Yeah, welcome back to Think Tech. I'm Jay Fidell. We're talking about energy in America today more specifically. We're talking about the attack on the Colonial Pipeline. And this is pretty serious business. And we have serious business we call on Max. Max Pyziur. He's a researcher for EPRINC in Washington DC and he joins us from there. Hi, Max. Thank you for joining us today. Thank you, Jay. It's always great to have a lively conversation with you about topics of immediate interest. Well, the Colonial Pipeline is really interesting in the sense that it, it opens up possibilities and risks, maybe it reveals things that we weren't really thinking about, you know, in terms of the national conversation. So this is a teaching experience, even though it seems to have been resolved, at least for now. So can you talk about what happened here. And what, and what's the significance of this pipeline is. Well, in the context of the Colonial Pipeline, things began happening on Friday, May 7. You had a complete shutdown of the system. The announcements were terse, but you had a complete shutdown of the system, because it was announced that one of the Colonial systems, its corporate IT systems, was the target of ransomware. As a precaution, the whole system was taken down by the company to make sure that none of the other controlling systems. The control infrastructure across the whole expanse of the pipeline. They were also disabled. So you could do a full check on every every system. The significance of the Colonial system is that you have geographical mismatches across the United States. I don't know how it, how this is is experienced in Hawaii, but you have a bounty of resources in one area, and you have a lack in another, and you have to mitigate the you have consuming centers you have producing One of the more efficient ways of doing that is via pipeline.
So you have petroleum, crude production, crude imports, refining, at least half of all of that located right along the US Gulf Coast. On the east coast, you have the huge population center from Atlanta all the way up to New York City, points further north Rochester, Boston, whatever. Beginning in the late 1930s it was recognized that possibly a more efficient way than than than cargo ships, tanker ships it would be more efficient to move things via product pipeline. So you had one of the first pipelines is set up in 1938. With the war, you still had lots of tankers moving from the Gulf Coast to the East Coast but you had all of these German submarines attacking product tankers you had a shortage in the East Coast, as you were preparing for the preparing the war effort. And certain smart people within the the FDR administration saw to building some of the first product pipeline. The colonial part of the WPA, the effort that he made to resurrect the economy in the late 30s. The first one, the Plantation one in 1938 was that that's now operated by an entity known as Kinder Morgan. By the beginning of the 19 late 19, by the end of the late 1950s is, you know, seeing that there's going to be a surge in requirements for fuel. If you don't have the refineries on the East Coast you have terminal. How do we get the fuel from Texas to the East Coast in a more efficient way. So, at beginning in 1961 and completed in 1964. The Colonial Pipeline was built, originating in Houston and going all the way up to New York Harbor with spurs that came out at various points. North Raleigh Durham, North Carolina, Philadelphia, et cetera, it goes all the way up to New York Harbor. You know, when you think about pipeline like that going through a city. That's a big project you got to take a whole all the way through the city.
You have other kinds of infrastructure that same part of the city, you know, sewer, you know, electrical cables telecommunications cables, whatever it is and you really have a job ahead of you but you would tell me before the show that in those days you were able to build a pipeline a great distance, very quick time. And life was different then. Yeah, can you talk about that. Right. And well, you know, the pipeline that I cited that was built in the middle of the war as known as the ancient Big Inch. Now it's built within within a year and a half. The Colonial project was considerably larger. It's a it's a braid let's think of it as a braid running from Houston two different pipelines one primarily gasoline the other one primarily diesel and jet fuel. I mean, you're on the cusp of a huge expansionary period in the history of the United States. We were the beneficiaries of commercials every Sunday evening on Bonanza to see the USA in the Chevrolet. So somehow to get fuel in that Chevrolet you needed gasoline. And the pipelines that I'm sorry, a refineries in the East Coast that produce gasoline, you need a lot more to get in that Chevrolet to go across the United States or just, you know, wherever it is going on. So, governments that that the permitting the the easements that were required. All of that was in a much. I can't think of the right term but it was permitting wasn't as constricted or as challenged as it is in the current moment. Also, in those days you didn't have activist opposition the way you do now, especially about pipelines. Right Ralph Nader was only beginning his career with the Corvair. And he didn't find a whole bunch of Ralph Nader wannabes and pipelines weren't weren't weren't the target at that time. In the current moment pipelines are. Every pipeline every pipeline development is a struggle. But I don't know if I sufficiently answered your question.
