May 11, 2021 - Energy & Environment

Pipeline hack spotlights cyber risks to energy systems

Illustration of a computer cursor on an electrical outlet.

Illustration: Aïda Amer/Axios

The ransomware attack against the Colonial Pipeline — the massive East Coast gasoline artery — is a stunning real-world example of the increasing risks that the energy sector faces from a cyberattack.

Why it matters: Different parts of the vast American energy system are vulnerable — from pipelines to power grids to individual power plants and plenty in between.

  • While federal and state agencies, as well as companies, have spent years hardening their systems, the shutdown of the country's largest refined products pipeline, which carries over 100 million gallons per day, shows you can never be too prepared.

Between the lines: Ransomware has a distinct, perhaps less-pernicious goal: to lock users out of a system until they pay to have access restored.

  • Most ransomware victims are put in impossible positions, incurring financial losses while wrestling with the decision of whether to pay the ransom.
  • But as Axios' Felix Salmon noted, the Colonial Pipeline is not your everyday ransomware victim, given its status as critical infrastructure. Instead, the full resources of the U.S. government have been mobilized in the wake of this attack.
  • All the disruption and attention even elicited an apology, of sorts, from DarkSide, the relatively new group the FBI said allegedly perpetrated the hack.
  • “Our goal is to make money and not creating problems for society," the group said in a statement on the dark web.

The big picture: Axios' chief tech correspondent Ina Fried notes the attack highlights a growing dilemma facing cities, utilities and companies: The more that their processes go digital, the more vulnerable they are to financially motivated attacks.

  • Moody's Investors Service, in a note, said pipeline operators have increasingly adopted digital tech to improve their operations.
  • The problem? That also means operators of oil, natural gas and other pipelines are "offering new vectors for cyberattackers."

Threat level: Moody's says the pipeline sector is the oil-and-gas industry's most vulnerable segment.

  • "A cyberattack that disrupts one or more long-haul pipelines would have global supply implications, regardless of the location of the attack," it notes.
  • On the bright side, Moody's says the oil-and-gas sectors' cybersecurity investments have been growing.

Yes, but: Cybersecurity concerns also extend to other elements of the energy system, such as the electrical grid.

  • The expensive and deadly power outages in Texas in February, caused by extreme cold, illustrated what can happen when the power goes out for an extended period.

Of note: The Colonial hack comes about five months after the disclosure of the far-reaching Russian SolarWinds hacking of a vast trove of corporate and government systems.

  • This breach may have compromised parts of the American energy infrastructure.

Driving the news: There are reports that some gasoline stations have run out of fuel.

  • Per GasBuddy analyst Patrick De Haan's Twitter feed, the most widespread outages as of this morning were in Virginia at around 7.6%, and he notes the state-by-state estimates may be low.
  • Via Bloomberg, "From Virginia to Florida and Alabama, fuel stations are reporting that they’ve sold out of gasoline as supplies in the region dwindle and panic buying sets in."
  • AAA reports that the outage has pushed nationwide average gasoline prices to $2.99-per-gallon, the highest since late 2014 (a standing reminder that prices vary by region).

What's next: Colonial Pipeline said Monday that segments are being brought back online in a "stepwise fashion," with the goal of "substantially restoring operational service by the end of the week."

What they're saying: "We are monitoring supply shortages in parts of the Southeast and are evaluating every action the Administration can take to mitigate the impact as much as possible," White House Press Secretary Jen Psaki said in a statement.

What we're watching: Multiple lawmakers have called for the passage of cybersecurity bills in the wake of the attack.

  • "That infrastructure package should have a giant allocation for improving cybersecurity across the United States," energy analyst Amy Myers Jaffe said on the latest Axios Pro Rata podcast.

Go deeper: What to know about the Colonial Pipeline cyberattack

Go deeper