Cybersecurity Policy Responses to the Colonial Pipeline Ransomware Attack (2024)

Long lines for gas and skyrocketing retail gas prices marked May 2021 as a memorable month for automobile owners. While gasoline shortages in the early 1970s were caused by an international oil embargo, this more recent supply shortfall resulted from a cyber ransomware attack on the Colonial Pipeline. Colonial Pipeline, the largest pipeline for transporting refined petroleum products in the United States, originates at refineries near Houston and extends some 5,500 miles to the New York City area. A hacker group known as DarkSide interrupted Colonial Pipeline’s access to its servers and demanded compensation.[1] The attack shut down Colonial Pipeline’s operations for approximately five days, causing localized shortages of gasoline, diesel fuel, and jet fuel.[2] Panic-buying became rampant across the southeastern United States as consumers feared gas would run out.[3]

Cyberthreats are becoming increasingly prevalent across all economic sectors, and they pose cascading national security risks for the energy industry. The Colonial Pipeline attack could have gone further. For instance, the infamous Russian NotPetya attack brought down most of Ukraine’s operating systems by infiltrating computers via a common accounting software mechanism and wiping information.[4] The NotPetya attack caused approximately $10 billion in damages spread across multiple international industries and crippled the country’s infrastructure.[5] Cyberattacks are increasingly utilized as a tactic in war for critical targets, as also seen in the numerous attacks on Ukraine’s energy infrastructure as an aspect of its current war with Russia.[6]

Following the high-profile Colonial Pipeline attack, federal and state governmental agencies undertook a series of actions to secure both the oil and gas pipeline networks and the electric grid. However, these complex components of critical infrastructure face continuing cybersecurity challenges.

The pipeline network was vulnerable to attack due to the government’s hands-off approach to cybersecurity, which left implementation largely up to private sector entities themselves.[7] The Transportation Security Administration (TSA) had suggested voluntary best practices standards to pipeline companies, but even physical security assessments had no enforcement capability.[8] In the electric sector, a Government Accountability Office report published just months before the Colonial Pipeline attack urged the Department of Energy (DOE) to address cybersecurity risks more strenuously, reflecting fears concerning vulnerabilities.[9]

This concern materialized in DarkSide’s ransomware attack, which was perpetrated by infiltrating Colonial Pipeline’s computer systems and encrypting billing files.[10] Colonial Pipeline controls nearly half of the gasoline, jet fuel, and diesel flowing along the East Coast.[11] Colonial Pipeline shut down its operational technology systems out of caution to halt further infection, but eventually paid the hackers $4.4 million in cryptocurrency to restore its operating systems.[12] Even after receiving the decryption key, it took days of work to restart the pipeline.[13] Federal authorities were eventually able to recover $2.3 million of the ransom.[14] Panic-buying by consumers depleted gasoline supplies at some service stations on the East Coast while also driving up retail gasoline prices.[15]

Alternatives to the pipeline, in the form of transporting fuel through trucks and tanker cars for trains, were slow to organize.[16] The Biden administration issued a temporary waiver for certain states to use noncompliant fuel to boost supply, and relaxed regulations covering transportation weight limits and personnel working hours.[17] This high-visibility incident led to widespread calls for remedial action as “every fragility was exposed.”[18] Whereas previous cybersecurity-focused action was based around presidential decrees, this event galvanized Congress and the Executive Branch into action. State regulators were also motivated to act due to the underlying dangers demonstrated by the Colonial Pipeline attack and the chaos it created, akin to a cybersecurity “Pearl Harbor” moment.[19] These responses included President Biden’s Executive Order 14,028 on Improving the Nation’s Cybersecurity, the Bipartisan Infrastructure Law, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, and the TSA/Department of Homeland Security (DHS) Cybersecurity Directive.

Within a week of the attack, President Biden published an executive order that had initially been drafted in response to an earlier ransomware attack called SolarWinds.[20] Executive Order 14,028 is aimed at improving the protection of supply chain security by removing information barriers between the government and the private sector, establishing a Cyber Safety Review Board, and creating a playbook for responding to cybersecurity vulnerabilities and incidents.[21] It is also directed at improving federal government and contractor security, such as creating an expectation for enhanced cybersecurity through vendor assessments.[22] The White House subsequently declared November 2022 as Critical Infrastructure Security and Resilience Month.[23] The White House also subsequently issued a memorandum entitled “What We Urge You to Do to Protect Against the Threat of Ransomware” that suggested voluntary guidelines for private entities to follow to guard against ransomware.[24]

