The May 7, 2021, ransomware attack against Colonial Pipeline may be a turning point in the way the United States thinks about cybersecurity. The attack underscores the significant threat cyberattacks pose to operational technology (OT) and industrial control systems (ICS)—particularly those in the oil and natural gas industries—and the very tangible harms of cyberattacks.
The Transportation Security Administration (TSA) is expected to issue a two-part directive for pipeline cybersecurity, with the first part coming as soon as this week. To date, the TSA has only issued voluntary guidelines for pipeline cybersecurity, so the upcoming directive will be a significant change in the TSA's approach.
Other legal and regulatory changes may be on the horizon as well, given the high-profile nature of the Colonial Pipeline attack and its after-effects on consumers. Attacks on OT and ICS harm not only the victim companies, but also consumers who depend daily on the critical infrastructure systems those companies operate.
In response to the ransomware attack, operators shut down about 5,500 miles of the Colonial Pipeline system, which runs from Texas to New Jersey and provides approximately 45 percent of the East Coast's gasoline and diesel fuel supply. Even days after Colonial Pipeline began restoring normal operations, news outlets continued to report long lines and higher prices at gas stations around the country and fuel hoarding and shortages in numerous coastal states.
The oil and natural gas industries must prepare for the TSA directive and closer scrutiny of their cybersecurity programs by lawmakers and regulators. Companies can start their preparations by assessing the cyber risks of both their IT and OT environments and implement plans to manage those risks.
Oil and natural gas companies can expect more attention from hackers, too. Ransomware attackers are constantly looking for ways to exert leverage over their victims in order to increase the chances of getting paid. Attacks that bring down OT systems—and the massive outcry that would result when those systems manage critical infrastructure—could be a new stage in those efforts. Colonial Pipeline's operators reportedly paid a ransom of about $4.4 million, highlighting just how lucrative these attacks can be for the perpetrators.
Cyber Threats to Oil and Natural Gas Industry
Cybersecurity attacks against the oil and natural gas industry and OT operators in general are a well-known risk. In March 2018, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an alert detailing repeated cyberattacks by the Russian government against companies in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The alert notes that the attackers had gained remote access to the network of energy companies and collected information pertaining to the companies' ICS.
Recent and notable examples of attacks against oil and natural gas companies include:
- February 2020: CISA reported a ransomware attack 'affecting control and communication assets' on a natural gas compression facility's OT network. CISA noted that the victim company 'failed to implement robust segmentation between the IT and OT networks,' thereby allowing the attacker (identified as a nation-state actor) to move between the two networks and disable computers on both. CISA noted also that the victim company's emergency response plan did not include responding to cyberattacks.
- November 2019: Mexican state oil and gas company Petroleos Mexicanos (Pemex) suffered a widespread ransomware attack that encrypted many of the company's computers and disrupted administrative operations.
- April 2018: Energy Transfer Partners LP and TransCanada Corp., along with several other companies that own U.S. natural gas pipelines and storage facilities, reported that a cyberattack on a third-party electronic communications system caused service interruptions and data outages that affected the scheduling of gas flows.
Perhaps the most infamous attack against the energy industry in general occurred in December 2015, when Ukraine suffered a massive outage of its electrical grid. The outage was the result of a sophisticated cyberattack that seized numerous control systems and remotely switched off substations. Cybersecurity experts have attributed the attack to Russian state-sponsored actors.
And the energy industry is hardly the only target of attacks against OT systems. In February 2021, cyber criminals attacked a Florida wastewater treatment plant and briefly adjusted the levels of sodium hydroxide. Fortunately, operators detected the attack quickly and stopped it. Had they not, attackers could have increased the amount of sodium hydroxide in the water supply to dangerous levels.
Regulation of Oil and Natural Gas Industry Cybersecurity: Guidelines and Voluntary Programs
As of today, there are no specific cybersecurity requirements for oil and natural gas pipelines or other portions of the nation's oil and natural gas infrastructure. This is in sharp contrast to the electric transmission grid, which has been subject to detailed cybersecurity requirements since 2005. Those cybersecurity requirements are incorporated into the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) reliability standards, and NERC has authority under the Federal Power Act (FPA) to impose fines on owners and operators of energy grid infrastructure for failing to comply with those standards.1
The TSA has had primary oversight of cybersecurity for the oil and natural gas industries since the agency was created in 2001. To date, the TSA has taken a voluntary compliance approach, issuing Pipeline Security Guidelines applicable to operational natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, and LNG facility operators, among others.
