Click here to go to the full PDF version of this issue, with any maps, photos or other artwork that appears in
some of the articles.
TAPS secure, but operator has close eye on Colonial Pipeline cyber attack
Alyeska Pipeline Service Co. maintains a state of readiness when it comes to cyberthreats.
Just like any other operating risk of running the 800-mile Trans Alaska Pipeline System, cyber risk is on the front burner 24/7 at Alyeska, according to Michelle Egan, Alyeska chief communications officer.
“We have a very comprehensive cybersecurity program here - it involves multiple layers of protection; we have an in-house cybersecurity team; we have a number of third-party experts and vendors that we work with; and we have very regular engagement with law enforcement agencies around this area - so that we’re aware of what is happening in the world of cyber security, Egan told Petroleum News in a May 11 interview.
The operator of TAPS is watching closely the situation at Colonial Pipeline Co. where a 5,500-mile fuel pipeline was shut down by a cyber-attack discovered May 7, choking off vital fossil fuel supplies to the U.S. East Coast.
Colonial is the largest pipeline system for refined oil products in the United States, capable of moving 3 million barrels of fuel per day between Texas and New York - 45% of the fuel consumed on the Eastern Seaboard between the Gulf Coast and the New York metro area.
The snafu, induced by Russia-based hackers, engendered lines of cars as panicked East Coast motorists binged on whatever fuel supplies could be found at the local gas station.
“As for this Colonial event, we are paying attention through trade associations; through government agencies; through law enforcement; to know what we can learn from this,” Egan said, adding, “I mean the continually evolving themes that our team works hard to stay on top of.”
Alyeska is poised to learn whatever it can learn from the breach, and any other real-world cybercrime that may plague pipelines and other critical infrastructure, Egan said.
“We learn things and change things because that’s part of this world of cybersecurity, it’s continually moving … a very dynamic area,” she said. “I can guarantee that we will be making changes, but our system is very comprehensive, and it has served us well.”
Asked about system redundancy, Egan said Alyeska has multiple layers of protection against cyber threats.
WaiversThe Biden Administration began what it called an “all of government” effort to address the pipeline interruption. It initiated a survey of Jones Act-qualified vessels to begin the process of evaluating what assets are available in the Jones Act fleet to carry petroleum products within the Gulf, and from the Gulf up the Eastern Seaboard, it said in a May 11 White House fact sheet.
The U.S. Maritime Administration was asked to determine if there is sufficient capacity on Jones Act-qualified vessels to carry needed fuel and to determine if a waiver is warranted, the White House said, adding, “Authority to receive requests for and to approve waivers to the Jones Act belongs to the Department of Homeland Security.”
The administration also issued a “targeted, one-week waiver” allowing multiple states to temporarily use noncompliant fuel to boost available supply. EPA Administrator Michael Reagan temporarily waived the federal Reid vapor pressure requirements for fuel sold in reformulated gasoline areas of District of Columbia, Maryland, Pennsylvania and Virginia. The waiver was later extended to a total of 12 affected states, and it was extended to May 31.
“The EPA stands ready to issue waivers for other affected states expeditiously whenever those requests are received,” the White House said.
The Department of Transportation issued a separate order allowing trucks to carry overweight loads of gasoline and other fuels on highways to move more supply to Colonial’s customers. It also issued a temporary hours of service exemption which applies to truckers transporting gasoline, diesel, jet fuel and other refined petroleum products to the region.
The DOT Federal Motor Carrier Safety Administration will work closely with its state and industry partners to monitor driver work hours and conditions for the duration of the exemption, DOT said.
Colonial said it had, “consistent with our safety policies and regulatory requirements,” increased aerial patrols of the pipeline right of way and that it had deployed more than 50 personnel to walk and drive the pipeline each day.
A ransomware group, DarkSide, demanded a cryptocurrency ransom valued at millions of dollars, according to several sources, CNN reported May 12.
But Colonial may not pay up, the report said. Working with U.S. government officials, Colonial has managed to retrieve the most important data that was stolen, according to a source.
“We would like to thank the White House for their leadership and collaboration in resolving this matter as well as the DOE, PHMSA, FERC and other federal agencies for their ongoing support,” Colonial said in a May 11 statement.
IBM’s new CEO Arvind Krishna suggested a NASA-style government investment is required to be able to tackle cybersecurity.
“When we talk about infrastructure, you talk about the Colonial Pipeline - that’s physical infrastructure; if the cyber side gets attacked, the physical is useless,” Krishna told First Move. “When we talk about infrastructure, we should make sure the cyber is on equal stage and equal footing with the physical.”
Krishna called for spending $100 billion on a public/private partnership to improve cyber resilience.
“Otherwise, we’ll be victim to these attacks again and again,” he said.
100% reliability in 2020Egan said Alyeska achieved 100% TAPS reliability in 2020.
“I think it’s important for people to know that we - everyone who works here at Alyeska understands how much the state of Alaska relies on us to be operate reliably, she said. “We understand how important that is and that’s why we have such a robust system.”
The first line of defense is people, Egan said.
“People who work here are very connected to TAPS itself, and take a lot of pride in its operation,” she said.
“We do have drills and exercises, much as we do for other risks such as oil spills,” she said. “We do test our system and then we also test our response, with drills and exercises.”
“We spend a lor of time in our company making sure that all of our employees and contractors are engaged in and educated about cybersecurity threat - the ones that you face at home, the ones that every business faces,” Egan said. “We also have a very active program in keeping our employees aware of what they can do to protect themselves, things like phishing and malware, etcetera.”
Alyeska said 2020 was the first time it had hit the 100% reliability level since 2003, but that the score is traditionally above 90%.
“The pipeline is operating reliably throughout this event with Colonial, and so is our business side of our house,” she said.
“When we end up in the upper 90s, it’s usually because of a planned shutdown, and the duration of that shutdown,” Egan said. “It’s typically not anything concerning, but some downtime that we planned for in order to get work done.”
Basically 100% reliability means “every barrel that we receive we deliver,” Egan said.
“To get down to the nuts and bolts of that and how we did that last year, we were able to make our maintenance shutdown several short ones, instead of longer ones,” she said. “While we might shut down for 12 hours, we use the tanks at Pump Station 1 to take in incoming crude and when that shutdown is over, we start moving oil again, so there’s really no impact on the downstream side.”