As the shutdown of Colonial Pipeline’s critical infrastructure stretches into a third day, oil and gas prices were shrugging off the prospect of a potential supply crunch. But it isn’t the risk of a gasoline shortage that is giving the industry the jitters.

For years, cybersecurity experts and the U.S. government have been warning the energy industry that it remains all too vulnerable to the kind of ransomware cyberattack that knocked Colonial offline over the weekend.

Those warnings, in fact, included an alert just last year—as the pandemic was spreading around the globe—about another, unnamed U.S. pipeline system affected by a ransomware attack. The U.S. Cybersecurity and Infrastructure Security Agency reported that a spear-phishing attack had gained access to the IT systems at a natural gas compression facility, unleashing ransomware internally that resulted in the company losing sight of some of its own systems. While it didn’t lose control of its operations, the company had to shut down its pipeline network for two days.

The alert highlighted warnings that the operator didn’t have in place a specific emergency plan to deal with cyberattacks and that it had gaps in its knowledge about how to manage them. The U.S. agency that investigated the attack said that it “encourages asset owner operators across all critical infrastructure sectors to review the…threat actor techniques and ensure the corresponding mitigations are applied.”

In other words: Get ready.

Russians suspected

It was a prescient warning. On May 10, a Russian network called DarkSide claimed responsibility for the attack on the pipeline—which runs from the Gulf Coast and provides 45% of the East Coast’s fuel supply—in an apparent effort to extort a ransom payment from the operator, Colonial Pipeline.

“It’s not often that hackers manage to hit such crucial oil infrastructure such as Colonial’s pipelines in the U.S.,” says Louise Dickson, oil markets analyst at Norway’s Rystad Energy consultancy.

Nonetheless, on May 10 morning, oil prices were feeling bearish, dragged down by the larger picture of flagging demand in Asia and India owing to the pandemic: Brent was down 1.11%, and WTI was down 1.28% on May 10 morning, while the main U.S. gasoline futures contract was down 0.51%.

Though it wouldn’t affect supplies if the pipeline isn’t back online for a few days, a more prolonged outage could lead to increased prices, Dickson notes. However, the real issue here isn’t a prospective supply shortage: The U.S. can draw from its ample inventories, as the Biden administration has loosened the rules to allow for fuel to be transported by road instead. The East Coast can also pull cargo of gasoline and diesel across the Atlantic from refineries in Europe.

The bigger risk is that the Colonial Pipeline outage is a mere warning shot. For years, experts and industry insiders have warned that the energy sector is underinvesting in cybersecurity given the scale and complexity of the attacks on its systems—multiple attacks, per day—much of it on critical infrastructure. Some energy majors have themselves admitted that managing the scale and sophistication of the attacks they see is a major challenge, and some of those attacks have been successful. Pemex, the Mexican state energy company, was hit by a high-profile attack in late 2019, when hackers demanded $5 million in Bitcoin as ransom.

Particularly vulnerable

Though such attacks have hit everything from hospital networks to the U.S. government, the energy industry is particularly vulnerable. In a 2020 article, McKinsey warned that utilities and gas companies were more at risk because of their complexity, with geographically diverse, overlapping networks of both physical and cyber infrastructure.

Siemens Energy warned last year that it was the intensity of the sector’s operational systems that also put it at risk: Operational digital infrastructure runs 24/7, with virtually no downtime.

There are also plenty of motives, McKinsey warned. They include state-backed, geopolitically motivated attacks—including a famous attack on a Saudi petrochemical facility that the Saudi government attributed to Iran; economically motivated attacks designed to extort money from desperate companies; and “hacktivist” attacks intended as a protest against the energy industry.

The worry now is that the Colonial Pipeline outage is just the beginning.