In early 2020, the TSA and the U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) signed a memorandum of understanding to, among other things, coordinate 'in the development of standards, regulations, guidelines, or directives having an effect on pipeline transportation security ….' However, no mandatory cybersecurity rules for oil and gas pipeline systems have been issued yet.
CISA manages a Pipeline Cybersecurity Initiative (PCI) to enhance cyber resilience of the nation's pipeline system. However, participation in the PCI is voluntary.
Multiple news outlets are now reporting that mandatory rules for pipeline cybersecurity are on the way.2 Following the Colonial Pipeline attack, TSA has been facing pressure to use its regulatory authority to create such rules. FERC Chairman Richard Glick and Commissioner Allison Clements issued a statement on May 10, 2021, calling for 'mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector.'
Other legal and regulatory changes are possible too. Some lawmakers have questioned whether TSA is the right body to regulate pipeline cybersecurity, echoing concerns raised in a 2018 report by the Government Accountability Office (GAO). The GAO report criticized TSA's program for reviewing pipeline security, finding that the number of reviews TSA conducted varied significantly year-over-year, and stating that TSA 'does not have a strategic workforce plan to help ensure it identifies the skills and competencies—such as the required level of cybersecurity expertise—necessary to carry out its pipeline security responsibilities.'
On May 11, the U.S. House of Representatives' Energy and Commerce Committee reintroduced the Pipeline and LNG Facility Cybersecurity Preparedness Act, which would require the Department of Energy to create a program for regulating pipeline and liquefied natural gas (LNG) facility cybersecurity.
Risk Assessment for IT and OT Environments
In light of the expected TSA directive and heightened attention to pipeline cybersecurity, oil and natural gas companies should consider conducting comprehensive risk analysis of both their IT and OT environments. Risk assessments are a good place to start when enhancing a cybersecurity program, as they help companies identify where their priorities should be and which issues they can deprioritize for now.
TSA's voluntary Pipeline Security Guidelines provide an overview of a risk analysis process for oil and gas firms, including steps to identify potential cyber vulnerabilities, evaluate countermeasures in place, measure cyber risks, and establish strategies for risk management. The Guidelines state that critical facilities should undergo risk analysis at least every three years, and that findings from the risk analysis should be implemented within one year thereafter.
The National Institute of Standards and Technology (NIST) provides very detailed guidance for conducting risk analyses that can be adapted to oil and natural gas facilities. NIST Special Publication 800-30 ('Guide for Conducting Risk Assessments') sets forth a comprehensive methodology for identifying, evaluating, and measuring an organization's cyber risks. NIST Special Publication 800-82 ('Guide to Industrial Control Systems (ICS) Security') includes special considerations for performing risk analyses of ICS, including examination of safety risks, evaluation of physical impacts of ICS incidents, and inclusion of non-digital systems in the analysis.
A comprehensive risk analysis can help a company understand where it should be focusing its cybersecurity resources and justify its risk management decisions. After completion of the analysis, the company can develop and implement a prioritized risk management plan focused on addressing the company's biggest risks while accepting risks that the organization deems manageable.
In performing their risk analysis, oil and natural gas companies should pay close attention to IT and OT environments and evaluate their ability to detect and prevent the hackers from being able to traverse between those two environments. The Colonial Pipeline attack highlights the way that an intrusion of a company's IT network can lead to massive disruption of its OT systems.
Consequently, regulators are likely to examine the measures a company has taken to segregate the two environments and to evaluate whether an attack that originates in one environment can spill into the other. Companies should also spend time evaluating and improving their plans for responding to cybersecurity incidents. In its February 2020 alert on the ransomware attack on a natural gas compression facility, CISA explicitly called out that the victim company did not have a plan for responding to cyber incidents.
1 NERC is an independent body certified by the Federal Energy Regulatory Commission (FERC) to be the nation's Electric Reliability Organization (ERO) under Section 215 of the FPA. Under the FPA, a certified ERO shall file reliability standards with FERC, and both FERC and the ERO have the authority to levy fines on owners and operators who violate FERC-approved standards. See 16 U.S.C. § 824o.
2 See https://www.wsj.com/articles/tsa-to-require-pipeline-operators-to-notify-it-of-cyberattacks-11621960244?mod=djemCybersecruityPro&tpl=cy; https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/.