Let's talk about the operational aspects of the Colonial Pipeline which which led into its vulnerability for this attack. Okay. Great question great great great topic. As time marches on and I hate to say time really does march on. And where you had operators along the, the length of the pipeline. Somebody with a phone and sitting there at a compression station, something like that. That is the limit has been eliminated in favor of all of these systems are now more and more computerized and they're computerized, not just by a private network into a private network. It connects into the internet. And with this ubiquity of so many connected devices. You have a central location that monitors all these things. But if you're not vigilant for all the malevolent and malicious activity that takes place on the internet. You can be compromised very much in the way that the Colonial Pipeline was compromised over the last five days. Why do you need these stations and internet connections anyway. Why don't you just put the oil through the pipe and let it come out the other side why don't why why do I need digital technology for that. In the case in the case of the Colonial it's not a crude oil pipeline it's a product pipeline. And there's a nuance to these things I mean, you're not just putting one type of stuff through it. A product pipeline is an ingenious development. You know, we really, whoever did thought of this where we should commend them highly, but it, you know, consider it. You're moving fuels and you're moving a lot of different fuels through just one system to one threat. How do you do it. Well, you put a certain kind of gasoline in the pipeline, and you have to push it. Well, maybe not everybody wants this 5 million barrels of gasoline. We also need to move diesel. So you use diesel to push the gasoline. And there's the two, two things mix and you have to be able to identify and extract that that's called a transmix, transportation mixture.
If you're moving two different kinds of gasoline, a higher octane and a lower octane. You have to identify the lower grade component and know what to do with it. And that's that's, that's where the complications come in and something like a computerized system. Create certain efficiencies, you know, you can have the operator there sit it, you know, some sort of a wheel and make adjustments to the to the pipeline, but they can have a bad day they can go out and get a bad tuna fish sandwich and that that that'll just disrupt things whereas with the computer. If anything, if it makes mistakes, it'll be consistent mistakes if it make if it does everything right it'll be done consistent. And that's the advantage that's seen in a computerized network. So if I if I take it offline. If I terminate the, you know, the digital technology, the computer functionality on this pipe that separates the shipments transfers of different kinds of product. What happens. We have care. Well, I mean, there was a perfect storm of that as we have California we have Texas and now we have what's going on in south, south eastern part of the United States. There are enough announcements. People became concerned they didn't trust some of these people said well we'll be back in a few days, you had panic buying and just the photographs that show up on Twitter are pretty astonishing as far as how much hoarding that took place by some people. So you had panic buying is so constantly in the state of in in Atlanta 50% of the filling stations don't have any gasoline. You have this going all the way up from state of Georgia to southern New Jersey. Right now 1% of this the filling stations in New Jersey don't have any gasoline, but you start going points further south. It goes to 2050 data Virginia 60% of the filling stations on any gasoline. And that's what happened over the last five days. A lot of that is attributed to I'm sorry, a lot of that is attributed to the to the panic to the hoarding.
But it also shows you the the vulnerability on such a large system and what could possibly jeopardize one small thing is to say like a butterfly in a cloud causes a rainstorm a thunderstorm of huge magnitude in Argentina. So something like this, some entrepreneurial hackers just wanting to extort some money suddenly created a huge mess that affected an area of about 100 million people. And that is remarkable you know it reminds me to dwell a moment on this it reminds me of the Northeast Carter back in the 70s Spencer Abraham was the secretary of energy at the time. And it went down the grid went down. And so you had, you know, again 100 million people all without electricity because all the grid, all the grids were connected. And they were down. And so he was he was on the media you know they said how could you let this happen. And he said let me explain. Let me pay attention to the infrastructure. It doesn't last forever, it fails. And in this case, you know the country built the infrastructure. I don't know the 50s maybe. And it was getting old and it failed. What can you do if you don't renew it. I'm wondering here if this could have been hardened, you know, they say that the, you know, the Texas grid system could have been built better. And it could have been interconnected and so forth. And if money had been put in they didn't want to do it but if money had been put in to to building that system better and harder. Their recent debacle would not have happened. Can you say the same thing about Colonial Pipeline. Could they have avoided this in some way by, you know, putting in more modern infrastructure and that would include electronics. Right. I think so. Yeah, without knowing all the details of the events that have taken place over the last five days. Certainly, it's the the internet. Corporate the computers have systems, both at the corporate level and at the operational level, are heterogeneous. Do you have many different system administrators.
