Colonial Pipeline crisis in US highlights the high price of cracks in a nation’s digital armour

Fuel-hungry drivers pull into a QuikTrip station which has no gasoline to sell in Atlanta, Georgia, US on 12 May 2021. (Photo: EPA-EFE / Erik S. Lesser)

A truly horrific possibility of national and even international chaos presents itself from the hacker breach at Colonial Pipeline — a company that brings nearly 50% of all petrol and aviation fuel used in the eastern half of the US to markets and customers. The problem of more such chaos is nowhere near close to being solved. Pay attention closely.

Today’s text will touch on the apocalyptic — but we’ll be leaving alone the troubling developments in the Middle East, the ructions within the decaying carcass of the Republican Party in the US, or the possibilities of actual hostilities in the Taiwan Strait or the Persian Gulf, or along the Ukraine/Russia border. Instead, we shall focus on something we really didn’t think we needed to worry about at all. 

In fact, it is something we — or at least most of us — probably didn’t even know we needed to worry about as we went about our lives, unless we were serious cyberpunk devotees or cybersecurity consultants. And this, of course, is the Colonial Corporation pipelines and ransomware fiasco. And the near apocalypse.

Flags fly in front of a Colonial Pipeline storage tank at a facility in the Port of Baltimore, Maryland, US, on Tuesday, 11 May 2021. Fuel shortages expanded across several US states in the East Coast and South as filling stations ran dry amid the unprecedented pipeline disruption caused by a cyber hack. (Photo: Samuel Corum / Bloomberg via Getty Images)

For most of us (except those living totally off-grid and using human or actual horsepower for transportation), those of us who have ever owned or used an automobile, flown in a commercial (or private) airliner, boarded a bus or a train, or used anything that has anything to do with petrochemicals, we are utterly dependent on networks of pipelines. 

The other day, I had an electronic exchange with a former colleague living in the Northern Virginia suburbs of Washington, DC, about the temporarily non-functioning fuel pipelines, and he explained that one of the major parts of the Colonial Pipeline company’s continent-spanning network actually passed just below the surface of his property, as it was constructed to feed the needs of cities further north.

These pipelines are ubiquitous — and crucial to modern life. Without them, petrol (gasoline to Americans) and jet fuel do not leave refineries and reach storage depots and on to customers like airports and thousands of petrol stations everywhere. There are other pipelines as well, taking unrefined petroleum to refineries, such as the controversial and still-unfinished Keystone XL pipeline going from Canadian oilfields to giant refinery complexes in Texas and Louisiana. A full map of all of the country’s pipelines would resemble the circulatory system of a vast, swollen dinosaur. 

A tanker delivers fuel to a Speedway petrol station in Alexandria, Virginia, US on 13 May 2021. (Photo: EPA-EFE / Shawn Thew)

Of course these pipelines are not simply a feature of the US economy. South Africa has them too, especially since the majority of the petrol and aviation fuel consumers are almost certainly located in Gauteng and the refineries are at the coast where they receive petroleum concentrate from suppliers outside the nation. Europe is similarly host to such constructions and one of the continuing irritants between Germany and the US is the former’s plan to import natural gas via a pipeline under the Baltic and North seas from Russia, with the US worrying that dependence upon these supplies would weaken German resolve on various strategic issues that can pit the Nato alliance and Russia against each other.

Some years ago, when this writer was working in Lagos, Nigeria, the main refined petrol pipeline from the port facilities inward into the city’s commercial core ruptured; the contents spewed out and burst into flame, and the resulting column of flame and smoke and the sound of the initial explosion could be seen and heard for miles. (In fact, I was called by a major news network in the US to ask if there was an ongoing coup attempt or civil war. True story. They had seen the column from real-time Google Earth-style imaging.) 

Apparently, someone with some really urgent needs for petrol and in possession of industrial-strength tools forced open a gap in the pipeline. In a flash, hundreds of people had queued up with jerry cans, buckets, and other containers for some free fuel, but, then, hundreds were incinerated when the highly volatile liquid caught fire, from a metal on metal spark or from a discarded cigarette. And Lagos was suddenly about to run out of motor vehicle fuel until the massive breach was sealed and the pipeline was operational again.

