Colonial Pipeline: Details emerge of landmark cyber-security breach

A tank farm facility for Colonial Pipeline outside Birmingham, Alabama, in 2007 (image credit: chapstickaddict, CC BY-NC-ND 2.0 license).

A cyber-attack on the largest fuel pipeline in the US, on Friday 7 May, is being described as possibly the most impactful ransomware event in history, and certainly the most significant attack on a piece of critical national infrastructure. At the time of writing (12 May), fuel shortages were reported to be spreading rapidly in the eastern and southern regions of the country, with fuel prices having hit a seven-year high in the preceding hours.

Blame for the attack has been attributed to a criminal organisation believed to be from Russia, DarkSide, in statements made by the FBI (10 May) and sources cited by Bloomberg and Reuters.

The Colonial Pipeline distributes “gasoline, diesel and jet fuel” across a 5,500-mile extent that connects refineries in the Gulf Coast to population centres like New York, and further north. It transports around 2.5 million barrels of liquid fuel per day.

The operating company, Colonial Pipeline Co., has not disclosed details of exactly how its system was breached, although the attack appears to have begun with a data theft on Thursday 6 May – around 100 gigabytes of data having been stolen in a couple of hours. On 7 May the company was served with a ransomware notice. According to Bloomberg, the attack reached the firm’s administrative network, with employees finding themselves locked out of the system.

Bloomberg described the attack as “a double-extortion scheme” since it involved both encrypting company files and stealing data (and threatening to leak these data, in the absence of a ransom payment).

As an immediate response, the operating firm took the decision to shut down a large portion of the pipeline – its “four main lines”, as US newspaper The Financial Post put it – as a proactive measure. These were still reported to be offline on Sunday evening, but the firm had restarted “smaller lateral lines between terminals and delivery points”, according to the same newspaper.

A Colonial Pipeline gas terminal (image credit: Orbital Joe, CC BY-NC-ND 2.0 license).

On Monday (10 May) the firm said it intended to restore deliveries of fuel to the Eastern US by the end of the week. On Tuesday (11 May), US Energy Secretary Jennifer Granholm said: “Last night one of Colonial’s major lines resumed operation under manual control.” She said the firm expected “to substantially restore operations by the end of this week.”

In a statement, Colonial said it would “bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”

A decision on a full restart was expected to be forthcoming late Wednesday (12 May).

Granholm said that, were that decision to be made, it would still take “a few days to ramp up operations”.

“This pipeline has never been shut down before,” she said, adding that it travels great distances, and there is fuel in the pipe, as well as fuel in the off-take from the refineries that will have to be added.

Responding to the event, the White House declared a state of emergency on Sunday evening, covering 17 states and the capital, and said it was working with Colonial to restart operations. The administration also announced measures to help with the supply of fuel, including a relaxation of environmental rules, and steps taken to allow foreign tankers to bring fuel to ports on the East coast.

Biden was also expected to present a House briefing on the cyber-attack at 6 pm Washington time on Wednesday.

How did it happen?
In the wake of the attack, experts in the industrial cyber-security field offered opinions on how the hackers might have gained access.

Supervisory control and data acquisition (SCADA) networks, widely used in industrial control systems in sectors such as energy and water, have been frequently pegged as a point of vulnerability in recent years, including with pipeline systems. In the latter, this kind of network connects computers and terminals with every kind of physical device on the network, including pumping stations, tank farms, and valves used for flow control purposes.

In comments made to The Financial Post, industrial cyber-security expert John Cosimano, pointed out that “once someone gains access to the SCADA network they have access to every device on the network.” He cited other points of vulnerability with SCADA systems, including the limitations of firewalls. While these will likely be present, and separating the pipeline SCADA networks from other business IT systems in the firm, they will still allow some data to pass between the two, such as network monitoring software like SolarWinds (previously the target of a malware attack in early 2020).

SCADA networks will tend to cover huge distances, and in an application like the Colonial pipeline, will reach all kinds of smaller facilities and maintenance areas along its extent, places where there might be limited physical security, providing a potential point of attack for a hacker.

The growing reliance on wireless networks within pipeline systems provides another avenue by which a malicious actor could gain access.