On Friday, May 7, 2021, the Colonial Pipeline shut down—the target of DarkSide hackers from Russia, who demanded and were paid ransom of over $5 million in untraceable cryptocurrency. Over the duration of the six-day shutdown, the hackers stopped the flow of 600 million gallons of gasoline, diesel, and jet fuel from Houston to the East Coast. As a result, at least 12,000 gas stations are reported to have run out of fuel. Colonial’s business relationships and reputation are in tatters. Its damages and liabilities from the breach are unknown and, of course, unrecoverable from the cybercriminals. While the gaslights have been flickering at the feet of Colonial Pipeline, other ransomware attacks have been mounted against other companies even in the past few days.
Cyberattacks are relevant to your business, too
In this article, I will discuss the recent malware cyberattacks and the business and legal implications for a broad range of industries, including energy, banks, healthcare providers, online retailers, law firms, and the Internet of Things (IoT), and I will offer practical tips on how you can protect yourself and your business.
I was a customer of Colonial Pipeline
I know Colonial Pipeline from firsthand experience. Before I became an intellectual property and information technology lawyer, I worked as Operations Engineer in the Oil Movements Division of the Texas City (Galveston Bay) Refinery, one of the world’s 10 largest producers of gasoline. My job was to supervise gasoline blending and custody transfer, including shipment of refined products via the Colonial Pipeline. Only the names of the refinery—first Amoco, then BP, now Marathon—and the degree of computer control have changed.
Visualize 100 million gallons of gasoline per day
It’s difficult to visualize the 100 million gallons of gasoline delivered each day via the Colonial Pipeline. (And that’s only half of the daily requirements of the East Coast.) I’ve been thinking all week about how to convey to you, the reader, the scale of the gasoline pipeline, and I hope the following discussion will be more helpful to you than anything you’ve read until now.
Go east, young gasoline!
In the industry, crude oil and refined products are measured in terms of 42-gallon barrels. The refinery where I worked processes about 600,000 barrels, or 25 million gallons, of crude oil per day, to produce about the same volume of refined products, mainly gasoline, and also diesel and jet fuel. By far the largest part of the refined products is delivered to the intakes of the Colonial Pipeline system. Other refiners also deliver batches of gasoline and other refined products to the Colonial according to tightly scheduled transport windows. Everything goes east. It’s a one-way trip. The gasoline has to meet minimum octane requirements before it leaves the refinery; there’s no way to call it back. As Operations Engineer, I had the knock engines overhauled once a month, and I put the custody transfer meters into service. (Until then, we accepted the figures provided by the gasoline buyers and the crude oil sellers without question.)
One tank covers a football field
Refinery equipment and tanks are of almost unimaginable size, much larger than human scale. The footprint of a large petroleum tank of, say, 750,000 barrels (or 30 million gallons) capacity, is larger than an American football playing field (which is 100 yards long and 160 feet wide). Petroleum tanks usually are cylindrical; the footprint is circular. A large above-ground tank is filled to a height of about 40 feet. The tank is surrounded by an even larger containment area, with a reinforced earthen dike or berm at the perimeter, sufficient to hold the entire contents of the tank in the unlikely event of a rupture or a bad valve.
Seven football fields, covered 40 feet deep in gasoline, drained daily
So, how much is 100 million gallons? Picture a complex of seven American football playing fields. Now, imagine seven tanks—one on each field—defined by a vertical wall around the perimeter of each field. Fill each and every one of those seven enormous tanks to a height of 40 feet. Now you have 100 million gallons. That’s how much gasoline is transported each and every day via the Colonial Pipeline to supply half the requirements of the East Coast.
Today’s newspapers are carrying stories suggesting alternate fuel routes. What would that look like?
Imagine 10,000 tank trucks filled with gasoline
You’ve seen large tank trucks transporting gasoline on the highway and delivering fuel to gas stations. One of the largest of those tank trucks holds about 10,000 gallons of gasoline. It would take an astonishing 10,000 trucks per day (about 400 trucks per hour, around the clock, 365 days a year) to transport 100 million gallons per day from Houston to the East Coast. Double that number of trucks to allow for a minimum of two days to complete the route. Now, double that number again to send the empty trucks back to the Houston area. We’re talking about 40,000 tank trucks, minimum. That’s far more than the nation’s entire existing fleet. And that’s what it would take to establish an over-the-road alternate to the Colonial Pipeline.
