A shutdown that lasts more than a few days could send gasoline prices in the Southeastern U.S. spiking above $3 a gallon, market analysts said. That could deepen the political risks the incident poses for Biden, stealing momentum from his efforts to center the nation’s energy agenda on promoting cleaner sources and confronting climate change.
That means much depends on how quickly Colonial can restart the pipelines — which depends in large part on whether the company’s cyber consultants can determine that it’s safe to do so.
“They’ll learn that in the first 24 to 72 hours,” said Rob Lee, CEO of the cybersecurity firm Dragos and an expert in the risks to industrial computer systems. He added that if the attack was limited to Colonial’s business computer systems, “I think it’s going to be relatively short-lived.”
Even so, the attack is just the latest episode in which hackers have gone after critical systems such as water plants, oil refineries, chemical plants or the electric grid — including a notorious incident in which Russia shut off part of Ukraine’s power supply. It’s also part of a growing plague involving ransomware, in which hackers demanding payments have crippled targets such as hospitals, police stations or municipal governments.
This could be the most serious successful attack the U.S. has faced yet.
“This was not a minor target,” said Amy Myers Jaffe, a long-time energy researcher and author of Energy’s Digital Future. “Colonial Pipeline is ultimately the jugular of the U.S. pipeline system. It’s the most significant, successful attack on energy infrastructure we know of in the United States. We’re lucky if there are no consequences, but it’s a definite alarm bell.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency believes that the intrusion is the work of the criminal ransomware gang known as Darkside and not a nation-state, according to a security researcher who requested anonymity to speak freely. Agencies including the FBI, Energy Department and the Federal Energy Regulatory Commission were also responding to the incident, while lawmakers on committees such as Senate Homeland and House Intelligence have requested briefings.
CISA — which has lacked a permanent chief since then-President Donald Trump fired the last one in November — said in a statement Saturday that it is “engaged” with Colonial and other federal agencies in addressing the incident. “We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” said Eric Goldstein, the executive assistant director of the agency’s cybersecurity division.
Biden last month nominated national security veterans to lead both CISA and a newly created White House office that is supposed to guide the president’s cyber strategy and oversee agencies’ digital security. POLITICO has previously reported on some lawmakers’ complaints that Biden was slow to fill the latter role.
Sen. Ben Sasse (R-Neb.) said Saturday that the attack is the latest indication that the government isn’t ready for potentially debilitating cyber strikes.
“There’s obviously much still to learn about how this attack happened, but we can be sure of two things: This is a play that will be run again, and we’re not adequately prepared,” Sasse said in a statement. “If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors — rather than progressive wishlists masquerading as infrastructure.”
The government agency with direct jurisdiction over pipeline cybersecurity is DHS’ Transportation Security Administration, which government auditors have criticized as understaffed and unprepared for the task.
Sen. Ed Markey (D-Ma.) said the federal government has long failed to devote the needed attention to pipeline security, and he pointed to a U.S. Government Accountability Office report that showed the TSA had only six full-time staff on pipeline security as recently as 2019.
“While we need more information about the circumstances that allowed the Colonial Pipeline cyberattack, we cannot ignore the longstanding inadequacies that allowed for, and enabled, cyber intrusions into our critical infrastructure,” he said in a statement.
The FBI and FERC also said they are working with other federal agencies to monitor developments on the cyberattack, while the Department of Energy said it was working with states and the energy sector to monitor any potential fuel shortages. The Pipeline and Hazardous Materials Safety Administration, the branch of the Department of Transportation that investigates pipeline accidents and clears them for restarts after shutdown, did not immediately reply to questions.
Fuel imports into New York Harbor should cushion the blow for drivers in Baltimore and places north, market analysts said. But if Colonial remains down past the start of this coming week, drivers could begin to hoard fuel and prices will rise dramatically even before the normal start of the summer driving season, when prices normally increase.
“Colonial delivers products to terminals every five days,” said Andy Lipow, president of consulting firm Lipow Oil Associates. “There may be some terminals that had been depending on deliveries yesterday, today or tomorrow that will be immediately affected. But on a widespread basis, in four to five days you’ll see signs of impact, especially when consumers get wind of what’s going and start filling up their cars.”
Colonial said it is working to restore its service and return to normal operations. The company said in a statement that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Mandiant, a division of the cybersecurity firm FireEye, is working on the investigation of the Colonial breach, a FireEye spokesperson confirmed in a statement to POLITICO. FireEye is the same company that discovered last year that the federal government and about 100 companies had fallen victim to the massive SolarWinds hacking campaign, which the U.S. has blamed on Russia.
Lee, the Dragos CEO, said a crucial issue is whether the ransomware attack directly infected not just Colonial’s business-side computers — the so-called IT systems — but also its “operational” systems that run the pipelines. If so, he said, the attack “could be much more impactful,” prolonging the shutdown for “days or weeks.”
The incident at Colonial underscores how cyberattacks can disrupt the nation’s critical infrastructure even without directly corrupting that equipment. Infrastructure operators that suffer computer intrusions often shut down certain functions or facilities to prevent the problem from spreading further. In this way, a seemingly minor breach of a payroll or email system can cause cascading effects that prompt companies to halt production, energy distribution, or other important operations.
Improving cybersecurity in the energy sector has been a key task for several federal agencies. Last month, the DOE and CISA launched an initiative to work with industrial control system operations in the electric sector to improve cybersecurity detection.
Colonial Pipeline is the largest refined products pipeline in the United States, transporting 2.5 million barrels per day, and about 45 percent of all fuel consumed on the East Coast, including gasoline, diesel, jet fuel and heating oil.
The pipeline attack could be a litmus for the Biden administration’s overall cyber strategy, which has been slowly taking shape — and, at least in public, has largely focused on responding to Russian and Chinese cyber-espionage campaigns that were wide-ranging but fell short of physical sabotage. So far, the administration’s major tools have been sanctions and indictments, as seen in an executive order that Biden issued last month in response to Russia’s SolarWinds cyber campaign.
The latest development has the potential to put more pressure on the Biden administration and lawmakers as they debate adding cybersecurity funding to the administration’s $2 trillion-plus infrastructure proposal, which has faced scrutiny for lacking funds for those needs.
The nation’s critical energy networks and other critical systems have faced a range of threats, including both cyberattacks and lagging maintenance.
Last year, a crack in Colonial’s pipeline that went undetected for days or weeks leaked 1.2 million gallons of gasoline in a nature preserve near Charlotte, N.C. And in February, hackers gained access to a water treatment facility’s computer system near Tampa, Fla., essentially attempting to poison the water supply with a huge influx lye. Russian military hackers also targeted computer systems belonging to banks, energy firms, senior government officials and airports in Ukraine in June 2017 as a part of the so-called “NotPetya” cyberattack. Federal prosecutors have accused Iranian hackers of trying to infiltrate the controls for a dam in upstate New York.
The Darkside group is a relatively new player in the ransomware space, but it has quickly gained a reputation for patience, competence, sophistication and large ransoms.
“The Darkside ransomware attack campaigns stood out for their use of stealthy techniques, especially in the early stages,” according to the security firm Varonis, which investigated several Darkside breaches. “The group performed careful reconnaissance and took steps to ensure that their attack tools and techniques would evade detection on monitored devices and endpoints.
”The group has claimed that it seeks to breach large companies that can afford to pay hefty ransoms, rather than schools, hospitals and other cash-strapped but increasingly targeted organizations,” Varonis said.
Sam Sabin contributed to this report.