The Colonial Pipeline Cyber Attack: Exposing Dangerous Vulnerabilities Across the Energy Sector
The energy systems that make modern life possible extend well beyond luxury, but rather they are necessities. The availability of energy in all its forms is so ingrained in day-to-day society that any interruption can present real danger: from essential equipment needing power to keep food and medicine at safe temperatures to the oil products that power transport across the economy, and more. Because of how critical energy is to everyday life, reliability and resilience are of the utmost importance.
However, the past few years have unfortunately exposed just how at risk certain cogs in the machine of our national systems may be. All it takes is one component to fall short to bring down the whole house of cards. From wildfires in California to a grid-stopping winter storm in Texas to unexpected outages unfortunately lining up with peak summer loads, many events have undercut confidence in these systems.
Those unavoidable examples of interruptions are largely the impact of natural systems we cannot control, but the recent cyberattack on the Colonial Pipeline and ensuing interruptions to oil and gas supplies across the country highlighted the unnerving reality that malicious actors could intentionally expose and leverage these vulnerabilities. While the fallout and investigations about the Colonial Pipeline hack are still ongoing, much of the real-world impact and dangers have been made abundantly clear as a result.
What Is the Colonial Pipeline and What Happened to It?
The Colonial Pipeline is one of the most substantial ‘arteries’ for oil and gas in the United States, carrying refined petroleum products from refineries in the Gulf Coast hub to customers all along the East Coast. Because these fuels (such as diesel, gasoline, and other end-use products) are made in the Gulf Coast region, rather than imported from elsewhere, the Colonial Pipeline is the predominant source for these essential products for mid-Atlantic States like the Carolinas all the way up to New York and even New England. In total, the Colonial Pipeline carries 45% of all of the fuel that the northeast region consumes.
On a day-to-day basis, though, most people aren’t thinking much about these pipelines. Rather, they simply trust that the petroleum products needed will be readily available when they go to the gas pump. But in early May of this year, that assumption was no longer true for many customers across the coast.
Everything changed when hackers with malicious intentions gained access to a secured private network of Colonial Pipeline Co., the company that operates the pipeline. In doing so, these hackers were able to access sensitive information and operational points on the pipeline. The infrastructure that transports oil is a lot more digital than it once was, containing countless digital components, including sensors, thermostats, valves and pumps, and automation software to operations running smoothly. By gaining unauthorized access to these components, hackers have at their fingertips the ability to cause unthinkable damage, if they so choose. The immediate reaction was strong, notably, not because the hackers damaged anything, but rather because Colonial Pipeline had no immediate idea when the system was initially breached and what damage those actors were able to do in the meantime. And the ‘how’ of this all was just as shocking: experts say it was just a single compromised password, accessed from a data leak in the dark web, that created this vulnerability.
The goal of these hackers, though, was not to bring the system to its knees for the sake of causing damage, but rather they wanted that threat to hang over Colonial Pipeline executives until they paid a ransom of $4.4 million. And Colonial Pipeline did in fact send payment to the hackers, though it’s worth noting a large portion of that was recovered by the U.S. Department of Justice who was immediately on the case.
Oil flow was restored to the pipeline a few days after the system was shut down. It took a few more days after the switch was flipped for oil to get to the furthest reaches of the pipeline network, as oil crawls along the pipeline at about 5 miles per hour, but the system was restored and is back to functional as normal. But just because the oil was flowing again doesn’t mean crisis was averted, as the impact was felt widely.
Measuring the Impact
When the Colonial Pipeline Co. made the decision to stop the flow of oil, gasoline shortages were naturally caused at gasoline pumps across the Eastern seaboard. Interestingly, though, these shortages weren’t just because of lack of pipeline flow, but also from “panic buying” by customers across the region. While many states have stocks and reserves of petroleum products readily on hand, consumers heard about the shutdown and were worried they’d be left without fuel, causing excessive demand on the strained supplies.
As the stocks were depleted, supplies had to be transported outside of the pipeline system. That meant oil companies had to switch from relying on pipelines to instead work on receiving foreign imports or moving product via use trucks, both of which are more expensive than pipeline transport. This extra expense was passed onto customers as average gas prices reached their highest levels since late 2014.
While government leaders implemented measures to try and help oil movement, like waiving restrictions on certain trucking practices, it wasn’t enough to keep a ‘normal’ level of operations. As a result, at the height of the panic and the shutoff 49% of Virginia gas stations were completely out of fuel, as one example.
The scary part is also not knowing how long hackers actually had access, and what they did in the time there were operating undetected. While this situation got resolved without some of the potentially worst impacts that could have been, the threat was exposed and the uncertainty remains.
How Does the Colonial Pipeline Hack Relate to the Power Sector?
The direct impact of these events to the electric power industry was not huge. Oil is used in some places for auxiliary power generation or backup generators, but the effects was really mostly restricted to industrial actors who use oil products directly and the country’s major transportation systems. The diversity in the U.S. power generation mix meant that a several day interruption of oil supplies was not felt in electricity availability, price, or anything of that nature.
That’s the good news for electricity customers, energy brokers, and other stakeholders amid this unnerving event, but zooming out to the bigger picture highlights the greater concern. Cyber experts in the wake of this hack, and others that have been hitting broader utilities, note how truly unsurprising it really is that this happened. On the contrary, industry observers note that the Colonial Pipeline shutdown is more likely than not just a “taste of things to come.” Because of how profitable it can be to extort energy companies, because of how many vulnerabilities do exist, and because of the necessity to avoid interruptions at all cost, these types of attacks will happen again and again.
More truthfully, though, cyber experts note that these types of attacks are being attempted at a near constant level, but it’s just the successful penetration of the systems like this that the public ends up hearing about. Colonial Pipeline was not the first, and it will certainly not to be the last:
Saudi Aramco was victim of a cyberattack in 2012 that required the company to shut down 30,000 computers
In 2018, data systems of four natural gas pipeline operations were compromised
Russian operatives have been accused of hacking the U.S. power grid to flex the ability to do so
These stories aren’t going to go away, and the vulnerabilities are real. In an industry as critical as electric power, one that’s already got its hands full addressing the threats to systems that come from extreme weather events, system degradation with age, climate change impacts, and strained resources unable to keep up with demand, cyberattacks create yet another headache. The silver lining, though, is that this is a headache for which we have prescriptions. But like any good medicine, for these measures to work effectively they need to be used diligently, exactly according to instructions, and without missing or ignoring any doses.
What Needs to Be Done?
Regardless of whether the energy systems being discussed are oil, power, transmission, or otherwise, cybersecurity needs to be a main pillar of focus. Focus on cybersecurity cannot be constrained to the responsibility of just a single external team, it can’t be treated as simply a box to check off, and it must be a key part of every project planning process, all team priorities, and internalized from everyone to the newest entry level employee up to the CEO. Cybersecurity is everyone’s responsibility.
And key to remember through this focus is that all the technology and digital tools can only achieve so much success on their own, but the people using those systems need to be trained, kept updated, and remain diligent. Once again, the Colonial Pipeline was shut down largely thanks to a single compromised password. Poor password practice is one of the easiest cybersecurity vulnerabilities to stop in theory (e.g., use a strong password, change it regularly, and don’t share it), but doing so is simultaneously one of the most frequently overlooked priorities. Cybersecurity is a team effort, and it takes us all to make sure we secure our critical grid infrastructure.