Some of these system administrators, they're true virtuoso. They, they, they, I, you know, having been in IT myself and work over some of these people's shoulders and watch. Yeah, they, they continually refine their knowledge they continually work to better understand what capabilities of the system are what what are the new threats. There are others that take that are not as focused, let's say, to be generous. So it's it's, I think in this case there was a weak link and corporate system, perhaps at the executive level was compromised. Certain data was acquired, because understanding how how these hackers work that I'm assuming that's how it was done. That was where the vulnerability was and whoever was managing that one particular system across the whole Colonial network. And I think that was the Achilles heel. Leave it to the Greeks to give us a great metaphor for what took place. Well, so in this case, what happens is they they received a ransom demand. And at least at some management level, somebody decided hey wait, we are we are not going to be flat footed on this or at least we're going to minimize our damage here. So we'll turn it all off. We're going to turn everything off and and check out. Can you talk about that how that happened. Well, you know, it's it's an intrusion into a system somebody comes into your house. You don't know if they just stayed in the kitchen or if they went into every room. I think that that's what the precaution was that was taken by by Colonial, and that's a tribute to that that's a tribute to the system administration understood the level of threat. It's not just one system that that might have been affected it might be a company wide in every, every division of that exists across the board. And it's like the metaphor is they could still be in the house, ready to ready to do more, you know, still inside the system, ready to go to step two and three and four and really make a wreck out of it. Right, absolutely.
So I mean, so in that way it's, you know, once you, once you're you've compromised the networking you're in the network itself. Every network that you touch makes it appear that it's only the person from the compromised position, not from outside of the network. So it looks like the actor is within the system not outside of the system. And that that's what you want to do to diagnose and prevent. Now you said that there was some jurisdictional issues around what happened and the response to it what were the jurisdictional issues. They obviously we have regulatory authorities, those regulatory authorities have jurisdiction over certain kinds of things. We have the Federal Energy Regulatory Commission that has jurisdiction over the natural gas pipeline and over the electrical system, but they have no jurisdiction over the product pipeline. Colonial being a product pipeline is not under their, their oversight, FERC, the Federal Energy Regulatory Commission is particularly vigilant and particularly they're not. They're very good at enforcement. If they see a flaw, they'll let you know right away. And the enforcement, the jurisdiction for the product pipelines comes out of the Department of Transportation. There is an agency that has a difficult acronym, PHMSA, pipeline hazardous materials safety agency, and they have jurisdiction over the product pipeline. And where you have an established set of standards for the natural gas pipelines, you have something like management by suggestion, or, or regulation by suggestion for the product pipeline. You have one more division within the Department of Transportation that makes recommendations as to what the product pipeline operators should do. And some say, you have to, they just say, well, maybe you should try this to make it work. And there's no enforcement authority. So, in this current case, it's hard to say whether there should be stronger enforcement. But if anything it exposes that there's a lack of uniformity.
And that takes us to the whole notion of security is this kind of attack hasn't happened on an infrastructure of this magnitude before. I mean, I'll be worried about it but here it is we facing a new reality. And so let's assume that it was a state actor who could get this together. Why does Russia come to mind. Or maybe other countries but it's a state actor sounds like. And so we have to be prepared for this to happen again other attempts or attacks will follow and be possible. So how do you deal with this now do we need what we need in order to, you know, beef up our systems and minimize the risk of another attack. Yeah, obviously, we need efficiency. You need some centralization in the authority. You need some efficiency in the Sorry, sometimes there's just lack of a word in the delegation of information. You need coherent standards you need to update those standards consistent. You need to be able to broadcast the threat across a wide group consistently. Something that hasn't happened in this COVID right now, where you had so many different messages that so many different points of time, wear a mask, don't wear a mask. In this case, it's the same sort of things for at least with the product pipeline. I mean there's somebody has taken a look at this. Right, seems to me, we can't afford to have this on a regular basis. And we certainly have to minimize the risk going forward. Let's look at the damage. In this case, luckily, you know they acted preemptively by turning the system off could have been worse. Yes. So let's look at your slides yet some slides I wonder we could flip through them and learn from that map of the United States, a lot of colored lines. The Colonial Pipeline is shown in a much broader blue and there's an arrow emphasizing the direction of flow. Critically it's it's a huge pipeline in terms of capacity can move. Three million up to three million barrels per day of product. Just to give you context, the East Coast.
