Cyberattack halts pipeline for third day

U.S., firm trying to avoid disruptions in gas supply

FILE - In this Sept. 20, 2016 file photo vehicles are seen near Colonial Pipeline in Helena, Ala.  A major pipeline that transports fuels along the East Coast says it had to stop operations because it was the victim of a cyberattack. Colonial Pipeline said in a statement late Friday that it “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.” (AP Photo/Brynn Anderson, File)

NEW YORK -- The shutdown of a vital U.S. pipeline because of a ransomware attack stretched into a third day Sunday, with the Biden administration saying an "all-hands-on-deck effort" was underway to restore operations and avoid disruptions in gasoline supply.

Experts said gas prices are unlikely to be significantly affected if normal operations resume in the next few days, but they added that the incident -- the worst cyberattack to date on critical U.S. infrastructure -- should serve as a wake-up call to companies about the vulnerabilities they face.

The pipeline, operated by Georgia-based Colonial Pipeline, carries gasoline and other fuel from Texas to the Northeast. It delivers roughly 45% of the fuel consumed on the East Coast, according to the company.

Ransomware attacks are typically carried out by hackers who lock up computer systems by encrypting data and then demand big ransoms to release it. Colonial Pipeline has not said what was demanded or who made the demand. The privately held company also declined to say whether it has paid or was negotiating a ransom.

However, a person close to the investigation who spoke on condition of anonymity identified the ransomware gang responsible as DarkSide. The group has been active since August and, typical of the most potent ransomware gangs, is known to avoid targeting organizations in former Soviet bloc nations.

DarkSide is among the gangs that have professionalized a criminal industry that has cost Western nations tens of billions of dollars in the past three years.

It tries to promote a Robin Hood image, claiming that it does not attack medical, educational or government targets -- only large corporations -- and that it donates a portion of its take to charity.

Commerce Secretary Gina Raimondo said Sunday that ransomware attacks are "what businesses now have to worry about" and that she will work "very vigorously" with the Homeland Security Department to address the problem, calling it a top priority for the administration.

"Unfortunately, these sorts of attacks are becoming more frequent," she said on CBS' "Face the Nation." "We have to work in partnership with business to secure networks to defend ourselves against these attacks."

She said President Joe Biden was briefed on the attack.

"It's an all-hands-on-deck effort right now," Raimondo said. "And we are working closely with the company, state and local officials to make sure that they get back up to normal operations as quickly as possible and there aren't disruptions in supply."

RISING RISK

The person close to the Colonial Pipeline investigation said that before activating the ransomware, the attackers stole data, presumably to be used for extortion. Sometimes data is more valuable to ransomware criminals than the leverage they gain by crippling a network, because some victims are loath to see sensitive information dumped online.

DarkSide neither announced an attack on its dark website nor responded to an Associated Press reporter's queries. The lack of acknowledgment usually indicates a victim is either negotiating or has paid.

Security experts said the attack should be a warning for operators of critical infrastructure -- including electrical and water utilities and energy and transportation companies -- that not investing in updating their security puts them at risk of catastrophe.

Ed Amoroso, CEO of TAG Cyber, said Colonial was lucky its attacker was at least ostensibly motivated only by profit, not geopolitics. State-backed hackers bent on more serious destruction use the same intrusion methods as ransomware gangs.

"For companies vulnerable to ransomware, it's a bad sign because they are probably more vulnerable to more serious attacks," he said. Russian cyberwarriors, for example, crippled the electrical grid in Ukraine during the winters of 2015 and 2016.

Cyberextortion attempts in the U.S. have become a death-by-a-thousand-cuts phenomenon in the past year, with attacks forcing delays in cancer treatment, interrupting schooling and paralyzing police and city governments.

Tulsa's government last week became the 32nd state or local government in the U.S. to come under ransomware attack, said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.

Average ransoms paid in the U.S. jumped nearly threefold to more than $310,000 last year. The average downtime for victims of ransomware attacks is 21 days, according to the firm Coveware, which helps victims respond.

David Kennedy, founder and senior principal security consultant at TrustedSec, said that once an attack is discovered, companies have little recourse but to completely rebuild their infrastructure or pay the ransom.

"Ransomware is absolutely out of control and one of the biggest threats we face as a nation," Kennedy said. "The problem we face is most companies are grossly underprepared to face these threats."

The Justice Department has a new task force dedicated to countering such attacks.

While the U.S. has not suffered any serious cyberattacks on its critical infrastructure, officials say Russian hackers in particular are known to have infiltrated some crucial sectors, positioning themselves to do damage if armed conflict were to break out.

Iranian hackers have also been aggressive in trying to gain access to utilities, factories and oil and gas facilities. In one case in 2013, they broke into the control system of a U.S. dam.

FUEL PRICES

The attack on the nation's biggest oil fuel pipeline came near the beginning of the summer driving season, when fuel prices traditionally rise anyway. But fuel consumption, while growing, remains depressed from pre-pandemic levels.

