These are the lessons of the US Colonial oil pipeline cyber attack

Security improvements will not be enough, not against increasingly skilful, well-resourced and motivated criminals and state-backed hackers

An Exxon station is seen out of gas after a cyberattack crippled the biggest fuel pipeline in the country, run by Colonial Pipeline, in Washington, U.S., May 15, 2021. REUTERS/Yuri Gripas

The US energy business should have learnt to be wary of the power of the DarkSide. After numerous warnings, it suffered its most disruptive cyber attack two Fridays ago when the Colonial oil pipeline was shut down after a ransomware attack, suspected to be from this gang. Cyber security needs to be improved but that alone is not enough: the energy industry needs broader resilience to such threats.

The pipeline brings refined oil products – petrol, diesel, heating oil and jet fuel – from the Texas refining complex to meet 45 per cent of consumption on the US East Coast, ultimately supplying New Jersey, New York and other states.

Hackers exfiltrated 100 gigabytes of data and then demanded payment to unencrypt the company's files. Colonial's operational systems were not affected but it shut down pipeline flows – either to prevent further dissemination or, as it now appears, because it could not bill customers. A $5 million ransom was paid to the hackers, according to Bloomberg.

Federal and state governments temporarily waived fuel quality standards and restrictions on hours and weights for road tankers. Traders booked tankers to bring refined products from Europe.

Some refiners were granted exemptions from the Jones Act, an outdated and pernicious law that requires all trade between American ports to be carried out by vessels built and flagged in the US and manned by Americans.

Nevertheless, petrol stations began to run dry: by Thursday evening, according to consumer service Gas Buddy, between half and two thirds of Georgia, Virginia, South and North Carolina were out of fuel. This was exacerbated by limited deliveries from distribution centres as tanker trucks themselves could not secure diesel, as well panic buying.

Indeed, shortages in southern Florida seem mostly to be due to hoarding as the state is primarily supplied by barges, not Colonial's network.

The company resumed pipeline flows on Thursday but it will probably take one to two weeks before service returns to normal in all areas. For the first time in six years, petrol prices rose above $3 a gallon during the interruption but, overall, the effects on demand will be slightly negative.

This is the most disruptive cyber attack in the US to date but far from the first for the energy industry. Electricity and gas pipeline companies have suffered intrusions in recent years that were either aimed at extortion or probing vulnerabilities. The US Department of Energy was one of the victims of the Solarwinds cyber espionage discovered in December.

The famous Stuxnet virus, strongly suspected to be the work of the US and Israel, damaged Iranian centrifuges in 2009 and 2010, setting back its uranium enrichment programme. The National Iranian Oil Company experienced a cyber attack in April 2012. That August, the Shamoon virus, possibly linked to Iran, wiped 30,000 computers at Saudi Aramco.

Several Saudi petrochemical companies have suffered cyber attacks since then while the Ukraine energy grid was also compromised, resulting in power cuts.

These, along with hacks on or by North Korea, are all known geopolitical flash points while growing hostility between the US and China is another. Cyber attacks have great attractions. They are deniable, difficult to identify – making it hard to apprehend perpetrators – while the damage can be gradated short of war. A group such as DarkSide could be a criminal enterprise but it could also be similar to Elizabethan privateers who were licensed by the state to attack its enemies. State agencies could use the cover of extortion attempts to conduct espionage or plant sabotage bugs.

Perhaps the surprise is not how devastating cyber attacks have been but how little damage they have done so far. There has not been serious and prolonged disruption or major physical damage or loss of life. DarkSide’s ransom from Colonial sounds like something Dr Evil would do – disconcerting his henchman by asking for only $1m.

But any of the conflicts mentioned, or others, could turn into more overt confrontations or a hacking group might go too far. Energy infrastructure – essential, exposed, expensive and explosive – is an obvious target.

Surveys suggest that energy cyber security is weak and characterised by inadequate passwords, outdated versions of Microsoft Exchange, employees who are easily duped into clicking on suspicious links, operational systems that are not properly "air-gapped" from the internet and a lack of "war games" to simulate cyber crises.

However, security improvements will not be enough – not against increasingly skilful, well resourced and motivated criminals and state-backed hackers. Digitisation and automation, remote working and operations, drones, the Internet of Things and the electrification of an economy powered by fossil fuels promise greater efficiency, cost savings and environmental gains. But they also expand vulnerabilities.

The Colonial incident exposed several major weaknesses in US energy security. Strategic petroleum stocks are nearly all along the Gulf of Mexico coast and not near other big consumption centres. The East Coast relies on a single system for about half of its petroleum demand. There are no mandatory pipeline cyber security regulations. Logistics faces the circular paradox of needing fuel to deliver fuel. The dead hand of the Jones Act constrains alternatives and there is no way to stop panic buying.

Many other countries would turn out to have similar or deeper flaws when seriously tested. February’s Texas ice storm, although not a cyber attack, highlighted the need to have electricity to deliver gas to generate electricity, and for both to make heat to keep people alive and water flowing.

Greater resilience involves a mix of improved cyber security, tougher infrastructure, duplication and back-ups, diversity of energy sources and delivery methods, more effective regulation and government powers of intervention, better accounting for human behaviour and stronger recovery plans.

Cyber attacks on energy systems will probably become more frequent, more ingenious and more disruptive. Several warnings have passed, fortunately without too much damage, but now it is time to act.

Robin Mills is chief executive of Qamar Energy and author of The Myth of the Oil Crisis

EDITOR'S PICKS
NEWSLETTERS