All the states say, West of the Appalachian from Florida up to Maine. That whole area consumes about 6 million barrels per day of product. So, half of that comes out of the US Gulf Coast along Colonial. Some of the other lines that you see there are the other product pipeline that that service other regions of the United States. If this went on for an extended period of time, some of those the capacity and those pipelines might be leveraged, depending on what's available. So you could reroute product to those other system. But Colonial is the big dog. Just just a curiosity if I went on that line, and I looked at physically at the pipe which would be buried or, you know, in a remote area and and protected in some way. How big would the pipe be what's the diameter of a pipe in this pipeline. I think it's about 30 inches. Okay, that's enough to, if it runs continuously that's enough to service 100 million consumers. Exactly. And the map that you saw was something that created the lines themselves aren't particularly distinct and that's with intention. The source of the information is the US government, and especially with the product pipelines, they want to blur exactly where they overlap on on the map. The same thing with the telecommunications landing areas you don't want to tell the public where it is because you're asking for sabotage and pipeline is a great target for sabotage just as this was. Can we go to the next slide. Yeah, this slide simply enumerates the events and some of the possible. Precaution. One point that I think I make here is is that if, if say this this extended for another week or another two weeks or maybe went out for a month, you would have the experience that took place in Texas with Hurricane Harvey and I think it's a fairly stability setting in but I think this was August 2017. 20, and would be all these secondary effects. We're talking about hospitals people are who absolutely require the gas for one thing or another.
You can you can make a list that'd be as long as your arm. Right, but, but one question flows from that is, so they got it back together again. Today, I think they got it back together. And that means they went through the system they wanted to make sure that there was nothing else lurking in there and they knew the scope of the problem, and then they turned on the computers again and effectively rebooted the electronic. And, and, and started the physical aspect of the pipeline, pushing product through the pipeline. And just to give you a context of how fast things go. If I can tell this to you anecdotally, we visited a one pipeline operator in the middle of Pennsylvania. And he says, you know, if I put the jet fuel in here and it goes up to Rochester and I start walking today. Now be up in Rochester in about a week. I'll be in Rochester just about the time that the jet fuel that I've injected into the pipeline here. So, to get to put it in more formal parameters. It's relatively slow. It's five miles per hour. So it's, you're pushing a huge mass. And it takes a considerable amount of time to get stuff from Texas at five miles an hour into New York. So all these states in the south, the, you know, and suffer a lack of gas for their gas stations and other facilities. They're not going to see full capacity for at least a few days. Absolutely. But at least they know it's coming. Yeah, hopefully it'll take the edge off the panic, because the panic really. I mean, just saying some of this. The lines are reminiscent of the 70s. 7074 and 79. And just some of the crazy scenes. There was a picture of an S, a couple with an SUV, a huge SUV, and they had all these red plastic gasoline containers. And they were filling them up and stacking them in the trunk component of part of the SUV. Just the, you know, I mean, it's more gasoline than you'll, you'll probably ever need for the next month and a half. It's just hoarding.