Energy experts predicted that traders would view the company's statements Sunday as a sign that the pipeline would remain shut at least a few days. Tom Kloza, global head of energy analysis at Oil Price Information Service, said he thought gasoline futures would rise 2% to 3% beginning Sunday night and today.

"I don't think in the end this will be a seminal event for pricing, but I think it will be a seminal event for cybersecurity," Kloza said.

Goldman Sachs issued a report Sunday saying that since there was no physical damage to the pipeline, "the bullish impact on East Coast fuel prices is likely to be transient."

But gasoline shortages could appear if the pipeline is still shut well into the week, some analysts said.

"Even a temporary shutdown will likely drive already rising national retail gas prices over $3 per gallon for the first time since 2014," said Jay Hatfield, chief executive of Infrastructure Capital Management and an investor in natural gas and oil pipelines and storage.

At least one gasoline station in Camden, S.C., alerted drivers Sunday that it would limit sales of gas to 20 gallons because of the suspension of pipeline operations.

PIPELINE'S IMPORTANCE

The national average gas price stood at $2.96 a gallon Friday, according to the AAA auto club. With national gasoline inventories ample, the pump price wasn't expected to tick much higher until Memorial Day at the end of May, which is traditionally viewed as the start of the U.S. summer driving season.

Gasoline last topped the $3 average in October 2014.

Any price increases in road fuel may stoke even more worries about inflation as commodities such as oil, lumber and corn skyrocket with the world's major economies emerging from pandemic restrictions. The oil industry was gearing up to meet what is expected to be a surge in fuel demand as newly vaccinated Americans take to the roadways and skies this summer.

The Colonial pipeline is a key artery, transporting gasoline, diesel, jet fuel and home heating oil from refineries on the Gulf Coast through pipelines running from Texas to New Jersey. Its system spans more than 5,500 miles, transporting more than 100 million gallons a day.

"It all comes down to the duration of the disruption. If it lasts longer, it's likely to result in some location dislocations -- shortage of oil products in the East Coast, abundance in the Gulf region. That will support New York product prices and might attract more oil products from abroad," said Giovanni Staunovo, commodity analyst at UBS Group AG.

New York was well-supplied with fuel ahead of the attack and could weather the upset if missing fuel is replaced or if the line restarts quickly. East Coast gasoline stockpiles at the end of April were near five-year seasonal averages.

But experts said several airports that depend on the pipeline for jet fuel, including Nashville, Tenn.; Baltimore-Washington; and Charlotte and Raleigh-Durham, N.C., could have a hard time later in the week. Airports generally store enough jet fuel for three to five days of operations.

The trade in gasoline and crude futures starting late Sunday and the cash-market and rack gasoline today will tell more of the tale.

Debnil Chowdhury at the research firm IHS Markit said that if the outage stretches to one to three weeks, then prices could begin rising.

"I wouldn't be surprised, if this ends up being an outage of that magnitude, if we see a 15- to 20-cent rise in gas prices over the next week or two," he said.

Colonial Pipeline would not give a timeline Sunday on when it would reopen the pipeline. It said it was developing "a system restart plan" and would restore service to some small lines between terminals and delivery points, but it "will bring our full system back online only when we believe it is safe to do so."

While it said it was working to restart operations as soon as possible, it indicated by not reopening Sunday that the operations could still be in jeopardy.

OTHER OPTIONS

Regional refineries could add to their supplies from Kinder Morgan's Plantation Pipeline, which operates between Louisiana and northern Virginia, but its capacity is limited, and it does not reach major metropolitan areas north of Washington, D.C.

The East Coast has ample harbors to import petroleum products from Europe, Canada and South America, but that can take time. Tankers sailing from the port of Rotterdam, Netherlands, at speeds of up to 16 nautical mph can take as long as two weeks to make the trip to New York Harbor.

Kloza said the Biden administration could suspend the Jones Act, which requires that goods shipped between U.S. ports be transported on U.S.-built and -operated vessels. That would allow foreign-flagged tankers to move additional barrels of fuel from Gulf ports to Atlantic Coast harbors. The Jones Act is typically suspended during emergencies such as hurricanes.

"One could make the case that the Biden administration might consider such a move sooner rather than later if Colonial software issues persist," Kloza said.

Information for this article was contributed by Mae Anderson, Frank Bajak, Alan Suderman, Martin Crutsinger and Michael Balsamo of The Associated Press; by Clifford Krauss of The New York Times; and by Jeffrey Bair of Bloomberg News (TNS).

A company that operates a major U.S. energy pipeline says it was forced to temporarily halt all pipeline operations following a cybersecurity attack.
FILE - In this Sept. 8, 2008 file photo traffic on I-95 passes oil storage tanks owned by the Colonial Pipeline Company in Linden, N.J. A major pipeline that transports fuels along the East Coast says it had to stop operations because it was the victim of a cyberattack. Colonial Pipeline said in a statement late Friday that it “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.” (AP Photo/Mark Lennihan, File)
