How a ransomware attack shut down a major US fuel pipeline

The network carries petroleum products like gasoline and aviation fuel. Here's what to know.

A surefire way to appreciate the importance of a key piece of infrastructure is to watch what happens when it unexpectedly stops working. For example, most people probably thought very little about the importance of the Suez Canal, but when it suddenly became blocked in March by a grounded container ship, that changed. A typically reliable system had temporarily failed. The world noticed. 

Something similar happened beginning late last week with a sprawling, crucial petroleum transit system run by a company called Colonial Pipeline. That company discovered that it had been hit by a ransomware attack on Friday, May 7. “In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations,” the company explained in a statement on Saturday. On Monday afternoon, the company said that it is working on getting its operations back up and running. “Segments of our pipeline are being brought back online in a stepwise fashion,” it reported. 

Understandably, you may not think too much about ransomware attacks, nor about where the gas in your car comes from. Here are your questions about the situation, answered. 

What does Colonial Pipeline do?

Jet fuel, diesel, gasoline, and other petroleum products travel through Colonial’s approximately 5,500 miles of pipeline. Its operations stretch from Texas to New Jersey—covering 14 states in total—carrying in excess of 100 million gallons of fuel each day, according to the company. Nearly half of the fuel that the East Coast uses comes via the company’s operations. 

What this all means is that if you’re filling up your car on the East Coast, then there’s a chance the fuel came through these pipes. Ditto, if you’re flying from an airport like Washington Dulles or Hartsfield-Jackson Atlanta, the fuel in the metal bird could have come from Colonial; the company sends seven different airports its fuel. The military gets fuel from the company, too. 


A map of its four main lines, plus smaller sub-lines, is visible here. Generally, the fuel flows northwards and eastward in the main lines.

Gas has not become more expensive as a result of the situation, according to Patrick De Haan, an analyst whose Twitter updates are a good source of information on the topic.  

What is a ransomware attack? 

A human hostage can be held for ransom, and so too can data. “Ransomware has been on the rise over the last several years,” says Ben Miller, a vice president with Dragos, a cybersecurity firm. “Human operators are gaining access into these environments, and they encrypt the [victim’s] hard drives and computer systems.” They want money—Bitcoin, perhaps—in exchange for setting the information free. 

“In many cases, your individual computer will display a warning message,” he adds. That same message will also appear in many other locations. A famous example of another ransomware attack was called WannaCry.

So who did it?

It was a group called DarkSide, the FBI says.

“They consider themselves a business,” says Miller, referring to DarkSide. Like any business, they want to make money, and this is their evil business model.

This BBC story includes screenshots that show the type of message that DarkSide will display on its victim’s computers. 

Expect to see more events like this in the future, with infrastructure and the connected computer systems that undergird it becoming susceptible to attack. “It’s a portent of things to come,” Miller says. 

So what makes a company susceptible to ransomware?

An organization carrying out a ransomware attack is looking for a few elements, says Shuman Ghosemajumder, the global head of artificial intelligence at F5, a cybersecurity company. The target needs to have valuable data that they’re willing to pay to retrieve, as well as the resources to fork over the ransom money. Plus, the perpetrator, like DarkSide, needs a way to access the target’s system in the first place. 

“The way that they actually get in is based on the technology infrastructure being sufficiently vulnerable that they’re able to find a way in, and then install the ransomware,” says Ghosemajumder. “Usually what that means is that you’ve got some unpatched system in your infrastructure.”

On a more local level, the event is a reminder of the importance of running the most up-to-date version of software. But while Apple, for example, makes updating your iPhone’s software pretty painless, it’s a much harder process for a large company running something as complex and potentially dangerous as a petroleum pipeline. “Usually what you see is that they’re primarily concerned with the stability and reliability of their overall business operations,” he says. “And the way that they achieve that is by using known, stable versions of software.” 

An older version of Windows, and other tried-and-true software, may be reliable from an operations perspective, and upgrading is expensive, time-consuming, and potentially introduces new problems. But relying on the older code also can be a security risk. Companies will have to prioritize how they manage this issue, from installing crucial patches to thinking about upgrading entire software versions, Ghosemajumder says. 
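The tension Ghosemajumder describes, between keeping a known-stable system and closing the holes it carries, is usually handled as a triage problem: rank the assets that are out of vendor support, missing critical fixes, reachable from the internet, or controlling a physical process, and fix or isolate the worst first. The script below is an added illustration of that triage, not code from the article or from Colonial Pipeline or the experts quoted; the inventory, the host names and OS versions, and the scoring weights are all constructed assumptions for the example.

```python
"""Patch-priority triage over a constructed asset inventory (illustrative example)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    os_name: str
    vendor_supported: bool         # vendor still ships security fixes for this OS
    missing_critical_patches: int  # critical fixes available but not yet installed
    internet_exposed: bool         # reachable from outside the corporate network
    controls_process: bool         # supervises a physical process (control network)


# Weights are assumptions chosen for this example, not an industry standard.
UNSUPPORTED_OS = 40
PER_MISSING_PATCH = 10
MAX_PATCH_WEIGHT = 30
INTERNET_EXPOSED = 20
CONTROLS_PROCESS = 15


def risk_score(asset: Asset) -> int:
    """Higher score = fix sooner. Unsupported software outweighs any patch backlog."""
    score = 0
    if not asset.vendor_supported:
        score += UNSUPPORTED_OS
    score += min(asset.missing_critical_patches * PER_MISSING_PATCH, MAX_PATCH_WEIGHT)
    if asset.internet_exposed:
        score += INTERNET_EXPOSED
    if asset.controls_process:
        score += CONTROLS_PROCESS
    return score


def recommended_action(asset: Asset) -> str:
    """Map the asset's state to the remediation a patch-management plan would record."""
    if not asset.vendor_supported:
        return "plan OS upgrade; until then isolate from internet and IT network"
    if asset.missing_critical_patches > 0:
        return "install outstanding critical patches in next maintenance window"
    return "no action; keep monitoring"


def prioritize(assets):
    """Return (name, score, action) tuples, most urgent first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), recommended_action(a)) for a in ranked]


# Constructed sample inventory: names, versions and patch counts are made up.
SAMPLE_INVENTORY = [
    Asset("billing-web-01", "Windows Server 2019", True, 2, True, False),
    Asset("hmi-station-03", "Windows 7", False, 0, False, True),
    Asset("eng-laptop-12", "Windows 10", True, 0, False, False),
    Asset("scada-historian", "Windows Server 2008", False, 0, True, True),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:16s}  {action}")
```

Run as-is, the script lists the internet-reachable, unsupported historian first and the fully patched laptop last. The point of the weights is the one the article makes: an old operating system that no longer receives fixes scores higher than a supported one with a short patch backlog, because the backlog can be closed in a maintenance window while the unsupported host can only be upgraded or walled off.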

Are there bigger lessons here?

Yes. Public services have “a silent component” to them, says Miller, of Dragos. “Whether it is how the electric grid operates, to water, to oil and gas—they are all using the same types of computer systems.” (Colonial boasts about its “digital transformation” here.) If a system doesn’t have built-in resilience, and then it’s hit by a problem, the disruptive effects can be huge. 

“As these systems become more and more interconnected, they are becoming more exposed, and the possibility of an attack occurring on them does increase,” he adds. 

And when an attack or other issue disrupts a system that had been previously working, people suddenly start noticing. “Everyone just wants everything to work,” says Ghosemajumder. “But as soon as something breaks—whether it’s because of a security attack, or because of some oversight in terms of how a system was set up or operated—that’s when everyone laser focuses on this particular component that’s now broken or compromised, and they start learning about exactly what it does.” 

“You can often discover,” he adds, “that very complex, modern technology infrastructures are built on top of these dependencies that are pretty old and rickety.”