As our world gets more and more connected, cybersecurity continues to bubble to the top as a major threat for oil and gas companies. With Colonial Pipeline combating a cybersecurity ransomware incident it’s hard to determine if this is a “sky is falling” incident or a follow-up to “crying wolf” as we’ve heard over the past few years. With technology usage increasing, the cyber threat to that technology also rises. So, how does the Colonial Pipeline cyberattack typify that?
For operations-based companies like Colonial Pipeline, these types of attacks can target more than just business systems like email servers. They have carefully designed and intricate systems that control pump stations, actuate electronic valves and constantly report temperatures and flow rates back to a hub pipeline management system. These operating systems are meant to be separate and safe from business systems, but every system has vulnerabilities.
If refineries feeding the Colonial Pipeline continue at their current rate of production, what’s the impact? Without the Colonial Pipeline to carry the raw and refined products, things begin to back up and fast. It’s been reported that two refineries on the Gulf Coast have already reduced fuel output due to the pipeline’s inability to move product. In addition, refineries are scrambling to secure barges and vessels to act as storage units for the production in the process. Leading up to the summer driving season, it will come faster.
How fast? Picture Lucy and Ethel in the iconic scene in “I Love Lucy” at the candy factory as they try to keep up with wrapping all that candy coming down the conveyor. The conveyor increases the flow, and they struggle to find places to put the candy, eventually shutting down the factory. The same is occurring with refineries in the Colonial Pipeline incident—except shutting down and restarting refineries isn’t simply a matter of turning off a switch and turning it back on.
Why Colonial & Why Now?
Media headlines reveal answers to the “Why Colonial?” question:
- 45% of the fuel consumed on the U.S. East Coast flows through the Colonial Pipeline.
- The pipeline flows through 17 states in the east and southeast.
- A shutdown of more than a few days will cause fuel prices to spike.
Highlighting the volume, the geographic importance, and the economic impact in one set of bullets covers the “why Colonial” question. But another question remains: why now?
One potential answer could be that the period prior to Memorial Day signals the beginning of summer and, with that, the reformulation of gasoline to handle driving in the summer weather. This means that blending operations and inventory operations are at a natural “shift” that relies on storage and pipeline capacity to swap out feedstocks and components for the summer driving season. With crude inventories still in decline, the summer demand could put a strain on gasoline inventories.
The backup is also prompting panic buying and fuel hoarding by consumers in the Southeast and East Coast, with gasoline prices rising well over $3/gallon. However, the U.S. Environmental Protection Agency (EPA) issued expanded waivers of summer fuel quality requirements of gasoline to parts of 12 states and the District of Columbia. The Department of Transportation also allowed the transport of overweight loads of fuel in 10 southeastern states to allow supply without the use of the pipeline network.
How Does This Impact Business Partners?
Cyberattacks don’t just impact a single organization. It’s one of the energy industry’s worst kept secrets that they’re behind the curve of digital transformation. Amid the pandemic almost every organization has “tightening the belt”, and in most cases that meant furloughs or layoffs. Combine a leaner organization with tools that may only be capable of supporting normal operations and the challenge becomes even greater.
The problem is multifold, and it starts (or ends, depending on your point-of-view) with the consumer.
- Gasoline & Diesel Demand
- From retail gas stations to industrial and commercial customers, demand can be ratable in a normal early summer season. Throw in the variable of more people returning to a daily commute as states ease pandemic-related restrictions along with the potential for panic buying based on the news cycle, getting the demand right can be a challenge. If an organization still uses back-of-the-napkin demand planning or simple two- to four-week historical forecasts they could be in for a real challenge. Even if demand planning is more sophisticated, it also needs to be integrated to the next level up the chain, supply planning, and scheduling.
- Supply Planning & Scheduling
- Knowing what demand needs to be met in a timely manner is a key part of supply planning and scheduling. If the supply group must wait for the demand input or has to “work” the data after receiving it to get a usable format, valuable time can be lost in key situations. And the supply group also needs to know up-to-date inventories, both in the tank and in transit, across a range of products. As recently as five to seven years ago, intra-day inventory tracking was a spreadsheet operation, making it very challenging to collaborate and share information across supply areas during an upset event. Organizations require the technology and processes to access up-to-date inventory data without relying on spreadsheets saved on network drives. This is true across the supply chain—from the source at refineries or primary supply locations to the lowest level (terminal or tank).
- These production centers are the source of supply. If there isn’t normal pipeline capacity to take away production, on-site storage will fill up quickly. That leaves two options—cut run rates to produce less, which is what we’ve seen, or find another transportation or storage solution. Both of those involve working with supply and trading organizations to share how much of what products will need to be moved when and where. In normal operations that may be a simple task that appears to have a low value, but disruptions do just that—disrupt the normal process. Digital transformation isn’t the only path to a robust process that can flex to operational changes, but it can play a huge role in making a lean workforce run effectively in atypical business conditions.
- Working closely with supply planning and refining, the trading organization needs to know where to focus its efforts. Where’s supply going to be unable to replenish in time and a spot purchase is needed? Does refining need floating storage or a product sale to keep from overrunning storage capacity and keep run rates up? Are run rates being reduced so an inbound crude purchase needs to be offloaded? A system-wide view of supply and demand along with the key price information (commodity, logistic, and derivative) is crucial to making decisions quickly as new information is released, and markets change.
The world today is interconnected, not just digitally but in the physical world as well. Companies need to put significant importance on both the ability to defend against cyberattacks and operational robustness to respond to disruptions caused by attacks on key business partners. The most recent Colonial Pipeline cyberattack incident can be used as a business case for those organizations that are only dipping their toes in digital transformation—how do potential operational cost impacts compare to the investment in the people, processes, and technology needed to run the business in distressed situations?
“Companies need to put significant importance on both the ability to defend against cyberattacks and operational robustness to respond to disruptions caused by attacks on key business partners.”
What Can Be Done To Prevent Such Cyberattacks?
While cyberattacks at the scale of the Colonial Pipeline incident are rare, the organizations perpetuating the attacks are getting more and more creative and sophisticated. With critical infrastructure such as pipelines, power generation systems, and water treatment plants at risk on a regular basis, plans must be put in place to mitigate risks at every level.
At a minimum, companies should:
- Isolate control networks such as supervisory control and data acquisition (SCADA) systems from the business networks. The business and operational control networks generally rely on each other but should be adequately separated from each other.
- Set users up with the least privilege-type accounts and access based on security needs. Often, companies will allow access to all for convenience, but this will create a larger impact when hacked.
In addition, these infrastructure companies may not have costly, dedicated security resources to monitor cyberattacks 24×7, but there’s no guarantee that a full-time security team could prevent all these attacks. The Colonial Pipeline cyberattack was initiated by an organized crime group seeking money; not necessarily seeking to disrupt the pipeline infrastructure.