The Colonial Pipeline, which transports about 45 percent of fuel consumed on the East Coast, shut down over the weekend due to a ransomware attack.
It carried out the shutdown to prevent hackers from accessing its operational technology.
On Monday, the company behind the pipeline said it would take “a phased approach” to restoring service and hopes to “substantially” restore its operations by the end of the week.
The attack stunned the Biden administration and the energy industry.
Here are five takeaways about the major disruption:
Hack sparks fears of gas price increase
Some analysts raised concerns about potential increases to gasoline prices because of the shutdown.
Debnil Chowdhury, head of Americas refining research at IHS Markit, said that last time part of the pipeline shut down, in 2016, increases were at about 10 cents or 20 cents per gallon.
“We could eventually see that happening here if this does not get resolved quickly,” Chowdhury said.
He added that one reason that prices have to go up is to incentivize Europe and Asia to send barrels to the U.S.
“If the prices here don’t move higher, then the Europeans don’t have an incentive to send ships of gasoline and diesel to the East Coast,” Chowdhury said.
AAA spokesperson Jeanette McGee predicted in a statement that some states could see prices increase by three to seven cents.
Analysts also stressed that whether prices rise, and by how much, depends on how long the shutdown lasts and whether people try to hoard fuel.
“It becomes a price issue based on that variable of crowd behavior,” said Tom Kloza, global head of energy analysis at the Oil Price Information Service. “It can be a self-fulfilling prophecy.”
The White House on Monday said that the shutdown hadn’t caused any supply shortages, and that officials would watch for any possible future disruptions.
“Right now there is not a supply shortage. We are preparing for multiple possible contingencies … and considering what additional steps may be useful to mitigate any potential disruptions to supply,” White House homeland security adviser Elizabeth Sherwood-Randall said at a briefing Monday.
“We’re working with other agencies to consider how if necessary we can move supplies to a place where it might be needed if it turns out there is a shortfall,” she added.
White House irritated by lack of control
President Biden and other administration officials on Monday highlighted the dominance of the private sector in owning and operating critical utilities, hinting at irritation around the government’s lack of control over security operations.
“My administration is also committed to safeguarding our critical infrastructure, much of which is privately owned and managed like Colonial,” Biden said as part of remarks on the economy at the White House. “Private entities are making their own determinations on cybersecurity.”
Other top officials also cited concerns that private sector groups like Colonial had too much control over critical systems.
“This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private sector companies,” homeland security adviser Elizabeth Sherwood-Randall told reporters at the White House on Monday. “When those companies are attacked, they serve as the first line of defense, and we depend on the effectiveness of their defenses.”
According to data from the Federal Emergency Management Agency, in 2011 about 85 percent of U.S. critical infrastructure, including pipelines, was owned by the private sector.
Tobias Whitney, the vice president of energy security solutions at Fortress Information Security, which works with grid operators, told The Hill that the pipelines in particular lacked oversight.
“With electric power there is a tremendous high bar as it relates to federally mandated compliance rules, as it relates to reliability,” Whitney told The Hill. “You don’t necessarily have the same level of oversight of oil and gas … it plays a part when we see these types of events.”
Ransomware is a major growing threat
The breach demonstrates the particular threat of ransomware to a sector like U.S. energy infrastructure, Patrick Craven, director for The Center for Cyber Safety and Education, told The Hill.
“I think it’s a growing threat to all of the sectors,” Craven said, adding that the threat was particularly acute because of the impact on the public.
Craven said that if the electric grid is hacked, “it’s going to hit people, not just government, not just businesses.”
Ransomware attacks have turned into serious threats to critical organizations such as hospitals and schools during the COVID-19 pandemic, with operations often brought to a halt.
The Biden administration has begun taking a series of actions to address ransomware threats, including the Justice Department last month standing up a ransomware task force and the Department of Homeland Security making ransomware the focus of its first 60-day cybersecurity sprint.
