Cars lined up for hours at gasoline stations in the nation’s southeast amid the shutdown of the Colonial petroleum products pipeline due to a ransomware attack underscore the continuing threat of cyberattacks.
The American Petroleum Institute told media this week the incident underscores the vital importance of maintaining the nation’s pipeline infrastructure and developing additional pipeline infrastructure. The industry association also pointed out that cyberthreats are nothing new to pipelines, indeed to any industry.
Any new regulations intended to address pipeline cybersecurity would be premature, the association said, saying flexibility is needed to allow companies to address the constantly evolving technology, hardware and threats.
A spokesperson for the Interstate Natural Gas Association of America told the Reporter-Telegram by email, “Natural gas pipelines are critical infrastructure that move one-third of the energy consumed daily in the United States. INGAA member companies work around-the-clock to secure and protect this vital transportation network and the technology systems that operate it to ensure safe and reliable energy delivery to the hundreds of millions of Americans who rely on us. Our members’ cybersecurity protections include implementing standards set by TSA and NIST, on-the-ground assessments administered by CISA, intelligence sharing with numerous government and industry partners, and establishing a security culture within their organizations with all employees active in prevention of cybersecurity threats.
“Following the cybersecurity attack on Colonial Pipeline, our members began monitoring their systems with enhanced vigilance and taking actions such as verifying their cybersecurity protections and backups were operable and scanning their systems for indications of the type of intrusion that was reported to have impacted Colonial. We are not aware of any impacts to natural gas pipelines as a result of this cyberattack. As we learn more about this recent event in the coming days and weeks, INGAA members are committed to continuing our efforts to identify and implement opportunities to further enhance our cybersecurity programs.”
Pipelines sought to assure that they have taken and continue to take action to protect their infrastructure from threats.
Kinder Morgan, which has ownership of the Products (SE) Pipeline, formerly Plantation Pipe Line Company, said the pipeline remains online and in full service and is currently working with customers to accommodate additional barrels during Colonial’s downtime.
“We will continue to work under industry best practices and in coordination with our customers and regulators as the situation evolves,” the company told the Reporter-Telegram in a statement.
Energy Transfer told the Reporter-Telegram in an emailed statement that the company “has a robust cybersecurity program that is deployed at all levels of the enterprise to keep our assets secure. Continuous training, strong identity and access management structures, supply-chain security assessments, endpoint protection, network segmentation, and a Security Operations Center work together to ensure the confidentiality, integrity and availability of our systems.”
Energy Transfer also cited its cybersecurity initiatives on its website’s homepage in the aftermath of the Colonial Pipeline shutdown.
Asked what impact a similar attack on a crude oil or natural gas pipeline would have, Rob Roberts, director in Opportune LLP’s process and technology group, told the Reporter-Telegram in a telephone interview that a crude oil shutdown would have a softer impact. He explained that crude oil is far up the supply chain and that refineries have a supply cushion that would mitigate any impact for a couple of weeks.
As to natural gas pipelines, he said Texans got a taste of a potential shutdown in February thanks to Winter Storm Uri.
“Depending on the season and where (the attack) was located, it would have an impact on power generation,” Roberts said. “Even in summer, we k now ERCOT has difficulty balancing supplies if a plant goes down.”
The larger companies are addressing cybersecurity, he said. The industry has been undergoing a technology transformation, adopting digital technology and placing cybersecurity at the top of their efforts, training employees and hardening systems.
“Many organizations throw in their own phishing attacks to test employees,” he said.
Technology changes so rapidly, he said, that by the time proposed legislation to address specific threats gets out of committee, those threats have become obsolete.
Other challenges include the pipeline systems themselves. The Colonial pipeline is 550 miles, but Roberts noted there are shorter lines that interconnect with it all along the route. Kinder Morgan mentioned its PPL line, and Roberts pointed out that was the merger of pipelines with different systems, meaning information technology management had to cover “10 bases instead of two.”
Today, it’s impossible to disconnect the oil patch – drilling rigs, pumping units and tank batteries are all capable of sending data to engineers and geologists hundreds if not thousands of miles away. And upstream and midstream companies can also communicate through digital technology.
Without strong and ever-evolving cybersecurity in place, Roberts cautioned that interconnectedness “could be their downfall.”