In a public statement, the White House detailed some of the steps being taken to speed up gas deliveries while Colonial Pipeline technicians restart things after a criminal “ransomware”-styled cyberattack. The Department of Transportation is allowing fuel companies to transport overweight loads on interstate highways in 10 states. The Environmental Protection Agency is granting emergency fuel waivers suspending gasoline blending rules. A move to temporarily waive Jones Act requirements, thus allowing foreign-flagged, foreign-crewed oil tankers to transport fuel from the Gulf Coast to Atlantic states is also being contemplated. Across the affected states, governors are also taking emergency measures—though some moves, like Georgia Gov. Brian Kemp’s order temporarily suspending state gas taxes so as to knock prices back down, are perhaps of less value than others.
Again: It’s not supply problems causing the current problems. It’s neighborhood panic buying that’s draining local gas stations dry in places like Georgia, the Carolinas, and Virginia. Your corner gas station gets the gasoline it sells you from scheduled, regular deliveries: If consumers are suddenly making a run on each station so as to beat a perceived future “crisis,” there’s simply not going to be enough delivery trucks available to keep those tanks full.
As for the cyberattack itself, even the criminal gang responsible for the breach of Colonial’s systems seems alarmed and embarrassed by the level of chaos their attack has caused. (This is at least a decent public relations move on the part of the gang, now that they realize that even slightly interfering with the United States of America’s domestic fuel supply is something U.S. governments regularly respond to by ordering airstrikes on the attackers and leaving it to others to sort out which bodies are which.) While Colonial wipes and reinstalls computer systems throughout their company to erase the ransomware and get operations back to normal, the episode is a grim warning that an intentional state-sponsored attack on American fuel pipelines, power plants, and other critical infrastructure is both a very real danger and is likely to be devastatingly effective.
The United States has been sluggish, at best, in hardening critical infrastructure to defend against such attacks, and pipeline security is especially lax considering the nationwide chaos that could result from a breach that not just encrypted pipeline systems, but attempted to do real structural damage to the physical pumping operations themselves. Instead, the United States has relied on a generally unstated capability for mutual destruction—while domestic infrastructure can hardly be considered hardened against cyberattacks, the U.S. is equally capable of mounting such international attacks itself.
So far, though, it appears that Colonial may have dropped the security ball on this one, and for the same reason that Texas power generators found themselves frozen up and nonfunctional during that state’s power emergency: There’s no profit to be had in planning for rare emergency situations, so many companies don’t bother unless they are forced by government regulation to do so. There will likely be new regulations written after this requiring pipeline operators to better secure communications and control systems, and those regulations will likely be fought tooth and nail, used as examples of “government overreach” that harms the private sector by stripping companies of their power to decide for themselves whether or not they want their systems held for ransom by one of the most-known criminal cyberattack schemes on the planet. To prepare for that future debate, it might be wise to start hoarding ibuprofen.