Capitol Hill has also been increasingly focused on the problem. The House Homeland Security Committee’s cybersecurity panel held a hearing on the issue last week, and a bipartisan group of House lawmakers plan to soon introduce legislation to provide state and local governments with funds to help fight cyber criminals.
“I think the energy sector seems to be getting hotter at the moment but I think [ransomware] is a threat across sectors,” Tom Kuster, CEO of solar energy firm Merit SI, also told The Hill.
“One theory that we’ve been thinking about here is there’s a lot more connected devices that are coming onto the networks that run the power grid,” particularly as workers have largely worked from home during the coronavirus pandemic, he added.
Kuster further cited “the increased smart-grid, everything interconnected to do with energy.”
“There’s many more points of entry into the network” for ransomware, he added.
US energy vulnerabilities exposed
Rep. August Pfluger (R-Texas) said the attack, much like February’s winter weather that knocked out Texas’s electrical grid, illustrated the need for improved infrastructure, particularly pertaining to energy.
“This is critical infrastructure and when it comes to the delivery of energy … we have to be sure transportation is reliable,” Pfluger told The Hill. “This attack underscores the need to protect our infrastructure.”
“When you don’t have energy, as temperatures start to rise, as people are trying to heat and cool their homes — we saw this in Texas in February, it is absolutely critical for our way of life,” Pfluger added. “Americans are still used to a high quality of life of which oil and natural gas provide a tremendous amount of support for that.”
The hack was a further demonstration of how many sectors in the U.S. are “on the defensive” when it comes to cybersecurity, Craven said.
“They only have to be right once” whereas cybersecurity personnel “have to be right every time,” Craven added, noting that “as high as 90 percent of hacks like this happen because of human error.”
Another reason ransomware is a growing concern, Craven added, is because in many cases it’s completely unmoored from ideology and is solely a moneymaking venture. Indeed, the alleged Colonial hackers have already claimed this was one such case.
“For many people this is a business, this is what they do all day long … to make money,” Craven said. “It’s a way of causing havoc and potentially bringing in income as well.”
Andrew Lipow, president of the energy consulting firm Lipow Oil Associates, told The Hill the attack indicates cybersecurity safeguards for major energy pipelines may be inadequate.
“The largest refined product pipeline in the country was hit by ransomware attack; for the industry, this a wake-up call,” Lipow told The Hill. “They’re trying to figure out not only how it happened, but how to prevent it from happening to other facilities in the oil industry.”
Biden under pressure amid cybersecurity threats
All eyes are now on the Biden administration to see how it responds to the attack and what it will do going forward on cybersecurity.
Biden on Monday stressed that his administration took the hack “extremely seriously,” noting that he had been receiving daily briefings on the situation.
Sherwood-Randall told reporters that the White House convened an “interagency team” late last week to tackle the Colonial Pipelines hack, with the Energy Department leading, and the departments of Defense, Homeland Security, Transportation and Treasury also involved.
But, following the weekend incident, members of Congress on both sides of the aisle are calling for larger investments in cybersecurity for critical infrastructure, and to take actions against malicious hacking incidents, in particular in the wake of two other major cyberattacks in recent months.
The SolarWinds hack, first discovered in December, involved Russian hackers successfully breaching nine federal agencies for almost a year. Biden levied sanctions on Russia last month in retaliation for that hack.
In addition, Microsoft announced previously unknown vulnerabilities in March in its Exchange Server email application which potentially compromised thousands of organizations.
In the wake of the three incidents, the administration is preparing to roll out an executive order to strengthen federal cybersecurity, and kicked off a 100-day plan to secure the electric grid, with Biden saying more work around other sectors would soon begin.
“We want to see ransomware not be successful, and that begins with greater resilience particularly in critical infrastructure networks,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters Monday.
Fortress Information Security’s Whitney told The Hill on Monday that more could still be done.
“All of these things are effective in principle, but the devil is in the details,” he warned.