Major U.S. Gas Pipeline Shut Down Thanks to Another Ransomware Attack

Colonial Pipeline, the largest gas pipeline in the United States, temporarily shut down its operations on Friday following a ransomware attack.

A major distributor of fuel from U.S. Gulf Coast refineries to the Atlantic Coast and into New York Harbor, Colonial Pipeline has 5,500 miles of pipeline and transports 45 percent of the fuel distributed on the East Coast.

The incident underscores the need for oil and gas providers, utility providers, and other owners of critical infrastructure to monitor both their information technology (IT) networks (think business functions like email and billing) and their operational technologies (OT) networks (controlling the actual functioning of the networks that deliver goods like electricity and natural gas), as well as the connections between these networks.

What We Know About the Attack

In a statement published Saturday, Colonial Pipeline said a ransomware attack infected its IT network. As a precaution, the company also shut down all its pipeline operations, including its OT network- a separate network that controls its pipelines and distributes fuel.

As described by Kim Zetter, Colonial’s OT network uses automation systems to control and monitor the flow of fuel from refineries and tank farms into Colonial’s pipeline and from Colonial’s pipeline into the tanks and transportation facilities belonging to suppliers and distributors. Data collected by these “flow computers” on the OT network is sent to Colonial’s IT network so that Colonial can bill suppliers and distributors for the fuel they receive.

Connecting IT and OT networks performs a critical business function for Colonial (and other critical infrastructure providers) by enabling timely and accurate billing for fuel. However, that same connection could allow ransomware or another security compromise to compromise OT systems. That possibility led Colonial to halt pipeline operations.

What does this attack mean for pipeline operators and other owners and operators of critical infrastructure?

Last year, in the wake of a ransomware attack on the OT systems of a natural gas compression facility, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning operators of how hackers can move between IT and OT networks and disable assets on both networks. CISA recommends that pipeline operators consider several actions to prevent or limit these risks.

These include:

• Ensure that the operator’s emergency response plan considers cyberattacks and the potential impacts of a cyberattack on operations.
• Conduct tabletop exercises so employees can become familiar with these and other cyberattack scenarios and gain decision-making experience to prepare for the same.
• Implement network segmentation between IT and OT networks.
• Update and patch all software, including operating systems, applications, and firmware on IT network assets. Determine which OT network assets should participate in the patch management program
• Require multi-factor authentication to remotely access IT and OT networks.
• Ensure the organization can “fail over” to alternate control systems in the event of an attack.

Our Privacy, Cybersecurity and Data Management Team will continue to monitor the latest developments on this ransomware attack, and provide insights on the efforts of critical infrastructure organizations to build resilience and improve their security programs.