INSIGHT: Cyberattacks on pipelines pose threat to chemical plants

HOUSTON (ICIS)–The cyberattack on Colonial Pipeline represents another way that such assaults can disrupt chemical operations, which rely on pipelines for fuel and feedstocks.

Direct attacks have already hit chemical companies. In October 2020, Brazilian polyolefins producer Braskem declared force majeure after a cyberattack. The force majeure affected some clients in Brazil and other parts of South America.

Earlier this year, a ransomware attack struck Ultrapar, a Brazilian conglomerate that owns the surfactants producer Oxiteno.

Under ransomware attacks, criminals lock up companies’ files or data until they get paid. They may also threaten to publish stolen data.

OUTAGE
On 7 May, Colonial Pipeline shut down its refined-products pipeline system to contain a ransomware attack, the company said.

The Colonial system has 5,500 miles (8,800 km) of pipeline connecting Houston to Linden, New Jersey in the East Coast, according to the Energy Information Administration (EIA). It can ship 2.5m bbl/day of gasoline, diesel, heating oil and jet fuel.

Colonial said on Wednesday that it has begun restarting the pipeline.

The nature of the attack is an important point, said Stephen Lilley, a partner in the law firm Mayer Brown. Based on reports, the criminals did not take down the pipeline. Instead, they held data or files for ransom. Colonial took steps to contain the data breach. The shutdown of the pipelines was a consequence of those containment steps.

The nature of the Colonial attack will help determine any policies the government could adopt to deter future ransomware attacks.

PIPELINES AND CHEMICALS
Chemical plants rely on pipelines to keep their operations running. They ship natural gas, which the industry uses as a fuel and as a feedstock.

Pipelines also transport natural gas liquids (NGLs) from processing plants to fractionators. Fractionators separate the NGLs into ethane and propane, which are then sent via pipeline to crackers. Olefins from the crackers are shipped to plants that convert them into plastics and other derivatives.

Back in 2020, the law firm Jones Walker published the results of a cybersecurity survey in the midstream industry.

Among those surveyed, 28% reported an attempted data breach and 12% reported a successful one during the 12 months that preceded the survey, Jones Walker said. Regarding cyber-insurance coverage, 74% lacked it.

Those responding to the survey flagged weak points that leave them vulnerable to cyberattacks.

Midstream companies rely on remote technologies such as mobile and field-device management systems as well as the Internet of Things (IoT), which refers to a network of interconnected devices.

Other findings include the following:

– Less than half conducted cyber-risk assessments at least once a year.

– A quarter said they never conducted a cyber-risk assessment.

RESPONSE IN THE CHEMICAL INDUSTRY
Pipeline disruptions are nothing new for chemical companies in the US, given their vulnerability to hurricanes and tropical storms. They have protocols in place to address these outages.

As far as cybersecurity is concerned, the chemical industry is one of the few that fall under government regulations, according to the American Chemistry Council (ACC).

The Chemical Facility Anti-Terrorism Standards (CFATS) was adopted in 2007 in the wake of the terrorist attacks on 11 September 2001. CFATS addresses cybersecurity, since breaches could allow bad actors to obtain dangerous chemicals.

Since then, the industry has worked closely with the Department of Homeland Security (DHS), which administers CFATS under the Cybersecurity and Infrastructure Security Agency (CISA).

Over the years, the chemical industry has participated in Cyber Storm, a cybersecurity exercise with the US government, the ACC said.

The exercises have changed over the years to anticipate the ever-evolving nature of cyberattacks, the ACC said. One recent threat is theft and diversion, under which criminals hack into vendors to make illegal chemical purchases appear legitimate.

The ACC also addresses cybersecurity through Responsible Care, an industry programme adopted by chemical companies around the world.

ACC members have implemented the National Institute of Standards and Technology (NIST) cybersecurity framework in conjunction with the Responsible Care Security and Process Safety Codes.

Sharing information about threats is another tool that helps the industry deter attacks. To encourage this, the ACC created a cybersecurity information network within its Chemical Information Technology Center (ChemITC).

REGULATORY RESPONSE
For any cyberattack, Lilley of Mayer Brown warned against blaming the company for the assault.

“Unfortunately, there is a little bit of a presumption that they must have done something wrong to be compromised,” he said in an interview with ICIS.

“These are companies that have been victimised by criminal groups, often by exceptionally sophisticated criminal groups or even by nation-state actors,” Lilley said. “Any number of incredibly sophisticated companies get compromised every day despite having invested large amounts of money in cybersecurity.”

Understanding the nature of Colonial attack and the threat it poses to companies will be key to determining whether additional regulations can play a role in preventing future data breaches, Lilley said.

US lawmakers have confronted such questions before. Back in 2012, Congress considered imposing broad cybersecurity requirements on critical infrastructure, Lilley said.

Congress rejected that approach and decided that economic incentives, information-sharing and voluntary frameworks make up the best way to protect infrastructure from cyberattacks, Lilley said. “I don’t see a lot of interest in Congress in coming up with some broad sweeping cybersecurity mandate across critical infrastructure generally.”

That said, different types of infrastructure have their own regulatory frameworks. CFATS addresses sabotage against chemical plants.

Pipeline security falls under the Transportation Security Administration (TSA), another agency under the DHS. These guidelines are voluntary and cover broader issues such as reliability, safety and the environment.

Some discussions are revolving around making those guidelines mandatory.

But Lilley warned that policy makers first need to identify the risk posed by Colonial attack and specify what issue they want to solve before deciding on whether regulations are the best solution. A better way to deter future attacks could be voluntary guidelines, economic incentives, industry best practices or even contracts between parties.

Insight by Al Greenwood