US President Joe Biden speaks in the Roosevelt Room at the White House on 13 May 2021 about the Colonial Pipeline hacking incident. The company announced that the pipeline was restarting, but supply to petrol stations may take several days to return to normal. (Photo: EPA-EFE / TJ Kirkpatrick / Pool)

Meanwhile, the average American generally pays little attention to pipelines as a source of national difficulties — until their petrol products are no longer available or their scheduled air flight is cancelled.

Refinery accidents and explosions can and do take place because the chemical processes are inherently dangerous and even massive oil spills from offshore drilling and exploration platforms can occur from time to time; but they generally do not affect price points for refined products or supply lines since there are usually multiple sources of supply, and drilling and refining companies strive to have access to sufficient quantities of the raw material (and then the finished products) on hand to ensure their production facilities are not suddenly shut down on an emergency basis. Downstream, the same planning applies. As a result, people who watch petrol prices are usually tracking product demand more than actual refining capacity. 

But what happens when the distribution of these absolutely fundamental products — refined petrol and aviation fuel — is unexpectedly sundered, as it was in Lagos, but on a much bigger canvas? And then, with still-uncertain circumstances for its consistent, full-scale restoration? Americans may now be about to learn the answers to these questions.

While the pipeline company has announced it will resume operations on that major pipeline system sending diesel, petrol (gasoline), and aviation fuel northwards from southern refineries, panic buying and empty petrol station tanks were already in evidence in many places. And the price at the pump was already creeping up, just in advance of the big Memorial Day holiday travel weekend, portending possible panic buying in advance of the summer vacation period. 

Not surprisingly, this crisis has quickly become a growing concern for the Biden administration. It will be popularly expressed along the lines of, “Why doesn’t this administration do something about this before it hurts me and the other average guys?” — even as the president and his advisers must now also contemplate the ongoing — and worsening — tumult in the Near East. 

That may also have ongoing reverberations on fuel prices, given the way tensions and civil unrest can — and have in the past — spread from nation to nation in the Near East. While current circumstances are significantly different from earlier crises, many — including the markets — may recall the wide-ranging oil shock that came in the wake of the October War in 1973, and then the lesser shocks when hostilities erupted in the two Gulf wars. 

The Colonial Pipeline crisis has now also highlighted another aspect of modern society and the economy that is related to the omnipresent importance of fuel pipelines. And that, of course, is the now-glaringly obvious and visibly public awareness of the cyber vulnerability of such networks — and the society that depends on them.

A while back, in the wake of a number of serious cyberhacking intrusions by foreign powers (variously speculated to be Russian, Chinese, North Korean, Iranian, or garden-variety criminal syndicates) into its classified networks, the US government began undertaking more vigorous, more aggressive steps on cybersecurity for its networks. One company, SolarWinds, was contracted to do some of this critically important work, and it prepared the relevant software updates and security patches. It apparently made these fixes available to government agencies via a link protected by a password that was, wait for it, “solarwind123”.

That is a very hard password to figure out, for sure. People should take comfort in the fact that at least it wasn’t the company’s street address or phone number, but seriously, folks, not even a randomly generated password? 

At this point, it remains unclear whether those enhanced security patches were not, themselves, compromised by those who originally had gained access into those sensitive security systems and thus had triggered the problem in the first place. (By contrast, the rest of us are constantly bedevilled by imperatives from our online banking and other services to select passwords with upper and lower case letters, numbers and special characters that are not easy to suss out by malefactors and to change them often. We do it, too, even if the resulting password jumble in our lives can confound us. SolarWinds did not.)

Meanwhile, over at Colonial, a privately held company with significant investments by the Koch Brothers (major pipeline operators and funders of right-wing political candidates and lunatic raver causes), among others, the pipeline company was hit by a ransomware demand from something called DarkSide (sounds like something out of a Batman or Marvel Comics superhero movie, yes?). It was neither very funny nor comic-baroque, however. 

