HOUSTON (ICIS)–The cyberattack on Colonial
Pipeline represents another way that such
assaults can disrupt chemical operations, which
rely on pipelines for fuel and feedstocks.
Direct attacks have already hit chemical
companies. In October 2020, Brazilian
polyolefins producer Braskem declared force
majeure after a cyberattack. The force
majeure affected some clients in Brazil and
other parts of South America.
Earlier this year, a
ransomware attack struck Ultrapar, a Brazilian
conglomerate that owns the surfactants producer
Under ransomware attacks, criminals lock up
companies’ files or data until they get paid.
They may also threaten to publish stolen data.
On 7 May, Colonial
Pipeline shut down its refined-products
pipeline system to contain a ransomware attack,
the company said.
The Colonial system has 5,500 miles (8,800 km)
of pipeline connecting Houston to Linden, New
Jersey on the East Coast, according to the Energy
Information Administration (EIA). It can
ship 2.5m bbl/day of gasoline, diesel, heating
oil and jet fuel.
Colonial said on Wednesday that it has begun
The nature of the attack is an important point,
said Stephen Lilley, a partner in the law firm
Mayer Brown. Based on reports, the criminals
did not take down the pipeline. Instead, they
held data or files for ransom. Colonial took
steps to contain the data breach. The shutdown
of the pipelines was a consequence of those
The nature of the Colonial attack will help
determine any policies the government could
adopt to deter future ransomware attacks.
Chemical plants rely on
pipelines to keep their operations running.
They ship natural gas, which the industry uses
as a fuel and as a feedstock.
Pipelines also transport natural gas liquids
(NGLs) from processing plants to fractionators.
Fractionators separate the NGLs into ethane and
propane, which are then sent via pipeline to
crackers. Olefins from the crackers are shipped
to plants that convert them into plastics and
Back in 2020, the law firm Jones Walker
published the results of a cybersecurity survey
in the midstream industry.
Among those surveyed, 28% reported an attempted
data breach and 12% reported a successful one
during the 12 months that preceded the survey,
Jones Walker said. Regarding cyber-insurance
coverage, 74% lacked it.
Those responding to the survey flagged weak
points that leave them vulnerable to
Midstream companies rely on remote technologies
such as mobile and field-device management
systems as well as the Internet of Things
(IoT), which refers to a network of
Other findings include the following:
– Less than half conducted cyber-risk
assessments at least once a year.
– A quarter said they never conducted a
RESPONSE IN THE CHEMICAL
Pipeline disruptions are
nothing new for chemical companies in the US,
given their vulnerability to hurricanes and
tropical storms. They have protocols in place
to address these outages.
As far as cybersecurity is concerned, the
chemical industry is one of the few that fall
under government regulations, according to the
American Chemistry Council (ACC).
The Chemical Facility Anti-Terrorism Standards
(CFATS) was adopted in 2007 in the wake of the
terrorist attacks on 11 September 2001. CFATS
addresses cybersecurity, since breaches could
allow bad actors to obtain dangerous chemicals.
Since then, the industry has worked closely
with the Department of Homeland Security (DHS),
which administers CFATS under the Cybersecurity
and Infrastructure Security Agency (CISA).
Over the years, the chemical industry has
participated in Cyber
Storm, a cybersecurity exercise with the US
government, the ACC said.
The exercises have changed over the years to
anticipate the ever-evolving nature of
cyberattacks, the ACC said. One recent threat
is theft and diversion, under which criminals
hack into vendors to make illegal chemical
purchases appear legitimate.
The ACC also addresses cybersecurity through
Responsible Care, an
industry programme adopted by chemical
companies around the world.
ACC members have implemented the National
Institute of Standards and Technology (NIST)
cybersecurity framework in conjunction with the
Responsible Care Security and Process Safety
Sharing information about threats is another
tool that helps the industry deter attacks. To
encourage this, the ACC created a cybersecurity
information network within its Chemical
Information Technology Center (ChemITC).
any cyberattack, Lilley of Mayer Brown warned
against blaming the company for the assault.
“Unfortunately, there is a little bit of a
presumption that they must have done something
wrong to be compromised,” he said in an
interview with ICIS.
“These are companies that have been victimised
by criminal groups, often by exceptionally
sophisticated criminal groups or even by
nation-state actors,” Lilley said. “Any number
of incredibly sophisticated companies get
compromised every day despite having invested
large amounts of money in cybersecurity.”
Understanding the nature of the Colonial attack and
the threat it poses to companies will be key to
determining whether additional regulations can
play a role in preventing future data breaches,
US lawmakers have confronted such questions
before. Back in 2012, Congress considered
imposing broad cybersecurity requirements on
critical infrastructure, Lilley said.
Congress rejected that approach and decided
that economic incentives, information-sharing
and voluntary frameworks make up the best way
to protect infrastructure from cyberattacks,
Lilley said. “I don’t see a lot of interest in
Congress in coming up with some broad sweeping
cybersecurity mandate across critical
That said, different types of infrastructure
have their own regulatory frameworks. CFATS
addresses sabotage against chemical plants.
Pipeline security falls under the
Transportation Security Administration (TSA),
another agency under the DHS. These
guidelines are voluntary and cover broader
issues such as reliability, safety and the
discussions are revolving around making
those guidelines mandatory.
But Lilley warned that policy makers first need
to identify the risk posed by the Colonial attack
and specify what issue they want to solve
before deciding on whether regulations are the
best solution. A better way to deter future
attacks could be voluntary guidelines, economic
incentives, industry best practices or even
contracts between parties.
Insight by Al Greenwood