The May 7 cyberattack on the Colonial Pipeline Co. is receiving massive attention for the five-day shutdown’s effect on gasoline shortages and panic-buying. But what about the physical safety of pipes that also carry such products as jet fuel and heating oil along the Chattahoochee River and beneath hundreds of metro Atlanta lawns and streets? Did the hack cause, or have the ability to cause, any leaks or damage to the pipeline, or limit the operator’s ability to detect such problems?
The silence in response to those questions — from Colonial, from the federal regulatory agencies that supervise its safety and security, and from a pipeline industry trade association — illustrates what some activists and officials say is a fragmentary and lax system that leaves America’s pipelines vulnerable to more and worse assaults, and communities in the dark.
The Pipeline Safety Trust, a watchdog group based in Washington state, has no information that the Colonial hackers caused any leak, according to Rebecca Craven, the group’s program director. But, she added, there are also few mandatory reporting requirements, just like there are few mandatory requirements for cybersecurity against such hacks, which means the full story may not yet be known.
“So we don’t know that they tried to take control of the operation part of the computer system, but certainly an attack like that would have the capacity to get to the physical control of the pipeline operation system and change pressures or open or close valves or any of those things that could cause damage. So yeah, that’s a concern,” said Craven.
Other infrastructure hacks have given the watchdog group concern, said Craven, citing a February incident where someone broke into a Florida city’s water treatment plant computer system and attempted to add a toxic level of chemicals to the water supply.
Previous non-electronic incidents of leaks and damage to Colonial pipelines underscore the concern, Craven said. The East Coast saw similar gasoline panics in 2016 following a massive pipeline leak in Alabama, which was soon followed by a fatal pipeline explosion in the same state caused by a construction crew. Colonial is still in the midst of controversy over a pipeline leak in North Carolina last year that spilled over 1.2 million gallons of gasoline and which its systems reportedly failed to detect.
“The lack of mandatory requirements [for pipelines] is an issue. There are that kind of mandatory cybersecurity requirements in the electric grid world,” said Craven. “It’s way past time that there was a uniform standard of security that these operators need to meet.”
That call was echoed May 10 by Richard Glick, chairman of the Federal Energy Regulatory Commission, the body that oversees the business side of pipeline operations and expansions.
“The cyberattack against the Colonial Pipeline system, which provides nearly half of the fuel supply for the East Coast, is a stark reminder that we must do more to ensure the safety of our nation’s energy infrastructure,” Glick said in a written statement issued to the public with the support of fellow Commissioner Allison Clements. “… It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.”
Did the cyberattack affect pipeline safety?
In the current system, it’s hard to get even a straightforward answer to what is known and unknown about the pipeline damage possibilities of this particular hack. The reported focus of the attack was gaining a ransom for stolen data, but details remain scarce. Colonial, which is based in Alpharetta, would only refer to written statements on its website about the shutdown, none of which directly addressed the possibility of leaks or damage. One May 11 statement did suggest physical security concerns: “Consistent with our safety policies and regulatory requirements, Colonial has increased aerial patrols of our pipeline right of way and deployed more than 50 personnel to walk and drive ~5,000 miles of pipeline each day.”
Chattahoochee Riverkeeper, an Atlanta-based environmental nonprofit, works with Colonial on emergency response drills to prepare for any leaks along the river. Jason Ulseth, a staff member at the nonprofit, said his group was curious about the possibility of damage from the hack but has not heard any warning from Colonial. “We have no indication there’s any threat to the Chattahoochee River with this cyberattack and feel very confident that Colonial Pipeline would notify us” if there were, he said.
The Association of Oil Pipe Lines, an industry trade organization based in Washington, D.C., referred questions about the May 7 incident and the general threat of cyberattacks to Colonial and cut-and-pasted an email containing one of the company’s press releases.
Federal regulation of pipeline safety and security is split between two agencies. One is the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA), which did not respond to questions about the Colonial attack’s physical safety effects. The other is the Transportation Security Administration (TSA), whose entire initial response said, “That is a question for Colonial Pipeline.”
