Colonial Pipeline said the attack took place Friday and also affected some of its information technology systems. The company transports gasoline, diesel, jet fuel, and home heating oil from refineries primarily located on the Gulf Coast through pipelines running from Texas to New Jersey.
The Alpharetta, Georgia-based company said it hired an outside cybersecurity firm to investigate the nature and scope of the attack and has also contacted law enforcement and federal agencies.
“Colonial Pipeline is taking steps to understand and resolve this issue,” the company said in a late Friday statement. “At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”
Oil analyst Andy Lipow said the attack’s impact on fuel supplies and prices depends on how long the pipeline is down. An outage of one or two days would be minimal, he said. Still, an outage of five or six days could cause shortages and price hikes, particularly in an area stretching from central Alabama to the Washington, D.C., area.
Lipow said an essential concern about a lengthy delay would be the jet fuel supply needed to keep significant airports operating, like Atlanta and Charlotte, North Carolina. The precise nature of the attack was unclear, including who launched it and what the motives were. A Colonial Pipeline spokeswoman declined to say whether the company had received a ransom demand, as is common in attacks from cyber-criminal syndicates.
Ransomware scrambles a victim organization’s data with encryption. The criminals leave instructions on infected computers to negotiate ransom payments and, once paid, provide software decryption keys. While there have long been fears about U.S. adversaries disrupting American energy suppliers, ransomware attacks are much more common and soaring lately. Mike Chapple, teaching professor of IT.
Analytics and operations at the University of Notre Dame’s Mendoza College of Business and a former computer scientist with the National Security Agency said systems that control pipelines should not be connected to the internet and vulnerable to cyber intrusions. “The attacks were extremely sophisticated, and they were able to defeat some pretty sophisticated security controls, or the right degree of security controls weren’t in place,” Chapple said.