In the spring of 2021, hackers initiated a ransomware attack against Colonial Pipeline—the largest refined oil products pipeline in the United States. This pipeline transports over 100 million gallons of fuel daily within a system extending from Houston, Texas, to Linden, New Jersey. This cyberattack created widespread disruption of U.S. fuel supplies along the East Coast, and the impact was so significant that President Biden declared a state of emergency.

This cybersecurity incident resulted in significant recovery costs, reputational damage and legal ramifications for the company. This event emphasized the seriousness of cybersecurity breaches (particularly those affecting critical infrastructure) and offered valuable insights into how organizations of all sizes can prevent and respond to similar incidents.

“It’s not just the large operators that cyber criminals are targeting; it is the small business owners as well,” INSURICA Director of Carrier Relations, Garrett Campbell said. “Cyber criminals enjoy attacking smaller companies as they have identified these businesses to be easier to penetrate as they typically do not have the proper safety measures in place and invest less in cyber security.”

The Details

In May of 2021, a hacker group known as DarkSide gained access to Colonial Pipeline’s network through a compromised VPN password. This was possible, in part, because the system did not have multifactor authentication protocols in place. This made entry into the VPN easier since multiple steps were not required to verify the user’s identity. Even though the compromised password was a “complex password,” malicious actors acquired it as part of a separate data breach.

Once the hackers entered Colonial Pipeline’s network, they likely used their access privileges to move laterally across the network’s infrastructure. During their intrusion, they stole approximately 100 gigabytes of data in two hours. The hackers also infected the company’s network with a type of malicious software known as ransomware. Ransomware encrypts critical data and deprives legitimate users from accessing it until a ransom is paid. This incident impacted many of Colonial Pipeline’s computer systems, including accounting and billing.

On May 9, the Colonial Pipeline shut down its thousands of miles of pipeline to stop the ransomware from spreading and prevent the hackers from executing additional attacks on vulnerable pipeline parts. This led to fuel shortages and panic buying across the South and East Coast. Several gas stations ran out of fuel in the company’s service area, and average fuel prices rose to their highest point since 2014. The shutdown also disrupted air travel. Due to the nature of the incident, President Biden declared a state of emergency that lifted limits on the amount of petroleum products that could be domestically transported. Georgia Governor Brian Kemp also declared a state of emergency and waived the state’s taxes on motor fuels.

The pipeline shutdown spanned from May 7-12, 2021. The company reported that normal operations resumed on May 15. In addition to shutting down its pipeline, Colonial Pipeline brought in a third-party security investigation firm. It also controversially elected to pay the 75 bitcoin ransom, valued at approximately $4.4 million at the time of the transfer. The company’s CEO noted that they did this due to the uncertainty of the breadth of the compromise and because the company wanted to accelerate the recovery time. Eventually, on June 7, 2021, the Department of Justice (DOJ) recovered approximately 64 of the bitcoins used in the payment. Due to the fluctuating value of the cryptocurrency, the recovered bitcoins were worth around $2.4 million.

The criminal hacker organization DarkSide described its actions as monetarily motivated, and experts do not believe the organization is state sponsored. The Colonial Pipeline breach demonstrated how ransomware attacks can significantly impact supply chains, how critical infrastructure can be an attractive target for cybercriminals, and how it is a necessity to have cybersecurity systems and protocols in place to prevent and respond to these types of attacks.

The Impact

Colonial Pipeline encountered numerous consequences from this ransomware attack, including the following:

• Ransom and Recovery Costs. Although the Department of Justice (DOJ) managed to recover most of the bitcoin used in the ransom payment, the change in value (combined with the unrecovered bitcoins) resulted in a significant financial loss. Additionally, the company experienced a multi-day shutdown of its pipeline, which resulted in a substantial business interruption and loss of income. The company also likely incurred expenses when it hired a security firm to investigate and respond to the cyberattack. Other expenses typically involved in these situations include public relations and crisis management costs, as well as the costs of replacing damaged hardware or software while strengthening cybersecurity. Implementing these updates can also contribute to productivity losses as system changes occur.
• Reputational Damage. Colonial Pipeline’s decision to pay the ransom was met with scrutiny as the FBI encourages organizations not to make such payments. The bureau notes that paying a ransom does not guarantee the return of the data and that paying it can incentivize malicious actors to continually engage in this illicit behavior. The ransom may also be used to fund criminal activities. Additionally, the cyberattack and subsequent pipeline shutdown resulted in a significant disruption of services widely covered by the media, ultimately damaging the company’s public perception. These long-term reputational effects can substantially damage consumers’ and partners’ trust in a business and its commitment to cybersecurity.
• Legal Ramifications. Shortly after the cyberattack, plaintiffs in a class action lawsuit sued Colonial Pipeline for negligence. The complaint stated the incident negatively impacted over 11,000 fuel retailers. Another lawsuit brought several allegations, including negligence, unjust enrichment and consumer protection law violations. A third lawsuit claimed personally identifiable information had been exposed in the incident.