Picture tens of thousands of rail cars
Rail cars are bigger than tank trucks. A tank car holds about 30,000 gallons. It would take 3,300 tank cars per day to deliver 100 million gallons of fuel per day. A long freight train might pull 100 tank cars. Departures of two-mile long trains from Houston would have to occur hourly to match the Colonial Pipeline capacity. It would take days for the trains to reach their destinations, where they’d have to be unloaded and returned empty to Houston. We’re talking tens of thousands of tank cars.
The logistics, equipment, and labor involved in such massive overland deliveries would be mind-boggling, far beyond anything that has ever been attempted or any capabilities that currently exist.
It would take five or six Panamax ships per day to match the Colonial
While we’re discussing petroleum transport, we should mention ships, which are second only to pipelines for cost-effective delivery of large volumes.
Most petroleum tankers that enter Galveston Bay are Panamax ships (suitable for transit through the Panama Canal) that carry up to about 500,000 barrels (or about 21 million gallons) of petroleum. (That’s almost a day’s supply for a large refinery.) They are typically more than 900 feet (or three American football fields) in length.
There are even larger “supertankers” on the high seas, but they must be lightened onto other ships before they can enter Galveston Bay, diminishing their appeal.
The shutdown of the Colonial Pipeline led the Government to consider using ships to transport gasoline to the East Coast. It would not be easy or quick to start up such a shipping operation. And until it could get up and running, there would still exist the immediate need for delivery of 100 million gallons of gasoline each and every day. If 12,000 gas stations were emptied in six days, it’s good the shutdown didn’t last any longer.
Colonial Pipeline and effects of shutdown
The six-day shutdown of the Colonial Pipeline resulted in shortages on the East Coast, and it also triggered at least partial shutdowns of large refineries including the 600,000 barrel/day Motiva refinery in Port Arthur, Texas. Notwithstanding Colonial’s vaunted storage tanks, thousands of gas stations in the Southeast ran dry. Hoarding behaviors were seen.
Nothing simpler than a pipeline
A pipeline is a pretty simple thing. The biggest part of the Colonial system is one very large pipe—40 inches in diameter and about 1,100 miles long—delivering gasoline from Houston to Greensboro, NC. A parallel 36-inch line delivers diesel, heating oil, and jet fuel along the same route. Two smaller lines run north from Greensboro—one to the New York City area (specifically, Linden NJ) and one to Baltimore. Many airports and terminals are supplied along these routes. There also are a lot of storage tanks along the way. Colonial itself boasts 28 million barrels (1 billion gallons) of storage tank capacity to help deal with fluctuations in supply and demand. That might sound like a lot of storage, but the recent DarkSide ransomware shutdown shows the difficulty of delivering gasoline to where it’s needed.
The Colonial Pipeline system is popularly stated to be about 5,500 miles in length, but that has to include the combined lengths of the four lines and the spurs to terminals and airports. For practical purposes of delivering fuel from Houston to New York City, the greatest essentially continuous length is more like 1,600 miles from point A to point B.
Who needs computers?
When the Colonial Pipeline was built, starting in 1962, with transport beginning in 1963, it was an entirely mechanical system comprising large pipes, pumps, valves, and tankage. It was big news, but it has not been entirely foolproof. Leaks have occurred, some of them large, resulting in substantial EPA fines. Computers have been implemented over the years for precision control, measurement, and monitoring. Valves are computer-controlled and powered by electricity. Sensors, meters, and leak detectors all rely on computers.
One might think that it would be easy to revert from a computer-controlled system to the original manual system. One would be wrong. We love the advantages of computers, but we pay a price when systems fail. At least some of the restart was in a manual mode. It took days, and even then, the company sent out troops of workers to monitor the pipeline, some mobilizing on foot, with others watching from vehicles moving over land or through the air.