The Bipartisan Infrastructure Law is far-ranging in terms of providing financial programs and grants.[25] It established a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) program that focuses on owners and operators of rural, municipal, and small electric facilities.[26] The State and Local Cybersecurity Grant Program provides state funding directed at cyber risks and threats as well as other eligible cybersecurity uses. The State Energy Program focuses on energy security, initiatives, and affordability as well as research programs under DOE and DHS for cybersecurity. Importantly, the law also established a Cyber Response and Recovery Fund for the Cybersecurity and Infrastructure Security Agency (CISA) to use after an attack. Finally, the Energy Sector Operational Support for Cyber Resilience Program enhances and tests the emergency response capabilities of DOE.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 builds on Presidential Policy Directive 21 by requiring reports to CISA within seventy-two hours for “cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States” and within “24 hours for ransom payments” actually paid out by the private entity.[27] The final requirements are to be promulgated through rule-making under CISA.[28]

The TSA/DHS Cybersecurity Directive focuses on critical infrastructure with performance-based standards. CISA also released performance goals across sectors focused on preventing further cybersecurity incidents.[29] Agency responses in the oil pipeline realm consisted of the issuance of TSA’s binding directives SD-01 and SD-02. SD-01 is an information-sharing directive mandating production of reports concerning cybersecurity incidents to CISA, designation of a cybersecurity coordinator, and reporting any deviations from TSA’s cybersecurity recommendations. SD-02 sets forth TSA’s substantive cybersecurity recommendations and requires mitigation measures, contingency and response plans, and third-party audits of cybersecurity practices.[30] These emergency directives will only last a year before needing renewal.[31]

State responses to cybersecurity threats focused on analyzing emerging cyber threats to energy systems within their borders and improving their ability to respond to such threats. Approximately forty-six separate pieces of legislation were introduced regarding potential cybersecurity threats to energy infrastructure in 2021.[32] Utah and Colorado enacted legislation regarding state agency protection of critical infrastructure, and Utah created a Cybersecurity Commission to identify cybersecurity threats to the energy sector.[33] The New York Power Authority, the nation’s largest public power organization, contracted with a private cybersecurity firm to bolster its cybersecurity defenses.[34]

The Colonial Pipeline attack highlighted the vulnerabilities of the energy infrastructure in the United States. As ransomware threats loom both here and abroad, it may prove useful to reconsider the division of cybersecurity responsibilities between federal and state agencies.

[1] See Tsvetan Tsvetanov & Srishti Slaria, The Effect of the Colonial Pipeline Shutdown on Gasoline Prices, 209 Economics Letters (2021).

[2] See Marisa Iati, How the Colonial Pipeline hack is affecting gas prices and supply, Wash. Post (May 17, 2021), https://www.washingtonpost.com/business/2021/05/12/faq-gas-shortages/; see also Lincoln L. Davies et al., Energy Law and Policy 719 (3rd ed. 2021).

[3] See Iati, supra note 2; see also Davies, supra note 2.

[4] Elle Nakashima, Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes, Wash. Post (Jan. 12, 2018), https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html.

[5] Josephine Wolff, How the NotPetya Attack Is Reshaping Cyber Insurance, Brookings Inst.: Tech Stream (Dec. 1, 2021) https://www.brookings.edu/techstream/how-the-notpetya-attack-is-reshaping-cyber-insurance/.

[6] Ryan Naraine, Ukraine Says Russia Planning ‘Massive Cyberattacks’ on Critical Infrastructure, Security Week (Sept. 26, 2022), https://www.securityweek.com/ukraine-says-russia-planning-massive-cyberattacks-critical-infrastructure.

[7] Cong. Rsch. Serv., R46903, Pipeline Security: Federal Programs 8 (2021).

[8] Ido Kilovaty, Cybersecuring the Pipeline, 60 Houston L. Rev., forthcoming, 104–05 (2023).

[9] U.S. Gov’t Accountability Off., GAO-21-81, Electric Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems 10 (2021).

[10] Kilovaty, supra note 8, at 103.

[11] See David E. Sanger, Nicole Perlroth, Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity, N.Y. Times (May 14, 2021), https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html.

[12] Don Smith, Cybersecurity in the Energy Sector: Are We Really Prepared?, 39 Journal of Energy Nat. Resources L. 265, 265 (2021); Kilovaty, supra note 8, at 103; Id.

[13] See Sanger, supra note 11.

