Cyberattack on Colonial Pipeline affected gas prices far less than initially reported, study finds


A gas pump at the Sunoco gas station in Oak Hill, Virginia, remains out of service due to panic buying after the May 2021 Colonial Pipeline cyberattack. Credit: Wikimedia Commons.

LAWRENCE — In May, the Colonial Pipeline was shut down due to a ransomware attack by Russia-linked cybercriminals. As the largest fuel pipeline in the U.S., its six-day stoppage led to fuel shortages and price increases.

But how much the shutdown actually affected these outcomes is the subject of a new article titled “The Effect of the Colonial Pipeline Shutdown on Gasoline Prices.” It’s published in Economics Letters.

“We found the resulting increase in gas prices to be far less than the media initially reported,” said Tsvetan Tsvetanov, associate professor of economics at the University of Kansas.

“When looking at the six days from the closure to its reopening, there’s barely any price effect until the very end of this period. What we really saw was delayed and persistent impacts. So when we read in the news how the problem had been solved and the pipeline’s being reopened, that’s actually when we truly began to feel the effect of this.”

His article, co-written with KU doctoral student Srishti Slaria, uses daily regular gasoline price data at the city level and employs a difference-in-differences approach to address potential demand-side confounding factors. While fuel prices in May spiked to their highest levels in seven years, Tsvetanov discovered the Colonial Pipeline incident led to only a 4-cents-per-gallon increase in average gasoline prices in affected areas.

Launched in 1963, the 5,550-mile pipeline is the nation’s largest for refined oil products. Its two tubes can carry 3 million barrels of fuel per day between Texas and New York.

“That’s basically the bulk of the supply of fuel for the East Coast and the Southeast,” Tsvetanov said. “Some of these 18 states have local refineries. Some can rely on imports. If they have the river or seaports, they can access that. But mostly it’s the Colonial Pipeline they rely on.”

In May, just prior to the attack, dependence on oil products was escalating.

“At the time, we were seemingly coming out of the pandemic situation,” he said. “The economy was growing, more jobs were being created. Those were all demand-side factors that were pushing gas prices up. So the trick is, how do you parse out what would have been happening regardless from the fact of the pipeline shock?”

Adding to the motivation behind this work was the “inelastic” nature of gas consumption in the U.S.

“Inelastic demand means that the demand for a particular good is not going to change much even as the price goes up,” Tsvetanov said.

“We do need gasoline, we need to drive to work, we need to consume a certain amount no matter what. We’re going to be spending that money. We’re not going to adjust our consumption even if gas prices go up. So when prices do go up, they hurt our consumption of other goods because we’re still consuming the same amount of gas. But there is less income left to spend on all these other goods and services.”

A native of Bulgaria who was raised in India, Tsvetanov is now in his seventh year at KU. He studies energy and environmental economics, specifically how individual household choices factor into energy efficiency and renewable resources. This is his first foray into economic research involving a cybercrime.

“Highlighting the threat of cyberattacks in the future is becoming more of a common topic,” he said. “This is one of those things where the more we see it, the more it perpetuates itself because criminals learn that they can do it and get away with it. It will be a race on both sides — a race to improve protection against it and then to get even better at cracking those new defenses.”

The Colonial Pipeline breach was the result of a single compromised password. Colonial paid the hackers (a group known as DarkSide) a $4.4 million ransom in Bitcoin days after their demand. But in June, the Justice Department recovered $2.3 million in cryptocurrency ransom. The hackers have not been caught.

What has been done to prevent future cyberattacks?

“The Department of Energy has requested an increase in their funding in their budget for 2022 for that specific purpose — to try to fix whatever it is to make their systems a little less vulnerable,” he said.

Ultimately, Tsvetanov is optimistic his Colonial Pipeline article can help raise awareness about how cybersecurity intersects with economics, especially in the energy sector.

“The hope is that any time you publish a short paper, it actually inspires more people to look into your topic. I’d be happy to see even more analysis, longer papers, different analysis setups that dig a bit deeper into this to enrich our results,” Tsvetanov said. “This is just the starting point.”

Thu, 12/16/2021

Author: Jon Niccum

Media contact: Jon Niccum, KU News Service, 785-864-7633