The intruders’ modus operandi seems to have been to attack the corporate management software and thus extract valuable, confidential, and proprietary data about the company, rather than the actual operations of its pipelines. But there was the threat of worse to come if the demanded ransom wasn’t paid, presumably in Bitcoin. The company, taking few chances, then shut down its pipeline operations, just in case. Apparently, chaos with the nation’s fuel access was deemed to be the lesser of two evils. The company is now promising to have things up and running again by the end of the week, but who really knows just how much data has been taken, or whether or not poison pills have been inserted into those electronic systems by the bad guys. 

CNBC reported most recently that, “The hacker group DarkSide claimed on Wednesday to have attacked three more companies, despite the global outcry over its attack on Colonial Pipeline this week, which has caused shortages of gasoline and panic buying on the East Coast of the U.S.

“Over the past 24 hours, the group posted the names of three new companies on its site on the dark web, called DarkSide Leaks. The information posted to the site includes summaries of what the hackers appear to have stolen but do not appear to contain raw data. DarkSide is a criminal gang [or a combination of criminal gang and an entrepreneurially minded foreign power or powers], and its claims should be treated as potentially misleading.

“The posting indicates that the hacker collective is not backing down in the face of an FBI investigation and denunciations of the attack from the Biden administration. It also signals that the group intends to carry out more ransom attacks on companies, even after it posted a cryptic message earlier this week indicating regret about the impact of the Colonial Pipeline hack and pledging to introduce ‘moderation’ to ‘avoid social consequences in the future.’

“One of the companies is based in the United States, one is in Brazil and the third is in Scotland. None of them appear to engage in critical infrastructure. Each company appears to be small enough that a crippling hack would otherwise fly under the radar if the hackers hadn’t received worldwide notoriety by crippling gasoline supplies in the United States.

“The US-based company is a technology services reseller based in Illinois. DarkSide claims to have stolen more than 600 gigabytes of sensitive information, including passwords, financial information, HR information and employee passports from it…”

In response to all of these attacks, along with the earlier hacker attacks on US government sites, the Biden administration is upgrading its responses, although some critics are arguing these attacks were virtually inevitable, given the plethora of data to be harvested and the sometimes lacklustre security or inconsistent tactics being used by potential targets. The National Security Archive, a nonprofit watchdog, reported on Wednesday, “This week’s ransomware episode involving Colonial Pipeline has exposed deep cracks in America’s digital armor. However, lost in the flurry of calls for swift action to avoid future damage is the fact that such attacks have been predicted for some time, as a sampling of government records posted today by the National Security Archive shows.

“In response to the Colonial Pipeline event attributed to the ransomware group DarkSide, the Biden Administration has announced an all-of-government effort to mitigate potential energy supply disruptions. On top of temporary actions to relieve fuel shortages, agencies such as the FBI and CISA [Cybersecurity and Infrastructure Security Agency] have released advisory documents to ‘help [critical infrastructure] owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware.’

“In addition, President Biden today signed an Executive Order designed broadly to ‘improve the nation’s cybersecurity,’ although experts are already questioning whether the anticipated measures could have prevented any of the recent serious cyber events such as SolarWinds or Colonial Pipeline.”

A bottom line from all of this is pretty simple: Expect more such attacks by outlaw groups, foreign nations or coalitions of these in various mixes, and do not expect that countermeasures are guaranteed to prevent or ameliorate the damage in advance. Novelists and futurologists are predicting much more of this, especially if it proves to be lucrative in financial terms or geopolitical ones. And ordinary consumers should be even more careful about their own passwords and the possibility of their data being hacked.

As a public service, then, here is some advice from one computer fundi: Make your own password some easy to remember variant of the word “incorrect”. That way, any time you have to type in a password, you can enter anything. The dialogue box will tell you: “Your password is incorrect.” Problem solved. DM