[14] Joe R. Reeder & Tommy Hall, Cybersecurity’s Pearl Harbor Moment, 6 The Cyber Defense Review, 15, 15 (2021).

[15] See Tsvetanov, supra note 1, at 209.

[16] See Sanger, supra note 11.

[17] Fact Sheet: The Biden-Harris Administration Has Launched an All-of-Government Effort to Address Colonial Pipeline Incident, The White House (May 11, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/11/fact-sheet-the-biden-harris-administration-has-launched-an-all-of-government-effort-to-address-colonial-pipeline-incident/.

[18] Id.

[19] Joe R. Reeder & Tommy Hall, Cybersecurity’s Pearl Harbor Moment, 6 The Cyber Defense Review, 15, 15 (2021).

[20] See David Sanger & Julian Barnes, Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity, N.Y. Times (May 12, 2021), https://www.nytimes.com/2021/05/12/us/politics/biden-cybersecurity-executive-order.html; Executive Order on Improving the Nation’s Cybersecurity, CISA (Oct. 31, 2022), https://www.cisa.gov/executive-order-improving-nations-cybersecurity.

[21] Executive Order on Improving the Nation’s Cybersecurity, CISA (Oct. 31, 2022) https://www.cisa.gov/executive-order-improving-nations-cybersecurity.

[22] Software Security in Supply Chains: Enhanced Vendor Risk Assessment, National Institute of Standards and Technology (May 5, 2022) https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-enhanced.

[23] Joseph R. Biden Jr., A Proclamation on Critical Infrastructure Security and Resilience Month, 2022 (Oct. 21, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/31/a-proclamation-on-critical-infrastructure-security-and-resilience-month-2022/#:~:text=BIDEN%20JR.%2C%20President%20of%20the,Infrastructure%20Security%20and%20Resilience%20Month.

[24] Ann Neuberger, The White House, What We Urge You To Do To Protect Against The Threat of Ransomware, (June 2, 2021) https://www.whitehouse.gov/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf.

[25] Casey Dolen & Glenn Grimshaw, Opportunities For Cybersecurity Investment In The Bipartisan Infrastructure Investment And Jobs Act, National Governors Association (Aug. 24, 2022), https://www.nga.org/news/commentary/opportunities-for-cybersecurity-investment-in-the-bipartisan-infrastructure-investment-and-jobs-act/.

[26] Rural And Municipal Utility Advances Cybersecurity Grant And Technical Assistance Program, U.S. Dept. of Energy (2022), https://www.energy.gov/bil/rural-and-municipal-utility-advances-cybersecurity-grant-and-technical-assistance-program.

[27] Cyber breach reporting to be required by law for better cyber defense, PwC (Oct. 31, 2022) https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/cyber-breach-reporting-legislation.html.

[28] Brian Cesaratto et al., President Biden Signs into Law Federal Reporting Requirements for Cyber Incidents and Ransomware Payments, The National L. R. (Mar. 18, 2022), https://www.natlawreview.com/article/president-biden-signs-law-federal-reporting-requirements-cyber-incidents-and.

[29] TSA revises and reissues cybersecurity requirements for pipeline owners and operators, TSA (July 21, 2022) https://www.tsa.gov/news/press/releases/2022/07/21/tsa-revises-and-reissues-cybersecurity-requirements-pipeline-owners.

[30] Kilovaty, supra note 8, at 103, 124–25.

[31] Mariam Baksh, Biden Official Endorses Effort to Move Pipeline Cybersecurity Regulation to DOE, Nextgov (May 13, 2021), https://www.nextgov.com/cybersecurity/2022/01/biden-official-endorses-effort-move-pipeline-cybersecurity-regulation-doe/360915/.

[32] 2021-2022 Energy Security State Legislative Review: Cybersecurity and Physical Security, Nat’l Conf. of State Legislatures, https://www.ncsl.org/research/energy/energy-security-legislative-review-cybersecurity-and-physical-security.aspx.

[33] Boratha Tan, States Move to Protect Energy Infrastructure, Nat’l Conf. of State Legislatures (Nov. 9, 2022), https://www.ncsl.org/research/energy/states-move-to-protect-energy-infrastructure-magazine2022.aspx.

[34] Jonathan Greig, New York Power Authority to beef up cybersecurity with new IronNet, AWS deal, ZDNet (Jan. 13, 2022), https://www.zdnet.com/article/new-york-power-authority-to-beef-up-cybersecurity-with-new-ironnet-aws-deal/.

Article information

Author: Aron Pacocha
