'Extreme Reaction' By Colonial Pipeline Baffles Energy Experts
A 2018 audit of Colonial Pipeline, which shut down its system Friday, found "a patchwork of poorly connected and secured systems."

VIRGINIA — The major East Coast pipeline behind the gasoline shortages in the Southeast and mid-Atlantic is coming under scrutiny for its information technology and cybersecurity practices.
Colonial Pipeline revealed Friday that it had been the target of a cyberattack on its information technology system. The company said the hackers stole nearly 100 gigabytes of data and encrypted at least a portion of the company’s information technology network.
The hackers, however, did not obtain access to the operational technology side of the pipeline company’s system. But Colonial Pipeline still decided to shut down the entire pipeline system, which provides nearly 50 percent of the gasoline and jet fuel to East Coast markets.
The decision to shut down the pipeline system has caused major shortages of gasoline. In Virginia, 55 percent of gas stations had run dry of supplies as of Thursday morning, according to GasBuddy, which tracks supply. In the District of Columbia, about 51 percent of stations were out of gas.
Colonial Pipeline said Thursday morning that it has made "substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service."
By midday Thursday, the company said each market it serves will likely be receiving product from its system.
The cyberattack targeted the portion of Colonial Pipeline’s technology network that most of its employees use to check their email, review contracts and write and distribute invoices, Bloomberg reported Wednesday.
Colonial Pipeline had no evidence that its operational technology systems, which are not connected to its information technology system, had been compromised in the attack, the company said.
Experts believe that a ransomware group called DarkSide was behind the cyberattack.
Colonial Pipeline, partly owned by Koch Industries, is the largest pipeline system for refined oil products in the nation. The pipeline system, which stretches from Texas to New York, came into service in the 1960s when pipeline operations were handled manually through receipt and delivery points for the petroleum products.
Pipeline system operations became more digital in the 1990s and 2000s. According to an Associated Press report, though, an outside audit conducted three years ago of Colonial Pipeline found “atrocious” information management practices and “a patchwork of poorly connected and secured systems.”
“We found glaring deficiencies and big problems,” Robert F. Smallwood, whose consulting firm completed a report in January 2018 after the audit, told the AP. “I mean, an eighth grader could have hacked into that system.”
The exact reason for Colonial Pipeline’s decision to shut down the entire pipeline system remains unclear. The company has acknowledged that the cyberattack affected only a portion of its information technology system, including the parts related to contracts and invoices.
Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy AG, told S&P Global Market Intelligence that Colonial Pipeline “took the blunt approach of shuttering a whole system” instead of only a portion of the pipeline system.
Simonovich believes energy infrastructure companies should work to get a clear understanding of the “visibility” of the relationship between their physical assets and their digital operations, S&P Global reported.
With a better understanding of the relationship between the physical pipeline assets and the information technology side, companies could “take a more surgical approach to containment,” he told S&P Global.
Infrastructure companies such as Colonial Pipeline then would be able to take action “that’s proportional,” Simonovich said.
Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers, told S&P Global that investigators will need to determine Colonial Pipeline’s understanding of the relationship between its IT side and its physical assets.
"If they had visibility into each segment," Rembiesa said, "why did they take the extreme reaction of shutting down the whole system?"
The U.S. pipeline industry, unlike its counterparts in the electric utility industry, is not subject to mandatory cybersecurity standards, even though both are designated as critical energy infrastructure by the federal government.
On Tuesday, Richard Glick, chairman of the Federal Energy Regulatory Commission, issued a statement in which he said it is “time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector.”
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick said. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”
Pipeline companies and their trade associations, though, have opposed mandatory cybersecurity rules for years due to the cost of implementing them.