4 min read

US Colonial Pipeline Attack - Consequences for the Security of Critical Infrastructure in Europe

Read more

By Brett Randles

|

Published 27 May 2021

Overview

The news was once again awash with headlines of a serious cyber-attack after the story broke that Colonial Pipeline, one of the largest pipelines in the US, had been severely impacted after falling victim to a ransomware attack.  The pipeline stretches 5,500 miles from the Gulf Coast all the way up to New Jersey and is said to carry 2.5 million barrels a day through 14 states. This equates to 45% of the East Coast's supply of diesel, petrol and jet fuel as well as supplying seven different airports.   

The news was once again awash with headlines of a serious cyber-attack after the story broke that Colonial Pipeline, one of the largest pipelines in the US, had been severely impacted after falling victim to a ransomware attack. The pipeline stretches 5,500 miles from the Gulf Coast all the way up to New Jersey and is said to carry 2.5 million barrels a day through 14 states.

This equates to 45% of the East Coast's supply of diesel, petrol and jet fuel as well as supplying seven different airports.

 

Ripple Effect

As a result of the attack, the pipeline was shut down for six days which led to fuel shortages across the eastern coast as well as a state of emergency being declared in 4 separate US States. The shutdown sparked a dramatic spike in demand for fuel, pushing prices to the highest levels in a number of years, leaving many without fuel.

Colonial became aware of the incident on the morning of 7 May 2021 and later that evening a decision was made to pay the ransom demand in the amount of $4.4 million. The company managed to restore service on the pipeline and as of 15 May, fuel was being transported at normal levels.

The intrusion of Colonial Pipeline is the latest addition to a growing list of similar high profile cyber-attacks that the US is facing from threat actors. Notably, there have been recent attacks on solar power firms, federal and local government agencies and even police departments which is indicative of the prevalence and severity of ransomware attacks.

However this latest incident, although brief, is a stark demonstration as to the impact that such an attack can have on a nation’s critical infrastructure and just the loss of profits to an online business. Even though the ransom was paid within a day and the company took a number of mitigating steps in response to the attack, the pipeline remained out of action for a number of days and the effect on ordinary citizens was felt far and wide.

 

Threat Actors with a Conscience?

It was recently confirmed by the FBI that the group of hackers known as Darkside were responsible for the incident. Darkside, believed to be located in Eastern Europe, are a known criminal group to the cyber world who specialise in these types of attacks and they typically share this malicious software with lesser known affiliates, for a small fee.

Interestingly, in response to the media backlash, Darkside published a statement on its website stating that "Our goal is to make money and not creating [sic] problems for society," they also described themselves as “apolitical” and that "We do not participate in geopolitics, do not need to tie us with a defined government and look for... our motives…"

 

Consequences for Europe

There has been a noticeable effort to bolster the resilience of the energy system in Europe, although some work still remains. The attack on Colonial only adds volume to the call for new regulation on critical infrastructure. In Europe, providers have faced a limited number of requirements under applicable cybersecurity legislation, the Network And Information Systems Directive (“NISD”) - as well as legislation specific to certain sectors.

NISD is relevant to an organisation if it is an essential service or if they are a digital service provider. Principally, those in the critical sectors of financial services, health, water, energy, transport and telecommunications will be required to ensure that appropriate controls are in place. This includes applying minimum cyber security protocols and punctually reporting incidents as they occur. There is a maximum penalty of £17 million to be introduced for all contraventions of the NISD, however it is also possible that additional sanctions relating to other aspects of contraventions under other applicable laws, including the GDPR may apply.

It is likely that stricter cyber security rules will be forced on European companies when a proposal by the European Commission to strengthen the current regime is passed. In the draft law, should an energy firm fail to implement security audits, have incident response policies and verify the security of their suppliers, they risk being fined up to 2 percent of their annual turnover. The EU is also working on a "network code" on cybersecurity for electricity firms and a similar code for gas is also in the pipeline.

From a European perspective, it would appear that the intention is sound and that a number of systems and policies are being rolled out to in an attempt to stay relevant and up to date.

However, whether it is enough remains to be seen and it is presumably only matter of time until Europe finds out and experiences a similar attack on critical infrastructure to the Colonial incident.

Author