(Bloomberg) -- The U.S. company that just paid a $5 million ransom to East European hackers has been quietly making hundreds of millions of dollars a year providing a vital service with little competition and a safety record that has raised concerns.Colonial Pipeline, based in the Atlanta suburb of Alpharetta, Georgia, operates the largest fuel pipeline in the country, transporting more than 100 million gallons a day from Houston to New York City, half the region’s needs.While it began six decades ago as a proud joint project of big oil companies -- the U.S. commerce secretary was present for the 1962 groundbreaking -- today it’s mostly owned by an arm of Koch Industries and several Wall Street investors, and is run as much like a financial asset as a major piece of infrastructure.Over the past decade, Colonial has distributed nearly all its profits, sometimes more, in the form of dividends. In 2018, for example, it paid nearly $670 million to its owners, even more than the $467 million net income. Last year, it returned to investors over 90% of its $421.6 million in profits.It’s an approach that’s made plenty of money for its owners. Last year’s $421 million in net income was a gain of nearly 32 cents for every dollar of revenue. Investors are getting an annual return of about 10%.Meanwhile, its aging pipelines have suffered a series of accidents. Last August, a segment of a conduit was interrupted for almost a week after more than 28,000 barrels of gasoline spilled for days in a North Carolina nature preserve, discovered by two teenagers riding all-terrain vehicles.That was caused by a failure in a sleeve repair installed 16 years earlier. In March, a federal regulator said similar threats exist throughout the system and the continued operation without corrective measures “would pose a pipeline integrity risk to public safety, property, or the environment.”Three other spills due to cracks have been reported since 2015. In September 2016, a line was shut for 12 days, cutting supplies to millions of customers. Two months later, a fatal blast nearby led to another interruption.“Colonial’s inability to effectively detect and respond to such releases has potentially exacerbated the impacts of numerous releases over the operational history of Colonial’s entire pipeline system,” Pipeline and Hazardous Materials Safety Administration said in a notice of proposed safety order sent to Colonial Chief Executive Officer Joseph Blount.Colonial Pipeline disagrees with those statements, is working with the regulator to more fully address any concerns and began to implement lessons from the incident almost immediately after it occurred, a company spokesperson said in an emailed response to questions. “While one gallon released to our right of way is one too many, our safety culture is focused on zero operational events,” the company said.Some have also accused Colonial, like much of the rest of the industry, of insufficient attention to cybersecurity. Matias Katz, founder of the cybersecurity firm Byos, estimates that less than 25% of the U.S. oil and gas industry has adequate cybersecurity in place.In a response to questions, Colonial said it has increased overall spending on information technology by 50% since 2017, when a new chief information officer was appointed. Colonial uses more than 20 different and overlapping cybersecurity tools to monitor and defend the company’s networks, and its third-party investigator “has acknowledged many of the best practices we had in place prior to the incident,” it said in a statement.Colonial Pipeline’s capacity has increased marginally since the early 2000s yet reliance on it has grown markedly as refineries along the East Coast have shut down due to competition from shale sources in Texas and North Dakota.Read More: How a Key U.S. Pipeline Got Knocked Out by Hackers: QuickTakeFuel makers in New Jersey and Pennsylvania depend on pricier oil from Europe and West Africa, or domestic crude shipped on trains or on U.S. flagged-tankers, both expensive propositions. In 2019, Philadelphia Energy Solutions Inc., the largest refining complex on the East Coast, shut after a gasoline-making unit was almost destroyed by an explosion and fire.