Colonial Pipeline Co. said May 10 it was working with the U.S. Department of Energy to bring its system back online following its May 7 cyberattack, with the goal of substantially restoring operational service by the end of the week. The company said in an early afternoon press release it had proactively taken systems offline to contain the threat, which halted its pipeline operations and affected some internal systems.

But “the full extent of the damage to Colonial Pipeline, and its business partners, will not be known for weeks if not months,” Robert Cattanach, partner in the Dorsey & Whitney law firm and expert on cybersecurity and data breaches, said in an email to Hart Energy. “Colonial lost mountains of data to the attacker well before its systems were shut down. A nimble response at the first sign of intrusion could have changed everything.” 

The hackers’ choice of timing could actually end up easing the market impact of the attack, Stacey Morris, research director at Alerian, told Hart Energy.

“Given the timing of the outage, ahead of driving season that starts Memorial Day weekend and with lingering demand impacts from the pandemic, the impact of the Colonial outage may be more muted than it would be otherwise,” Morris wrote in an email. “That said, a lot depends on how long the pipeline is actually shut down.”

The 5,500-mile pipeline moves 2.5 million barrels per day (bbl/d) of gasoline, diesel and jet fuel to mid-Atlantic and southeast states. Among its destinations is Hartsfield-Jackson International Airport in Atlanta, the nation’s busiest.

“The shutdown of the pipeline could lead to elevated prices for gasoline and distillates on the East Coast and in the Northeast,” she said. “Meanwhile, product prices on the Gulf Coast could see some pressure without the ability to transport volumes through Colonial.”

‘Last Thing They Need’

The DarkSide ransomware, used by a Russian cybercrime gang of the same name, encrypts victims’ files so they cannot be accessed. The gang threatens to publish the files online unless the company ponies up a hefty fee.

Lior Div, CEO of the Cybereason security firm, told Reuters that while the criminals were unusually savvy in terms of their pre-attack intelligence work, they may have miscalculated in this case.

“It’s not good for business for them when the U.S. government becomes involved, when the FBI becomes involved,” Div was quoted as saying. “It’s the last thing they need.”

Cyber assaults on the oil and gas industry are not new, but a coherent response to them has never been developed.

“[The Colonial Pipeline attack] just crystallizes that warfare in the 21st century has evolved to where private companies are now in many ways on the front lines,” Neil Chatterjee, commissioner on the Federal Energy Regulatory Commission (FERC), told Josh Siegel of the Washington Examiner. “It’s essential these companies working in conjunction with the government protect this critical infrastructure.”

Chatterjee and fellow Commissioner Richard Glick co-authored a piece in Axios in 2018 calling for stricter cybersecurity oversight of energy infrastructure.

“Given the high stakes, Congress should vest responsibility for pipeline security with an agency that fully comprehends the energy sector and has sufficient resources to address this growing threat,” the two argued in their article. “The Department of Energy (DOE) could be an appropriate choice: It is the Sector-Specific Agency for energy security and recently created its own cybersecurity office.”

Chatterjee and Glick pushed for the regulator to have the statutory authority, resources and commitment to implement mandatory standards. “The essential starting point for these reforms,” they wrote, “is standards that are both mandatory and tailored to the pipeline network’s greatest threats.”

Defend Yourself

Companies that operate pipelines and energy infrastructure typically cite cyberattacks as a potential risk to their businesses in their annual reports, but often, it is an afterthought for most market observers until there is an event like this, Morris said.

“That said,” she added, “the companies themselves are regularly focused on security and managing these types of risks.”

Still, Cattanach, who served as a trial attorney for the U.S. Department of Justice and as special counsel to the Secretary of the Navy, laid out some immediate lessons from the attack for companies.

“Make sure you have an incident response plan, and practice it,” he advised. “This needs to include stakeholders within the company with decision-making authority. Yes, the C-Suite is a busy place, with little spare time for practice drills. The return on this investment, however, is incalculable.”

Among his recommendations for steps to take:

  • Review your key contracts.
      1. “What obligations do you have to your business partners and customers to ensure you’ve instituted all reasonable cybersecurity protections, and are in a position to control the damage when, not if, you’re the victim of a cyberattack?”
      2. “What limitations of liability have you negotiated with your customers regarding the consequences of a cyberattack?”
      3. “What limitations of liability have your vendors imposed on you if their systems result in, or fail to prevent, a cyberattack on you?”
  • Segregate your IT systems, and tighten the screws on detection monitoring. You will never be able to completely prevent the threat actors from gaining access somewhere. 
  • Communicate constantly with industry groups and regulators. Cybercriminals are creatures of habit. They look for a common vulnerability, and exploit it until it’s eliminated.