East Coast Oil Emergency
Colonial Pipeline Company was shut down completely by ransomware last week. The news went public on Saturday though it’s suspected the attack happened on Thursday. At least 17 states declared an emergency on Sunday evening because the east coast relies on Colonial for about 50% of the diesel, gasoline, and jet fuel.
On Sunday May 9th the company announced that some ‘lateral’ lines are operating though I cannot say what that means other than it sounds promising. However what’s really concerning is their comment in Sunday evening’s update:
The Colonial Pipeline operations team is developing a system restart plan.
This statement constitutes a failure of their disaster recovery plan. It may even be negligence if you consider how many states are at risk of a major shutdown. You’re probably thinking a restart doesn’t sound so bad given how often turning things off and on again solves the average issue but you’re focusing on the wrong word. Plans should be developed before a disaster and implemented during it. Worse yet major pipelines of this nature require inspections before they can start back up. In this case, the inspections are unavoidable given Colonial’s history of explosions. IT restoring their systems is simply step one and clearly they are not ready to take step one yet.
The original timelines projected the east coast shutting down by Tuesday though the emergency order allows truckers to drive unlimited hours to transport the fuel. Basically drivers in 18 states can work extra or more flexible hours when transporting gasoline, diesel, jet fuel and other refined petroleum products aka some of the heaviest and most dangerous trucks on the road. And they won’t be sleeping. This is that much of an emergency (and possibly a separate, side emergency as well).
The Covid19 relief bill includes $2 billion to improve cybersecurity. This funding addresses the Solarwinds replacement strategy since the US government is rebuilding all systems that connected with any Solarwinds monitoring system. One can imagine that this directive translates into a significant amount of time and work to rebuild their infrastructure. Obviously the government is taking cyber-security seriously so the timing of this attack must hit extra hard in Washington.
The accused Darkside hackers commented on the dark web (see here and here for their repeated statements if you’re not on the dark side):
We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
Our goal is to make money, and not creating problems for society.
From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
Ransomware is typically targeted since you want to ensure the payout is worth the effort. Darkside is a Russian hacking group apparently eager to avoid any geopolitical implications of this event. There is no proof at this point that they are part of the Russian government though the target on their back is larger than most now given the far reaching implications of shutting down Colonial and that they are Russian. Their statement implies they don’t want to create social unrest but they haven’t published the decryption keys or otherwise done anything in good will to help the situation. Many people are calling this act of war by Russia though I believe that is too extreme. Perhaps we can try diplomacy first?