When reminded that the TSA is responsible for federal oversight of pipeline security, an agency spokesperson responded with a statement about its general work, including expanding its Pipeline Security Branch from six to 34 total-time positions in the wake of a 2019 controversy about understaffing. “We know you asked another question, and we are working to get an answer,” the spokesperson added, saying that would take time to coordinate with various federal security agencies.
Beneath local streets
Colonial and another company, Products (SE) Pipe Line Corporation (until recently known as Plantation), have three petroleum pipelines running through neighborhoods and along waterways in the metro area, including through Brookhaven, Buckhead, Dunwoody and Sandy Springs. Depending on the pipe and the timing, they may carry gasoline, diesel fuel, jet fuel, heating oil and bio-diesel or ethanol.
They are part of much larger networks, with Colonial’s running between Texas and New York, and PPL’s between Louisiana and Washington, D.C. Kinder Morgan, PPL’s parent company, said its pipelines remained in operation during Colonial’s shutdown and aimed to increase capacity and defer maintenance to help with gas supplies.
Petroleum pipelines, such as the Midwest’s Dakota Access pipeline, are increasingly controversial nationwide for leaks and property-takings. Earlier this year, President Biden revoked the permit for an extension of Keystone, another controversial Midwestern pipeline. In 2016, Georgia opposition halted Kinder Morgan’s planned Palmetto pipeline between Florida and South Carolina.
The pipeline industry says its leaks are relatively few and small, and that underground pumping of fuel is much safer than the alternatives: railroad cars and tanker trucks. Pipeline operators have automated systems to detect unusual activity within the pipes and inspectors who walk on and fly over the routes. They also run devices called “smart pigs” down the pipes. The devices have sensors that can detect even small cracks or imperfections.
Such methods found defects or flaws in Colonial pipelines under Sandy Springs streets that were repaired in 2016 and 2017. It has been more than 20 years since the last major leak in local communities: a 1998 Colonial pipeline spill of more than 30,000 gallons of gasoline along Sandy Springs’ Morgan Falls Road. That leak was spotted by an employee of a nearby recycling center, not Colonial’s technology.
Rising concerns in cyberattack era
Watchdog groups like the Pipeline Safety Trust say the leak detection and reporting systems have flaws of their own. Only certain types and sizes of leaks may be disclosed, and detection technologies may fail or not even be present. Among the issues raised in the current North Carolina spill controversy is that leak detection technology was only recently required along the entire length of pipelines and operators still have several years to phase that in, and there are no federal requirements for the sensitivity of such technology. The regulatory split between PHMSA and the TSA has drawn criticism as well.
Such concerns have only increased with the rising threat of cyberattacks by criminals, terrorists or foreign governments. In 2018, TSA issued a new “Pipeline Security Guidelines” document that included cybersecurity, but its provisions remain largely voluntary. In 2019, the U.S. Government Accountability Office issued a report identifying several weaknesses in the TSA’s program, including only six full-time equivalent staffers in its Pipeline Security Branch to conduct reviews on 2.7 million miles of pipeline, in conjunction with many more contractors. Among other concerns were that the staffers lacked cybersecurity experience and that the agency was not using the latest standards and risk factors. The TSA has since expanded the staffing level and in February announced better coordination with PHMSA, the federal agency that oversees pipeline safety.
The FBI says Colonial was attacked via DarkSide, a kind of blackmail platform that uses so-called ransomware. The hackers use DarkSide to break into a software system, encrypt data to make it unusable and require the owners to pay a ransom to get the data unlocked or to prevent the data from being publicized. It remains unclear exactly what data was affected in the Colonial cyberattack. The company said in one statement that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”
Ransomware attacks can affect the operation of computer systems. The most notorious local ransomware incident, a 2018 cyberattack on the city government of Atlanta, not only permanently ruined massive amounts of computer records; it also took down systems for paying water bills and court fines.
And ransomware is just one kind of cyberattack. There is also the possibility of hackers tampering with or controlling systems for their own ends, like whoever played with the chemicals in the water supply of the Florida city.
“Those sorts of cyberattacks are of concern for any utility or pipeline system that’s operating based on a computer system,” said Craven at the Pipeline Safety Trust. “So yeah, we’ve been concerned about it.”