2. The operator of the system, Colonial Pipeline, said in a vaguely worded
statement late Friday that it had shut down its 5,500 miles of pipeline,
which it says carries 45 percent of the East Coast’s fuel supplies, in an
effort to contain the breach. Earlier Friday, there were disruptions along
the pipeline, but it was not clear at the time whether that was a direct
result of the attack or of the company’s moves to proactively halt it.
On Saturday, as the F.B.I., the Energy Department and the White
House delved into the details, Colonial Pipeline acknowledged that its
corporate computer networks had been hit by a ransomware attack, in
which criminal groups hold data hostage until the victim pays a ransom.
The company said it had shut the pipeline itself, a precautionary act,
apparently for fear that the hackers might have obtained information
that would enable them to attack susceptible parts of the pipeline.
Administration officials said they believed the attack was the act of a
criminal group, rather than a nation seeking to disrupt critical
infrastructure in the United States. But at times, such groups have had
loose affiliations with foreign intelligence agencies and have operated
on their behalf.
The shutdown of such a vital pipeline, one that has served the East
Coast since the early 1960s, highlights the vulnerability of aging
infrastructure that has been connected, directly or indirectly, to the
internet. In recent months, officials note, the frequency and
sophistication of ransomware attacks have soared, crippling victims as
varied as the District of Columbia police department, hospitals treating
coronavirus patients and manufacturers, which frequently try to hide
the attacks out of embarrassment that their systems were pierced.
Colonial, however, had to explain why gasoline and jet fuel were no
longer flowing to its customers, and on Friday, the markets began to
react as speculation swirled about whether an accident, a maintenance
problem or a cyberincident accounted for the shutdown.
But on Saturday, Colonial, which is privately held, declined to say
whether it planned to pay the ransom, which frequently suggests that a
company is considering doing so, or has already paid. Nor did it say
when normal operations would resume.
3. In the next week or so, the administration is expected to issue a broad-
ranging executive order intended to bolster security of federal and
private systems after two major attacks from Russia and China in recent
months caught American companies and intelligence agencies by
surprise.
Colonial’s pipeline transports 2.5 million barrels each day, taking
refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New
York Harbor and New York’s major airports. Most of that goes into
large storage tanks, and with energy use depressed by the coronavirus
pandemic, the attack was unlikely to cause any immediate disruptions.
The company initially said that it had learned on Friday that it “was the
victim of a cybersecurity attack,” leading many in the industry and
some investigators to believe that the attack might have directly
affected the industrial control systems that regulate oil flow. Colonial
issued an updated statement on Saturday saying that it had determined
that the “incident involves ransomware” and contended that it had
taken down its systems as a preventive measure.
“Colonial Pipeline is taking steps to understand and resolve the issue,”
the company said. “Our primary focus is the safe and efficient
restoration of our service and our efforts to return to normal operation.”
It said it had contacted the law enforcement authorities and other
federal agencies. The F.B.I. confirmed that it was involved in the
investigation, along with the Energy Department and the Department
of Homeland Security’s Cybersecurity and Infrastructure Security
Agency.
Attacks on critical infrastructure have been a major concern for a
decade, but they have accelerated in recent months after two breaches
— the SolarWinds intrusion by Russia’s main intelligence service, and
another against some types of Microsoft-designed systems that has
been attributed to Chinese hackers — underscored the vulnerability of
the networks on which the government and corporations rely.
4. Colonial’s pipeline transports 2.5 million barrels each day, taking refined
gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and
New York’s major airports.Spencer Platt/Getty Images
For that reason, understanding how the pipeline attack unfolded — and
the motivations of those behind it — will become the focus of federal
investigators and the White House, which has elevated
cybervulnerabilities to the top of its national security agenda.
In a statement Saturday evening, the White House said that President
Biden had been briefed on the ransomware attack and its aftermath
earlier in the day and that federal officials were working to “assess the
implications of this incident, avoid disruption to supply and help the
company restore pipeline operations as quickly as possible.” It said it
was seeking to make sure others in the fuel industry were moving to
protect themselves.
Because it is privately held, Colonial is under less pressure than a
publicly traded company might be to reveal details. But as the
custodian of a major piece of the nation’s cyberinfrastructure, the
5. company is bound to come under scrutiny over the quality of its
protections and its transparency about how it responded to the attack.
