May 27, 2021

The US Department of Homeland Security on Thursday issued its first cybersecurity regulations for the pipeline sector following a ransomware attack on Colonial Pipeline that crippled fuel supplies along the East Coast earlier this month. The new security directive, issued by the DHS Transportation Security Administration, will require critical pipeline companies to report confirmed and potential cyberattacks to the US Cybersecurity and Infrastructure Security Agency.

"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," Secretary of Homeland Security Alejandro Mayorkas said Thursday in a statement. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."

The directive also requires pipeline companies to undertake a review of their current security practices to identify any risks or gaps. Companies must report results of these reviews to the TSA and CISA within 30 days.

Colonial closed pipeline operations on May 7, when a ransomware infection was found on its computer systems. The shutdown affected the supply of gas in parts of the East Coast, with some people waiting an hour or more at filling stations or not finding gas at all. State and federal officials had warned against hoarding and panic buying that could exacerbate the problem. According to Colonial, the pipeline restarted operations on May 13 and returned to full capacity on May 17, though it took longer for the fuel supply to return to normal.

The ransomware infection at Colonial highlighted the vulnerability of the country's critical infrastructure, which has been the target of an increasing number of cyberattacks. Cities, schools and hospitals have all been hit by cybercriminals, who scramble a victim's computers and then extort a payment to decrypt them.

The FBI blamed the attack on a group called Darkside, which is believed to be based in Russia. President Joe Biden said the FBI doesn't believe the Russian government itself was directly involved in the attack.

Darkside's website has gone offline and the group is apparently disbanding.

On May 12, Biden issued an executive order aimed at strengthening US cybersecurity. The wide-ranging order includes the creation of a Cyber Safety Review Board that will convene after major incidents. Members of the Defense and Justice departments, several security agencies and private sector specialists will be on the board.

What happened?

Colonial Pipeline was hit with a ransomware attack. Bloomberg reported that hackers began the attack on May 6 by stealing about 100 gigabytes of data in a double extortion scheme that holds the data hostage and threatens to leak it. The company shut some of its operations after discovering malicious software in order to prevent it from spreading.

What's a ransomware attack?

Hackers use ransomware -- a type of malware -- to scramble a company's computer data and hold it hostage until a ransom is paid. Sometimes they employ a double extortion scheme by pilfering data and threatening to publish it.

What was Colonial's immediate response?

The company, which operates pipelines for gasoline, jet fuel and other refined petroleum products, halted pipeline operations after discovering the hack. Colonial said it "proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems."

The CEO of Colonial Pipeline later confirmed that he authorized a $4.4 million ransom payment to the hackers to get the critical energy artery operating again; it had been closed to prevent the malicious software from spreading through the company's systems.

In a Wall Street Journal article published May 19, Colonial CEO Joseph Blount acknowledged the decision was "controversial" but said it was in the country's best interest to get the pipeline running again. The company paid about 75 bitcoin in exchange for decryption software, the Journal reported.

"I didn't make it lightly," Blount said of the payment in his first remarks since the hack. "I will admit that I wasn't comfortable seeing money go out the door to people like this."

Colonial services seven airports and operates in 14 states. Its system is the biggest in the US, the company says, covering more than 5,500 miles. A legend on the company's tanks, featured on its website, reads: "America's Energy Lifeline."

Who's behind the attack?

The FBI blamed Darkside, a ransomware group, for the attack. The law enforcement agency said it was notified of the hack on May 7 and is investigating alongside the company and other government agencies.

As of May 14, the group appeared to have disbanded, according to The Wall Street Journal, which reported Darkside had told associates that it had lost access to the infrastructure it needs for its activities. The group said law enforcement actions had prompted its decision, according to the Journal.

Cybereason, a security company based in Boston, wrote that Darkside focuses on targets in English-speaking countries and avoids operations in "former Soviet bloc nations." In other words, Russia likely allows Darkside to operate without interference.

"We do not believe the Russian government was involved in this attack, but we do have strong reason to believe the criminals who did this attack are living in Russia," Biden said, according to The New York Times. "We have been in direct communication with Moscow about the imperative for responsible countries to take action against these ransomware networks."

How prevalent are ransomware attacks?

They're pretty common. City governments around the US, including Baltimore's and Atlanta's, have been slammed by ransomware attacks. Hospitals have been shut down. In one case, a patient died because she had to be taken to a hospital nearly 20 miles away from her initial destination, which was dealing with a cyberattack.

Often, the victims pay to recover their data. Two cities in Florida -- Lake City and Riviera Beach -- together paid more than $1 million to unfreeze their systems. The cities paid in Bitcoin, a popular cryptocurrency. Law enforcement discourages the ransom payments.

Did the shutdown cause a gas shortage?

Federal and state officials took quick action to prevent a shortage, though the shutdown did cause some motorists to fill up their tanks just in case.

A Department of Transportation agency posted a regional emergency declaration for 18 states and Washington, DC, "in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the Affected States." The declaration was designed to keep the fuel supply on the East Coast flowing.

North Carolina, South Carolina and Virginia also declared states of emergency.

Concerns over a gas shortage helped temporarily push GasBuddy, a price-comparison app, to the top of Apple's App Store, according to App Annie, although it's since slid.

What about gas prices?

Prices did rise in the wake of the shutdown, but a GasBuddy analyst told MarketWatch that the increase reflected the reopening of the US economy. As of May 27, the average price per gallon in the US is about $3.07, about 18 cents higher than it was a month ago, according to GasBuddy.