Cyberattack Forces a Shutdown of a Top U.S. Pipeline

A cyberattack forced the shutdown of one of the largest pipelines in the United States, in what appeared to be a significant attempt to disrupt vulnerable energy infrastructure. The pipeline carries refined gasoline and jet fuel up the East Coast from Texas to New York.

The operator of the system, Colonial Pipeline, said in a statement late Friday that it had shut down its 5,500 miles of pipeline, which it says carries 45 percent of the East Coast’s fuel supplies, in an effort to contain the breach on its computer networks. Earlier Friday, there were disruptions along the pipeline, but it was unclear whether that was a direct result of the attack, or the company’s moves to proactively halt it.

Colonial Pipeline has not indicated whether its systems were hit by ransomware, in which hackers hold a victim’s data hostage until it pays a ransom, or whether it was another form of cyberattack. But the shutdown of such a vital pipeline, one that has been serving the East Coast since the early 1960s, highlights the huge vulnerability of aging infrastructure that has been connected, directly or indirectly, to the internet.

In coming weeks the administration is expected to issue a broad-ranging executive order to bolster security of federal and private systems, after two major attacks from Russia and China in recent months caught American intelligence agencies and companies by surprise.

Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the pandemic, the attack was unlikely to cause any immediate disruptions.

In the statement, the company said that it learned on Friday that it “was the victim of a cybersecurity attack,” but it provided no details. Such an attack could involve malware that shut down its operations or ransomware demanding payment to unlock computer files or systems.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our I.T. operations,” the company said, referring to information technology systems.

It said it had contacted law enforcement and other federal agencies. The F.B.I. leads such investigations, but critical infrastructure is the responsibility of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. An administration official said that an investigation into the episode was in the very early stages, and that it was unclear whether the attacker was a nation or a criminal group. At times, they work in concert.

Attacks on critical infrastructure have been a major concern for a decade, but they have accelerated in recent months after two breaches — the SolarWinds intrusion by Russia’s main intelligence service, and another against some types of Microsoft-designed systems that has been attributed to Chinese hackers — underscored the vulnerability of the networks on which the government and corporations rely.

For that reason, understanding how the pipeline attack unfolded — and the motivations of those behind it — will become the focus of federal investigators and the White House, which has elevated cybervulnerabilities to the top of its national security agenda.

As a privately held company, Colonial is under less pressure than a public company might be to reveal details. But its statement left unclear whether the initial attack was directed at the industrial controls that are used to manage the pipeline — which most large utility operators keep insulated from the internet to reduce their vulnerability — or whether it was a ransomware attack that stole or froze data on Colonial’s computer systems.

People familiar with the investigation said the early indications were that it was a ransomware attack, and that the events had been unfolding for several days. The company has hired the private cybersecurity firm FireEye, which responded to the hacking of Sony Pictures Entertainment, energy facility breaches in the Middle East and many federal government incidents.

The company appears to have brought down activity on the pipeline on Friday to prevent the hackers from inflicting more damage. But that left open the question of whether the attackers themselves now have the ability to directly turn the pipelines on or off, or trigger operations that could cause an accident.

If it was a ransomware attack, it would be the second known such incident aimed at a pipeline operator. Last year, the Cybersecurity and Infrastructure Security Agency reported a ransomware attack on a natural gas compression facility belonging to a pipeline operator. That forced a shutdown of the facility for two days, though the agency never revealed the company’s name.

So far the effect on fuel prices has been small, with gasoline and diesel futures rising about 1 percent on the New York Mercantile Exchange on Friday. Prices for regular gasoline at the pump in New York State rose on Saturday by a penny, to $3 from $2.99. Over the past week, gasoline prices have risen nationwide by 6 cents, as global oil prices have risen rapidly.

“It’s a serious issue,” said Tom Kloza, the global head of energy analysis at Oil Price Information Service. “It could snarl things up because it is the country’s jugular aorta from moving fuel from the Gulf Coast up to New York.”

Colonial Pipeline, based in Alpharetta, Ga., is owned by several American and foreign companies and investment firms, including Koch Industries and Royal Dutch Shell. The pipeline connects Houston and the Port of New York and New Jersey and also provides jet fuel to most of the major airports, including in Atlanta and Washington, D.C.

Though both the SolarWinds and the Microsoft attacks appeared aimed, at least initially, at the theft of emails and other data, the nature of the intrusions created “back doors” that experts say could ultimately enable attacks on physical infrastructure. So far, neither effort is thought to have led to anything other than data theft, though there have been quiet concerns in the federal government that the vulnerabilities could be used for infrastructure attacks in the future.

The Biden administration announced sanctions against Russia last month for SolarWinds, and is expected to issue an executive order in the coming days that would take steps to secure critical infrastructure, including requiring enhanced security for vendors providing services to the federal government.

The United States has long warned that Russia has implanted malicious code in the electric utility networks, and the United States responded several years ago by putting similar code into the Russian grid.

But actual attacks on energy systems are rare. About a decade ago, Iran was blamed for an attack on the computer systems of Saudi Aramco, one of the world’s largest oil producers, which destroyed 30,000 computers. That attack, which appeared to be in response to the American-Israeli attack on Iran’s nuclear centrifuges, did not affect operations.

Another attack on a Saudi petrochemical plant in 2017 nearly set off a major industrial disaster. But it was shut down quickly, and investigators later attributed it to Russian hackers. This year, someone briefly took control of a water treatment plant in a small Florida city, in what appeared to be an effort to poison the supply, but the attempt was quickly halted.

Clifford Krauss and Nicole Perlroth contributed reporting.