It's hoarding and maybe it's capitalizing on the problem, you know, and maybe reselling it to people who didn't have any gas. That's really awful. Right. But that's what happens in a panic. You can count on that. The same thing would happen with water. The same thing would happen with food actually. And therefore our infrastructure is so important. And I hope that this has some effect on Congress in terms of passing the infrastructure bill. I imagine there must be some money earmarked to deal with this very kind of problem in that bill. Well, it's interesting that you say that because politicians don't meet, don't miss a crisis when it starts happening. You know, the finger pointing came out, but also this week, you already have hearings scheduled that are going to, especially on the Senate side that are going to broach this particular topic. Energy and public works environment and natural resources. They all, if it's not the main committee, it's the subcommittees that are draw attention to this particular issue. And one thing is, you know, you mentioned that this is a company that we, we know the name of the company. It's called DarkSide, capital D-A-R-K capital S-I-D-E, but we don't know who runs it or where it's from or exactly, you know, how we could, you know, identify and stop it. But query what do we know about this and what is the possibility of catching people who do this sort of thing, or can we just, you know, write off a solution and assume that there is no solution. And we just have to be defensive that the only move we can make is defensive. Well, your question raises a number of issues about this sort of thing. One is that these entities have gone after relatively considerably smaller and less visible targets, hospital systems. Lady Gaga's private information. Things of that nature. They've never hit a system of this particular scale.
So by hitting a system of this particular scale that brings in the attention of entities like the FBI, Department of Homeland Security. People have a vested interest in protecting the borders of the United States and the Constitution. So that, that was sort of a mistake on their part because they identified themselves so clearly. So they can do it. One thought would flow is that they really care about the ransom. That was a cover. They really cared about disrupting the country. Because let me let me just post it to you and see what you think, because they knew that this had to be made public. And certainly it was a public spectacular. And if it was made public, the public would not tolerate paying a ransom. I think that would be politically, you know, indefensible to actually pay the ransom. So I think, you know, a reasonable state actor at least would know that this this is not going to result in a, you know, in a ransom. At the same time, you know, good for the government or whoever made that decision good for Colonial to say no, because if Colonial had paid the ransom. Oh my goodness, don't you think we'd be having more of the same. Well, I'm not sure Colonial didn't pay the ransom because given the way the, there was a press conference yesterday in the White House and two of the advisors to President Biden were up there one from one was a deputy national security the other lady. I think she was homeland. But the deputy national security advisor, when she was when the question was presented to her about advising on paying it not paying the ransom. They said, we don't make those kinds of recommendation. This is a commercial operation. It's up to them whether or not they want to pay the ransom. I find that a little peculiar that I mean, you know, this this this definitely arises to a level of criminality. I mean, I'm not just a misdemeanor. And yeah.
So that sort of ambivalence stated at the executive level, I seem to send a message is something behind behind the scenes that I agree with you. Right. Ask about so we're out of time actually Max but I know you have more slides maybe we can get to it in another show because maybe this will happen again but I only want to ask you one more question to close and that is you gave me some column anecdotes and one about a Latin American scenario. And I wonder if you could just tell that story and then we'll post. Okay, thank you. I don't want to disclose the company or or other. So I'm kind of masking some of these things but what is friends and those of a company that deals in industrial products. These are control systems on things like pipelines, and they sold them under license to a certain Latin American country that has petroleum interest. The petroleum interests are monitored and controlled by from the headquarters of this Midwestern company in their Midwestern city. Unfortunately, the Latin American country did not pay its monthly bill. And this is maybe going on eight or nine months. And finally the frustration of the company was such that they decided from that their own headquarters, they're going to shut down systems remotely several thousand miles to the south. Be as a signal to say, Listen, we would like to get our be compensated for the services that we've rendered and we're tired of waiting eight or nine months. I mean we do have our own bill. So, what that underscores is that the centrality and how much control over the internet, but the flip side of it is to is, if you compromise that that console operation in that Midwestern city. Then you have exposed, not just the Latin American country, but every network that these people have access to. It could be anywhere in the world. Exactly. Exactly. Yes. Well, that's, that's comforting Max.
I don't, I don't really understand or not, but anywhere in the world where this this organization has operations that they can control. We're in a new time. It's every time you look to something happens that has never happened before. And, you know, it's all combination of events technology and the way the world works is the world is not only flat. It's sometimes upside down. Definitely upside down. Yes, I agree. Max, Max Pyziur of EPRINC joining us from Washington, talking about the Colonial Pipeline, what happened and what the lessons are. Thank you so much, Max. Thank you, Jay. It's great to be with you to have this conversation.