While these suits were ultimately unsuccessful, Colonial Pipeline expended time and resources in responding to and defending against these legal actions. Additionally, the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration issued a Notice of Probable Violation (NOPV) and Proposed Compliance Order to Colonial Pipeline that included proposed civil penalties of nearly $1 million. The NOPV alleged the company’s failures to adequately plan and prepare for a manual restart and shutdown operation contributed to far-reaching impacts in the United States after the pipeline went out of service.

Lessons Learned

There are several cybersecurity takeaways from the Colonial Pipeline ransomware attack. In particular, the incident highlighted these key lessons:

• Critical infrastructure must be protected. Not only disrupt business operations, but can also create safety and national security threats. These factors make critical infrastructure an attractive target to hackers, and the Colonial Pipeline incident demonstrated how a ransomware attack could have far-reaching impacts on society. It also highlighted the necessity for collaboration between the private sector and government to enhance cybersecurity measures. This collaboration can allow for streamlined communication and the swift deployment of resources if a cyberattack occurs. To promote these efforts, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires the Cybersecurity and Infrastructure Agency (CISA) to develop and implement regulations that require covered entities to report cybersecurity incidents and ransomware payments to CISA. CISA can then send resources, assist victims, spot trends, and share information to warn potential victims.
• The ransom payment dilemma and why payment is not recommended. Although it may seem like making payments allows for a faster incident recovery process—what the company’s leadership decided in this case—paying the ransom can lead to future cybersecurity concerns and other issues. For instance, there is no guarantee that the hackers will uphold their end of the deal, and the payments could incentivize future cyberattacks, fund criminal activity, and expose businesses to sanctions in some jurisdictions. Upon discovering a ransomware attack, businesses should contact proper authorities (e.g., the FBI), as their assistance can help mitigate potential losses, improve investigative processes and enhance perpetrator identification. Backing up systems and data can also reduce a hacker’s leverage in a ransomware incident.
• Good cyber hygiene with effective access control is critical. The hackers in the Colonial Pipeline incident were able to infiltrate the company’s system by obtaining a single password. The company’s system was more easily breached without multifactor authentication (MFA) access controls. Good cyber hygiene practices, including proper password storage and implementing MFA protocols, can help strengthen cyber defenses. Additionally, ensuring networks are segmented, and access permissions are regularly audited can mitigate cyber exposures.
• The importance of having an incident response plan. This cyberattack demonstrated the necessity of having a detailed incident response plan. This type of plan can help an organization establish timely response procedures to mitigate losses and act appropriately amid a cyber event. The decision to shut down the pipeline and the controversial choice to pay the ransom were areas that had significant impacts on the business, the public and the company’s reputation. A successful incident response plan could have prepared the decision makers for this scenario. The plan should outline potential cyberattack scenarios, methods for maintaining key functions during these incidents, and the individuals responsible for carrying out such functions. The plan should also provide procedures for notifying relevant parties (e.g., government authorities, clients and shareholders) of an attack. An incident response plan should be routinely reviewed through different actions (i.e., tabletop exercises) to ensure effectiveness and identify vulnerabilities. Based on the results of these activities, the plan should be modified as needed.
• Proper insurance coverage can offer vital protection. Finally, this cyberattack made it apparent that cyber-related losses can significantly impact any organization, even large companies. As a result, businesses should consider adequate protection against potential cyber incidents by securing proper coverage. Specifically, most organizations can benefit from having a dedicated cyber insurance policy. However, it is best to consult a trusted insurance professional when navigating these coverage decisions.

Contact INSURICA today for more risk management guidance and insurance solutions.

Additional Resources

Defending Against Cyber Attacks

Cybersecurity Awareness Programs: Benefits and Implementation

10 Essential Cybersecurity Controls

Creating a Cybersecurity Culture

This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2024 Zywave, Inc. All rights reserved.