Security and Resilience (Cyber and Physical)

Key U.S. energy pipeline company hit by ransomware attack

Colonial Pipeline on May 7 learned it was the victim of a cybersecurity attack and it has since determined that this incident involves ransomware.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” the company said on May 8 in a statement.

“Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies,” Colonial Pipeline said.

Georgia-based Colonial Pipeline said it is taking steps to understand and resolve this issue.

Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor.

The company transports 2.5 million barrels per day of gasoline, diesel, jet fuel and other refined products through 5,500 miles of pipelines linking refiners on the Gulf Coast to the eastern and southern United States, Reuters noted in a story about the attack.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline,” Colonial Pipeline said in the statement.

Over the past 48 hours, Colonial Pipeline personnel have taken additional precautionary measures to help further monitor and protect the safety and security of its pipeline, it said on Sunday, May 9.

“The Colonial Pipeline operations team is developing a system restart plan. While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” it said.

Biden declares emergency

The White House declared a state of emergency on Sunday tied to the ransomware cyberattack, the BBC reported. The emergency status enables fuel to be transported by road, the BBC said.

A number of media outlets reported that the attack was carried out by DarkSide. “The cyberextortion attempt that has forced the shutdown of a vital U.S. pipeline was carried out by a criminal gang known as DarkSide that cultivates a Robin Hood image of stealing from corporations and giving a cut to charity, two people close to the investigation said Sunday,” the Christian Science Monitor reported.

The Federal Bureau of Investigation (FBI) on May 10 confirmed that the Darkside ransomware "is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation."

On CBS News’ “Face the Nation,” Secretary Gina Raimondo on May 9, said that “This is what businesses now have to worry about, and I will be working very closely with Ali Mayorkas on this. It's a top priority for the administration. Unfortunately, these sorts of attacks are becoming more frequent,” she said. “They're here to stay and we have to work in partnership with businesses” to secure networks, “to defend ourselves against these attacks. As it relates to Colonial, the president was briefed yesterday. It's an all hands on deck effort right now. And we are working closely with the company, state and local officials to, you know, make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply.”

The Department of Homeland Security (DHS) “is monitoring the ransomware incident affecting Colonial Pipeline. Every organization must be vigilant and strengthen its cybersecurity posture against ransomware and other types of cyber-attacks,” said Alejandro Mayorkas, DHS Secretary, said in a May 8 tweet.

“We are engaged with the company and our interagency partners regarding the situation. This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” said Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency, which is part of the DHS.

“This incident highlights that ransomware continues to be a significant issue facing all critical infrastructure sectors. While this incident did not involve an electric utility, the relevance to the electricity subsector cannot be understated,” said Sam Rozenberg, Senior Director of Security and Resilience at the American Public Power Association.

Ransomware is a very familiar threat to the public power segment of the industry and APPA held a webinar on April 21st of this year, with the Cybersecurity and Infrastructure Security Agency. The slide deck and the recording can be accessed here. Additionally, the Electricity Information Sharing and Analysis Center (E-ISAC) in February of this year released a report labeled Ransomware Trends for Utilities and APPA encourages public power utilities to review this resource.

APPA continues to stress the importance of public power utilities joining the E-ISAC for timely and actionable sharing of threats to the electricity subsector. To learn more about the E-ISAC and how to join, visit the E-ISAC website or contact E-ISAC Member Services.

Any questions can be directed to: [email protected].