People familiar with the investigation said that although Colonial
insisted that it became aware of the attack on Friday, the events
appeared to have unfolded over several days. It has hired the private
cybersecurity company FireEye, which has responded to the hacking
of Sony Pictures Entertainment, energy facility breaches in the Middle
East and many events involving the federal government.
Bringing down the pipeline operations to protect against a broader,
more damaging intrusion is fairly standard practice. But in this case, it
left open the question of whether the attackers themselves now had the
ability to directly turn the pipelines on or off or bring about operations
that could cause an accident.
The ransomware attack is the second known such incident aimed at a
pipeline operator. Last year, the Cybersecurity and Infrastructure
Security Agency reported a ransomware attack on a natural gas
compression facility belonging to a pipeline operator. That caused a
shutdown of the facility for two days, though the agency never revealed
the company’s name.
Cybersecurity experts say the rise of automated attack tools and
payment of ransom in cryptocurrencies, which make it harder to trace
perpetrators, have exacerbated such attacks.
“We’ve seen ransomware start hitting soft targets like hospitals and
municipalities, where losing access has real-world consequences and
makes victims more likely to pay,” said Ulf Lindqvist, a director at SRI
International who specializes in threats to industrial systems. “We are
talking about the risk of injury or death, not just losing your email.”
Colonial Pipeline, based in Alpharetta, Ga., is owned by several
American and foreign companies and investment firms, including Koch
Industries and Royal Dutch Shell. The pipeline connects Houston and
the Port of New York and New Jersey and also provides jet fuel to
major airports, including those in Atlanta and the Washington, D.C.,
area.
6. So far the effect on fuel prices has been small, with gasoline and diesel
futures rising about 1 percent on the New York Mercantile Exchange
on Friday. On average, prices for regular gasoline at the pump in New
York State rose on Saturday by a penny, to $3 per gallon from $2.99.
Over the past week, gasoline prices have risen nationwide by 6 cents
per gallon, according to the AAA motor club, as global oil prices have
risen rapidly.
“It’s a serious issue,” said Tom Kloza, the global head of energy
analysis at Oil Price Information Service. “It could snarl things up
because it is the country’s jugular aorta for moving fuel from the Gulf
Coast up to New York.”
The Oil Price Information Service reports that American gasoline
inventories are at the “comfortable” levels of 235.8 million barrels,
nearly 10 million barrels above levels in 2019, before the pandemic
reduced demand for fuel. Middle Atlantic and New England states have
substantial supplies, the analysis service reported.
A gas station in Queens. It was unclear how long the pipeline would be
shut down, and so far the effect on fuel prices has been small.Brittainy
Newman for The New York Times
Prices at the pump could be affected in different ways depending on
the region. If there is a prolonged shutdown, areas from Alabama north
through Baltimore will potentially see shortages. However,
Midwestern and Ohio Valley states could actually benefit from cheaper
shipments from the gulf refineries as the plants divert stranded supplies.
Though both the SolarWinds and the Microsoft attacks appeared
aimed, at least initially, at the theft of emails and other data, the nature
of the intrusions created “back doors” that experts say could ultimately
enable attacks on physical infrastructure. So far, neither effort is
thought to have led to anything other than data theft, though there have
been quiet concerns in the federal government that the vulnerabilities
could be used for infrastructure attacks in the future.
The Biden administration announced sanctions against Russia last
month for SolarWinds, and the executive order it is expected to issue
7. would take steps to secure critical infrastructure, including requiring
enhanced security for vendors providing services to the federal
government.
The United States has long warned that Russia has implanted malicious
code in the electric utility networks, and the United States responded
several years agoby putting similar code into the Russian grid.
But actual attacks on energy systems are rare. About a decade ago,
Iran was blamed for an attack on the computer systems of Saudi
Aramco, one of the world’s largest oil producers, that destroyed 30,000
computers. That attack, which appeared to be in response to the
American-Israeli attack on Iran’s nuclear centrifuges, did not affect
operations.
Another attack on a Saudi petrochemical plant in 2017 nearly set off a
major industrial disaster. But it was shut down quickly, and
investigators later attributed it to Russian hackers. This year,
someone briefly took control of a water treatment plant in a small
Florida city in what appeared to be an effort to poison the supply, but
the attempt was quickly halted.