline | Political? |
| August 2017 | Triton attack on Sadara, Saudi petrochemical company | Attempt to trigger an explosion | Political? |
| April 2018 | 4 US gas pipeline companies | Disrupting customer service | Probing vulnerabilities, profit? |
| June 2019 | Russian power grid | Unknown | Political, US retaliation |
| November 2019 | Pemex, Mexico | Computer systems affected | Profit ($5 million ransom demanded) |
| December 2020 | Solarwinds intrusion on US Department of Energy, other government bodies | Espionage | Russian espionage? |
| May 2021 | Colonial Pipeline, US | Ransomware | Profit |
Table 2 Notable cyber-attacks on energy companies and infrastructure
As large and wealthy companies operating critical infrastructure, energy companies are an obvious target for both profit-seeking and politically motivated cyberattacks. Attacks on control systems have to be more targeted and specialized than those on generic computer systems, but they have the potential to cause major physical damage.
Work-from-home practices during the pandemic have created additional vulnerabilities. Increasing levels of cloud data storage, remote work, automation, “smart homes”, drones and internet-connected devices are attractive to the energy industry because of reduced costs, greater safety, and enhanced data and capabilities. But they demand much-improved cybersecurity practices that are not prone to human error and do not overload users. These include biometric and multi-factor authentication, download restrictions, and need-only (least-privilege) access. Key data should be saved in at least three locations, one of which is air-gapped.
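The backup rule stated above (at least three copies, one of them air-gapped) is simple to state but easy to satisfy on paper while still losing the data: if the online copies replicate from each other, an encrypted primary quietly propagates to the cloud copy and only the disconnected copy remains sound. The following Python script is an added example, not from the report and not Colonial Pipeline's tooling; the `BackupCopy` record, `check_backup_policy`, `audit`, the site names and the sample contents are all constructed for illustration. It treats the air-gapped copy as the integrity reference, because it is the one copy an intruder with network access cannot have altered.

```python
"""Backup-policy check: >= 3 distinct locations, >= 1 air-gapped, copies consistent.

Added example; all names and sample data below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class BackupCopy:
    location: str     # where this copy lives (hypothetical site names below)
    air_gapped: bool  # True if the copy is kept physically disconnected
    content: bytes    # bytes held at that location (constructed sample data)


def digest(data: bytes) -> str:
    """SHA-256 hex digest, so copies can be compared without moving the data."""
    return sha256(data).hexdigest()


def check_backup_policy(dataset: str, copies: Sequence[BackupCopy],
                        min_copies: int = 3) -> List[str]:
    """Return policy findings for one dataset; an empty list means compliant.

    1. at least `min_copies` copies in distinct locations;
    2. at least one copy is air-gapped;
    3. every copy matches the trusted reference: the air-gapped copy when
       present, otherwise the majority digest (weaker, and labelled as such).
    """
    findings: List[str] = []

    locations = {c.location for c in copies}
    if len(locations) < min_copies:
        findings.append(
            f"{dataset}: {len(locations)} distinct location(s), policy needs {min_copies}")

    offline = [c for c in copies if c.air_gapped]
    if not offline:
        findings.append(f"{dataset}: no air-gapped copy")

    digests: Dict[str, str] = {c.location: digest(c.content) for c in copies}
    if offline:
        reference = digests[offline[0].location]
        ref_name = f"air-gapped copy at {offline[0].location}"
    elif digests:
        reference = Counter(digests.values()).most_common(1)[0][0]
        ref_name = "majority digest (no air-gapped reference)"
    else:
        return findings + [f"{dataset}: no copies at all"]

    for loc, d in digests.items():
        if d != reference:
            findings.append(
                f"{dataset}: copy at {loc} diverges from {ref_name}; "
                "possible encryption or corruption")
    return findings


# Constructed sample: three datasets held at hypothetical sites.
ORIGINAL = b"historian records, batch nominations, shipper schedules"
SCRAMBLED = b"\x8f\x1a\xc4\x02\x77\xe9\x3b\x5d"   # stands in for encrypted output

SAMPLE_FLEET = {
    "scada-historian": [
        BackupCopy("primary-dc", False, ORIGINAL),
        BackupCopy("cloud-region-a", False, ORIGINAL),
        BackupCopy("offline-vault", True, ORIGINAL),
    ],
    "billing-db": [
        BackupCopy("primary-dc", False, SCRAMBLED),
        BackupCopy("cloud-region-a", False, SCRAMBLED),  # replication copied the damage
        BackupCopy("offline-vault", True, ORIGINAL),
    ],
    "hr-files": [
        BackupCopy("primary-dc", False, ORIGINAL),
        BackupCopy("cloud-region-a", False, ORIGINAL),
    ],
}


def audit(fleet: Dict[str, Sequence[BackupCopy]]) -> Dict[str, List[str]]:
    """Run the policy check over every dataset in the fleet."""
    return {name: check_backup_policy(name, copies) for name, copies in fleet.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FLEET).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as a script it reports `scada-historian` as compliant, flags both online copies of `billing-db` as diverging from the vault copy, and flags `hr-files` for having only two locations and no air-gapped copy. The count rule alone would have passed `billing-db`; it is the hash comparison against the disconnected copy that exposes the propagated damage, which is the practical reason for the air-gapped requirement.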
But intrusions and cyber-attacks will always be possible, particularly against smaller or less well-resourced companies, and by sophisticated government-backed hacking operations with political motives. Current points of geopolitical tensions, such as US-Russia, Russia-Ukraine, US/Israel/GCC-Iran, North-South Korea, and US-China, are obvious points for state-directed hacks and cyberattacks. The level of deniability and difficulty of attribution makes cyber warfare attractive for “grey zone” conflicts. State-directed hackers can claim to be acting for profit or for other political causes or to be from entirely different countries, in order to misdirect possible retaliations.
In the case of a major escalation or an outright military confrontation, it's likely that cyber operations would be an immediate weapon. Highly networked societies, like the US and much of East Asia and Europe, are likely to be more vulnerable. Such cyber-attacks could aim to cause major disruption, even serious damage and casualties, by attacking critical power grids, fuel lines, or facilities that hold explosive and toxic materials (such as natural gas processing plants, refineries, petrochemical plants, and nuclear reactors).
Conclusions