Vulnerability of Energy Pipelines to Cyber Attack Is a National Security Issue

(AP Photo/Rich Pedroncelli, File)

The shutdown of the Colonial Pipeline stretched into its fourth day on Monday with the owners of the petroleum pipeline and the Biden Administration releasing more information to the public about what has happened, the possible consequences to states in the eastern third of the country, and what steps are being taken to address both the cause of the shutdown and the consequences.

Just so no one would panic, yesterday the NYT reassured everyone that there was plenty of supply from tank farms and no shortages were anticipated:

Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the coronavirus pandemic, the attack was unlikely to cause any immediate disruptions.

I posted a Tweet late on Monday predicting gas lines in 3-5 days. We called out some remembrances of the Carter years here yesterday.

Here are some of the responses to my prediction:

This is a more serious problem than is being acknowledged if for no other reason than it demonstrates a weakness in the security of domestic energy systems that are vital to keeping the United States economy functioning during a true national crisis.

The Colonial Pipeline is a privately owned and operated system of more than 5500 miles of total piping that originates at refineries in Texas. The pipeline delivers various fuels and petroleum products to consumers throughout states in the eastern third of the country and terminating in New Jersey. It delivers more than 100 million gallons (2.5 million barrels) of various materials on a daily basis at numerous “outlets” along its path, and many of these products reach their destination on a “just-in-time” inventory management basis.

I happen to have a very SMALL amount of experience in the “hard commodity” energy trading business pre-COVID that included buying and selling supplies such as aviation fuel and other types of products that travel in the Colonial pipeline. At any given point in time, the pipeline has thousands of separately owned quantities of various types and grades of products moving through it. The pipeline operator keeps the items separated by placing quantities of water in the pipeline in between the separately owned petroleum products — oil and water don’t mix. Aviation fuel, gasoline and diesel for automobiles, and home heating oil all travel through the pipeline in separately owned slugs, spaced out by a few thousand gallons of water between them. Sometimes the items in the pipeline change ownership while in transit as wholesalers buy and sell material in the pipeline depending on the needs of their customers.

The pipeline shutdown creates difficulties at both ends of the supply chain. The companies expecting to take delivery of product out of the pipeline on a particular day and at a particular location now have their orders unfilled because the product will not arrive on time.

The refinery transforms crude oil into petroleum products based on orders from wholesalers. Those products flow out of the refinery and into the pipeline on a daily basis pursuant to a schedule. The refineries don’t shut themselves down just because the pipeline closes. They divert the product to tank farms near the refinery — but the capacity there is limited. Soon those tank farms fill up, and that leads to refinery shutdowns. These are not systems that can simply be turned back on again with the flip of a switch.

The supply problem on the consumer end can temporarily be overcome by drawing from excess product held in tank farms at various regional locations along the route of the pipeline.  The inventory levels in the tank farms will decline so that the current demand is met.  But those inventories will RAPIDLY shrink because the country doesn’t automatically curtail its usage of petroleum products because a pipeline shuts down. Usage continues unabated until — there’s no more gas to use.

The Biden Administration put in place a minor stop-gap measure late on Sunday by declaring a “Regional State of Emergency.” But it was only the Department of Transportation, and the only real effect of the declaration was to lift some restrictions on truck drivers so that they can drive more hours and days on a short-term basis if they are hauling petroleum products.

But it’s not like you can make petroleum tanker trucks appear out of thin air to transport the 100 million gallons of various fuel products that were delivered EVERY DAY in the Colonial Pipeline. A typical big-rig tanker truck holds approximately 10,000 gallons. All Dementia Joe needs to do is find about 10,000 of those kinds of tanks parked somewhere unused and his problem is solved — at least as long as the diesel to run those trucks holds out.

Railway tankers will also be pressed into service, those take some time to get positioned, leased, and put into use with all the necessary paperwork for suddenly carrying hazardous materials.

The work necessary to put these alternative delivery systems into play will fall on the industry. Delta Airlines has contracts with wholesalers to deliver JetA to its tank farm in Atlanta. The wholesaler with that contract has to find JetA to deliver to replace the JetA it expected to come out of the pipeline. Fed Ex has similar contracts for delivery to Memphis. Both need their planes to fly on time, and running out of JetA isn’t something they want to hear about. The wholesaler has to go into the spot market and buy someone else’s excess, paying whatever they have to pay in order to get it.

But what’s going to happen when diesel supplies run low? Think about all the products distributed across this country by tractor-trailers that run on diesel. When their per-mile costs go up because of diesel prices going up in response to short supply, the cost of everything they transport goes up — right up until they run out of diesel. Then stuff doesn’t get delivered when and where it should.

All of this points back to the vulnerability of our energy supplies and delivery systems to cyber attack, and just how easy it would be for a determined foreign actor to do serious damage to an economy that runs on petroleum, and the necessity to move products in an efficient over-land transportation system.

An informed reader sent some interesting information via email. This reader worked on the tech side of the energy pipeline industry for a couple of decades.  The technical systems that are in place are largely state of the art, first of their kind systems specifically designed for the tasks they are being asked to perform.

The problem is the systems and components were designed in the 1970s.  The software has been updated, and new and better parts are provided by the OEMs to replace parts that wear out.  But the system’s design is pretty much the same as it was when it was revolutionary at the time of its creation.  There has never been an incentive to revisit and replace the design because of the costs involved.  The threats from hackers have long been more abstract than concrete.

But the modern world after the internet is now filled with “Black Hat” actors — both state-sponsored and otherwise.  The “Darkside” group that is said to be behind the Colonial Pipeline attack claims it is in this only for the money.  They gain access to computerized systems, encrypt the data so the system can’t be run as designed, and they demand payment of extortion in exchange for the encryption key to unlock the data.  Many companies pay because these groups are usually based abroad, law enforcement is of only minimal help, and the cost of refusing is far greater than the cost of buying the encryption key.

But what will happen when the Black Hats aren’t in it for the money?  Russia, China, and North Korea all operate cyber penetration groups to go after soft targets — including agencies of the US Government.

The US will remain vulnerable in a national security sense as long as we allow ourselves to be vulnerable.  If the Biden Administration is serious about spending money on truly necessary and needed infrastructure improvements, it should work with domestic industries that are vital to our national defense and upgrade the glaring deficiencies in our ability to defend our internal energy systems from foreign cyber attacks.