What we can learn from the ransomware attack on US Colonial Pipeline
Cornelia Meyer
The ransomware cyberattacks on the Colonial Pipeline, which carries refined products from the Gulf of Mexico up to New York Harbor, was a shock in more ways than one. The entire Colonial Pipeline system had to be taken offline as a precautionary measure late Friday.
Colonial is the largest products’ pipeline in the US, spanning 5,500 miles and carrying gasoline, diesel and jet fuel from the Gulf of Mexico to the Eastern Seaboard. It has a capacity exceeding 3 million barrels per day (bpd) and habitually carries around 2.5 million bpd. Its importance cannot be overstated for drivers and airlines alike. Several major airports, such as Atlanta Hartsfield, Charlotte, Raleigh Durham, La Guardia and others depend on the pipeline for their fuel needs.
The US has enacted emergency powers allowing for more fuel shipments to be moved overland — temporarily abolishing legal restrictions on road transport. However, no amount of road or railway transport can make up for 2.5 million bpd, and will involve major delays.
We can compare this outage to the blockage of the Suez Canal earlier this year, in as much as the longer it takes to restore operations, the bigger the impact on supplies and markets. So far, the operator of the pipeline, the Colonial Pipeline Co., has not been able to establish a timeline for when the outage can be lifted.
Gasoline prices rose and if the situation persists, airlines will have to jump through logistical hoops loading up on fuel in airports outside of the pipeline system, topping up when they get to affected airports.
US gasoline prices rose more than 3.3 percent between Friday, before the cyberattack, and early afternoon Monday CET. Prices of other affected products also felt the impact. The outage comes just as the US is on the move again thanks to a successful coronavirus disease vaccination program. While product demand is not yet at pre-pandemic levels, it is rising fast.
Initially, the ramifications of the outage are contained to consumers along the pipeline in the Mid-Atlantic and eastern states, because only a midstream asset (the pipeline) is affected. This is different from a major hurricane which can knock off a big junk of US refining capacity. However, if the outage persists, ripple effects will be felt as Gulf of Mexico refiners will need to store products, affecting production volumes and with users elsewhere lacking access.
In the meantime, and also with an eye on President Joe Biden’s $2.3 trillion infrastructure program, the US and the world will have to beef up their cyber defenses.
This is not the only attack on critical infrastructure recently. In February 2020 a ransomware attack on a gas compressor facility in the US resulted in a two-day outage. To the south, the computer system of PEMEX was brought to a halt courtesy of a cyberattack in November 2019. To the north, Energy Transfer Partners and TransCanada Corp. experienced an attack on their computer system in April 2018. And who could forget 2012, when more than 30,000 Saudi Aramco computers were compromised by a hostile cyberattack originating from abroad?
The lesson we must learn is that as we are increasingly depending on IT, we must beef up cybersecurity to keep our critical infrastructure safe — wherever in the world we find ourselves.
The writer is a PhD-level economist with 30 years of experience in investment banking and industry.