“The pipeline is 60 years old, but its importance has only increased as Mid-Atlantic refining capacity has decreased, and historically operating refineries in Virginia, Pennsylvania and New Jersey have shut down,” said James Lucier at Capital Alpha Partners LLC, a Washington-based consultant.Tougher regulation and fierce opposition from environmental activists have made it increasingly costly and more complex for companies to pursue major pipeline projects, according to Alan Gelder, vice president of refining and oil markets at Wood Mackenzie, a consulting firm. In January, President Joe Biden blocked the $9 billion Keystone XL project. Even during the Trump administration, energy companies such as Williams Cos. and Dominion Energy Inc. were forced to scrap major pipeline projects.“Building pipelines is complicated,” says Gelder. “Shareholders would be very careful about capital investments.”If in the 1960s, pipelines made clear economic sense in a country rapidly expanding its industrial economy, in 2021, with demand flattening and gasoline-burning cars being gradually replaced by electric ones, it’s become much harder to make the case for massive investment in fossil fuel infrastructure.“Colonial continues to actively explore growth opportunities, which are subject to confidential protections,” the company said. “Refined product consumption in the United States has remained relatively flat, but our commercial affairs team is constantly evaluating expansion opportunities to meet shipper and market demand.”The reliance on Colonial Pipeline is also a result of regulation like the 1920’s Jones Act, a federal law that requires goods shipped between U.S. ports to be transported on vessels that are built, owned, and operated by U.S. citizens or permanent residents. The limited number of vessels that meet the criteria makes it extremely expensive for refiners to get oil supplies from the Gulf of Mexico by sea.“Is this the way it’s supposed to be? I would say ‘no’,” Gelder said. “I don’t think U.S. energy infrastructure has ever had a particular plan.”It didn’t start out this way.In 1961, nine energy behemoths including Texaco, Phillips Petroleum, Continental Oil and Mobil joined to build what was then the country’s largest-ever privately-funded construction project. The pipeline costing $370 million (about $3.3 billion today) would allow them to haul gasoline and other fuels from Houston to New York Harbor and points in-between. Colonial was operating fully by 1964.After making massive investments that more than doubled the system’s capacity over the 1970s and 1980s, the oil majors that held and ran the pipeline eventually sold their stakes as depressed oil prices through the end of the century forced them to shed assets and combine operations.The pipeline’s ownership profile then began to change completely. Today, a unit of Royal Dutch Shell PLC is the only oil major among the five firms which split the control of the pipeline.A unit of the industrial conglomerate owned by billionaires Charles and David Koch emerged as Colonial’s largest shareholder after acquiring BP Plc’s and Marathon Oil Corp.’s interests from 2002 onward. A joint venture between private equity firm Kohlberg, Kravis Roberts & Co. and South Korea’s state-run National Pension Service bought Chevron Corp.’s stake in 2010. A year later, Caisse de dépôt et placement du Québec, a Canadian fund manager, bought out ConocoPhillips. IFM Investors, an investment firm owned by Australian pension funds, holds a stake since 2007.Private equity firms and pension funds are attracted to pipelines because they are natural monopolies and typically provide steady income streams even during economic downturns. Investors led by EIG Global Energy Partners LLC last month paid $12.4 billion for a stake in Saudi Aramco’s pipeline proceeds.Although simply known as the Colonial pipeline, it’s in reality a network of several pipelines, running in parallel, and extending in branches across the Southeast and East Coast. Measuring all the parallel lines and branches, it reaches 5,500 miles. The main two pipelines, known as Line 1 and Line 2, go from Houston to Greensboro, North Carolina. From there, two smaller pipelines, known as Line 3 and Line 4, extends to Linden, New Jersey. The pipeline has a capacity for about 2.5 million barrels a day -- more than the total oil consumption of Germany.Tom Garrubba, chief information security officer at Shared Assessments, said the oil industry “just wasn’t sexy” enough for hackers to go after historically. But the rise of ransomware as a billion-dollar business has made it more attractive to go after other vulnerable industries like energy.“This is very big black eye,” Garrubba said. “It’s going to start inviting other threat actors to be copycats. That’s what my concern is.”For more articles like this, please visit us at bloomberg.comSubscribe now to stay ahead with the most trusted business news source.©2021 Bloomberg L.P.