They feared the millennium
The recent shutdown is not the first. As the calendar advanced from one millennium to the next, the Colonial Pipeline was deliberately shut down by prearrangement for a few hours on each side of midnight in case of an electrical failure. There also have been brief reductions caused by hurricanes. But six days is the longest Colonial shutdown in many years, if not in the entire 60-year history of the system.
Cyberattacks and your business and legal risks
I promised above to discuss not only the Colonial Pipeline cybersecurity hack but its business and legal implications for a broad range of industries, including energy, banks, healthcare providers, online retailers, law firms, and the Internet of Things (IoT).
So you don’t run a pipeline?
You don’t run a pipeline, you say. Yes, the ransomware attack hit Colonial Pipeline hard, paralyzed it for most of a week, and did long-lasting damage to its business relationships and reputation. But Colonial is not a custodian of much in the way of confidential information or intellectual property. The cyberattack did not reveal financial data or account information. No money was stolen. No identities were taken. No websites were compromised. No healthcare records were violated. No attorney-client privileged communications were released. In the end, Colonial was “only” a pipeline, albeit the nation’s largest, and not a network of private records, financial accounts, or home security systems (such as might be reached via the IoT). Even if you don’t run a pipeline, you might have assets that are vulnerable.
Have you seen your new insurance premiums?
Among other effects of the rash of ransomware incidents, premiums for cyber insurance are likely to rise.
According to a Washington Post article published May 12th, a cybersecurity expert warned U.S. lawmakers last week that the world is on the cusp of a “pandemic of a different variety,” namely, a ransomware crime wave against businesses.
Christopher Krebs, former head of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, testified on May 5th before the House Committee on Homeland Security that the form of malware called ransomware has become more prevalent than ever. Businesses and other organizations are at risk of devastating attacks.
Two days later, the Colonial Pipeline was hit. It was the largest known cyberattack on any company in the U.S. energy industry. And it’s a relatively simple operation, compared to refineries and electrical grids.
It’s extortion, I tell you!
The incident, which instigated the shutdown described above, is one of the latest in ravaging ransomware attacks launched by criminal organizations that operate outside the reach of America’s legal systems. It’s extortion. And they’re getting away with it.
An increase in the number of ransomware threats is inevitable. Businesses must ramp up efforts to secure their online networks.
“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security-level threat,” Krebs told lawmakers. “If there was any remaining doubt on that front, let’s dispense with it now: Too many lives are at stake.”
What’s a ransomware attack?
Ransomware, a malicious computer code that hackers deploy to block an organization’s access to its own computer network to extort a ransom, is one of the most common forms of malware.
Let’s go phishing
Hackers may barrage employees with phishing emails, persuading the user to download a file or visit an infected website, unleashing the hostile malware. When such emails are tailored to specific employees, it’s called spear phishing.
According to the Washington Post, once the criminals have seized control of the network, the criminals provide a deadline to make a payment, and if it is not met, they can lock the network from their target or publicly share sensitive data.
I can’t access the company network!
Such attacks have reached a record high recently, with nearly 400 assaults on critical infrastructure in 2020.
On May 7th, Colonial Pipeline announced it had shut down the system that carries half of the East Coast’s fuel supplies. The company has admitted that it was hit by a ransomware attack, but it has shared little about how cybercriminals broke into its network. The most likely point of entry would have been through a phishing attack against employees. One click on a tantalizing URL link or one download of an attachment could have brought down the pipeline.
Life on the DarkSide
The FBI confirmed Monday that the group responsible is known as DarkSide, a Russian or Eastern European criminal gang.
Hell no, we won’t pay!
Initial reports were that Colonial would refuse to pay the ransom, but later reports are that Colonial paid $5 million in cryptocurrency. And even that wasn’t much help. The criminals apparently provided some level of relief, but it was too slow, and Colonial had to do much of the recovery through its own efforts and at its own additional expense.
Why are businesses vulnerable to attacks?
Much of America’s aging infrastructure—including computer systems used by businesses—was built long before today’s online networks came into existence, resulting in vulnerabilities as companies and their employees become increasingly digital.
Pathological need to connect
“The underlying enabling factors for this cybercrime explosion are rooted in the digital dumpster fire of our seemingly pathological need to connect everything to the Internet combined with how hard it is to actually secure what we have connected,” Krebs said in his testimony.
In addition, businesses have limited resources available to shore up their cybersecurity in the face of a threat.
We accept cryptocurrency
With the advent of cryptocurrency and expanding networks of criminal groups like DarkSide, ransomware is a big enterprise, outstripping the development of protective measures.
Cryptocurrency, a form of digital cash, is unregulated in many jurisdictions, making it more difficult to track. Hackers have even developed customer hotlines for their targets. This makes it easier and more tempting for victims to go down a bad path.
Ransomware as a service
“Ransomware-as-a-Service is big business and we are not surprised groups like DarkSide are capitalizing on extortion techniques that are quickly becoming a hallmark for many eCrime actors,” Matt Trushinski, technical director of cybersecurity firm Arctic Wolf, wrote in an email to the Washington Post.
How much could a ransomware attack cost your business?
Cybercrime has far-reaching and often hidden effects. This makes it hard to quantify the toll taken by ransomware attacks. In part, this is because many attacks go unreported. Few businesses desire to publicize the fact that they have been victimized. But it is generally agreed that the cost has to be in the billions of dollars.
How much would you pay to reopen?
Hacker gangs can demand any sum of money they believe a company will pay to get back online.
FBI Special Agent Jonathan Holmes said at a CISA cybersecurity summit last year that ransomware attacks began to rise about a decade ago.
“Back in 2013, only your one computer would be affected by ransomware. Fast forward to 2015 — we began to see ransomware actors targeting enterprise computer networks,” Holmes said.
Early on, he said, law enforcement saw demands in the hundreds of dollars. But by 2015, demands were in the tens of thousands — and they’ve steadily increased since, Holmes added.
What’s $300k between friends?
It has been widely reported that the average payment following a ransomware attack in 2020 rocketed up 171% to $312,493 compared to $115,123 in 2019.
“Most recently, we’ve seen ransom demands in the order of the millions of dollars range,” Holmes said at the summit.
What can you do to deter a ransomware attack?
A Forrester cybersecurity specialist interviewed by the Washington Post advises “quick wins” including strengthening passwords, formulating and testing a response plan in case of an emergency, and implementing multifactor authentication (which requires two or more levels of verification before a user can sign on to the company’s network).
Quick wins for starters
These basic security-enhancing steps can be taken quickly, while more substantial measures are considered and implemented.
According to a CNN article of May 13th, on the “policy front,” late last month a Ransomware Task Force of representatives of technology firms submitted an 81-page report to President Joe Biden. Recommendations include aggressive enforcement, the establishment of cyber response and recovery funds, and the regulation of cryptocurrency. But the report urges little more than the creation of a “national awareness campaign” that would provide security awareness training in organizations. It would do little to protect against the primary point of attack, which is often phishing emails targeted at employees.
The Government is here to help
Following the Russian and Chinese hacking operations targeting U.S. federal contractor SolarWinds and Microsoft, the Justice Department announced earlier this month that it would launch a four-month review of its approach to fighting malicious cyber activity, including ransomware attacks. But if you’re a business owner or manager, you can’t afford to wait four months or more to see if the Government will protect you and your business.
Similarly, on May 12th, President Biden signed an executive order mandating minimum cybersecurity requirements for federal contractors and requiring service providers to tell the government about cybersecurity breaches that could affect U.S. networks. That’s fine, insofar as it goes, but it does little to shield businesses or to arm them to protect themselves.
Cyber questions for you
Here is a list of cyber questions you may wish to ask yourself:
- How safe are you and your business from cyberattack?
- How solid are your agreements with your software vendors and IT service providers?
- Do you have a written policy in place that if followed will help to deter attacks and that, even if violated, will establish that at least you exercised reasonable care to safeguard confidential, private information?
- Do you have procedures ready to provide any notice to others, as might be required by agreement or by law in the event of a breach?
- Do you have cyber insurance with terms that will actually be useful in the event that you might need to file a claim?
Here to serve you
The attorneys of Beem Patent Law Firm stand at the intersection of technology, business, and law. Call us at 312-201-0011 whenever we can be of service to you and your company.