On May 10, 2021, the hacking group DarkSide succeeded in shutting down the Colonial Pipeline with a ransomware attack that highlighted the vulnerability of the U.S. energy sector to cyberattacks.  The attack led to a panic among many consumers in the Southeast, resulting in a fuel shortage throughout several states.  According to media reports, Colonial Pipeline paid $4.4 million in ransom to DarkSide to get its system back online.

DarkSide and other, similar hacking groups have developed strategies that put companies in leveraged positions, making negotiating with DarkSide nearly impossible.  The hackers use a “double extortion” method to put pressure on companies by stealing sensitive and confidential information from companies’ systems prior to unleashing the malware.  If the targeted company refuses to pay the ransom to get its systems back online, the hackers will threaten to release the private information.  Another tactic these groups use is to steal the financial data and revenue information of a targeted company as proof that the company can afford the proposed ransom amount

During the COVID-19 pandemic, hackers have taken down numerous businesses, hospitals, schools, and government agencies using these tactics.  Companies have been particularly vulnerable during this time, as normal security perimeters have been stretched due to many employees working remotely.  As we have previously blogged about, the energy sector – particularly gas assets – remains increasingly vulnerable due to the lack of cybersecurity regulation, the outdated infrastructure, and the size of the systems.

In the wake of the attack on Colonial Pipeline, the federal government has taken several steps to begin to address vulnerabilities in the country’s cybersecurity infrastructure.  On May 12, 2021, two days after the Colonial Pipeline attack, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity (the “Order”).  A few weeks later on May 27, 2021, the Transportation Security Administration (“TSA”) released a security directive (the “Directive”) which directly addresses cybersecurity of pipelines.

The Executive Order

While the Order came right on the heels of the Colonial Pipeline cyberattack, it had been in the works for months prior and does not directly address the type of the ransomware attack on Colonial.  The stated goal of the Order is to improve the federal government’s efforts in identifying, protecting against, and responding to threats to cybersecurity and privacy.  The Order indicates that this will involve collaborating with the private sector and making bold and significant investments to protect American infrastructure and institutions.  Importantly, the Executive Order:

• removes barriers for information sharing related to cyber threats. Information Technology (“IT”) and Operational Technology (“OT”) service providers have unique access to and insight on cyber threats, but their contract terms often prevent them from sharing information about these threats with the executive departments and agencies that oversee cybersecurity and investigate cyber threats, including the Cybersecurity and Infrastructure Security Agency (“CISA”), the FBI, and other agencies;
• eliminates contractual barriers and requires the service providers to report cyber incidents to agencies to promote information sharing and improve the effectiveness of oversight by these agencies;
• includes steps to modernize the federal government’s cybersecurity by requiring agencies to transition to secured cloud-based technologies;
• provides that the Director of the Office of Management and Budget, the Secretary of CISA, and the Federal Risk and Authorization Management Program will collaborate to develop a cloud-security strategy and provide guidance to agencies on use of cloud-based services going forward;
• establishes a plan to enhance software supply chain security whereby the Secretary of Commerce will work with the federal government, private sector, and academia to identify and develop standards, tools, and best practices to enhance security of the software supply chain and to ensure certain data from software developers is available for review by the government;
• authorizes the Secretary of Homeland Security, in consultation with the U.S. Attorney General, to establish the Cyber Safety Review Board (“Board”) comprised of public- and private-sector officials, including representatives from the Department of Defense, the Department of Justice, CISA, the National Security Agency, and the FBI;
• creates a standard playbook for responding to cyber incidents and attacks to standardize response procedures across the federal government and to ensure a more coordinated, streamlined, and transparent response to cyber incidents and attacks;
• improves detection of cybersecurity incidents on federal government networks to enable a government-wide endpoint detection and response system and improve information sharing and maximize early detection of vulnerabilities; and
• improves investigative and remediation capabilities by authorizing the Secretary of Homeland Security to aid in the development of a log for cyber incidents and attacks that will enhance the ability for agencies to detect intrusions and vulnerabilities and to react to threats more efficiently.

TSA Security Directive

A small staff within TSA oversees the security of millions of miles of U.S. gas and oil pipelines.  TSA’s oversight includes both physical and cyber security for pipelines.  In the past, TSA was primarily focused on the physical security of pipelines, although it did release voluntary guidelines on cybersecurity in 2002, most recently updated in 2018 (“TSA Guidelines”).  In light of the Colonial Pipeline attack, however, TSA has shifted its focus towards cybersecurity issues.  On May 27, 2021, TSA released the Directive, which requires three specific actions from pipelines to enhance cyber security.

TSA’s Directive:

• requires pipeline operators to report cyber incidents and attacks to TSA and CISA “as soon as practicable,” but at least within 12 hours of an attack; reportable incidents include malicious software and unauthorized access to IT/OT systems and physical attacks on the network structure;
• requires pipeline operators to designate a primary and alternate Cybersecurity Coordinator and provide their information to TSA within seven days of the Directive as to who will serve as the primary contact for cyber-related intelligence and activities with TSA and CISA and must be accessible to these agencies twenty-four hours a day, seven days a week; and
• requires pipeline operators to review and assess their current cyber practices and activities against the voluntary TSA Guidelines to identify security gaps and potential remediation methods.

In the coming weeks, TSA anticipates releasing additional robust, mandatory rules, including steps to safeguard assets and required actions in the event of an attack.  These rules will likely include fines for violations.

Impacts of These Regulatory Changes

While the Executive Order includes many standards and requirements for the federal government, the reach of the Order is actually quite narrow, as it only applies to the federal government and federal government contractors and suppliers.  Because the vast majority of energy infrastructure within the U.S. is owned and operated by private sector actors, those companies will not be subject to these requirements.

Unlike the Order, the TSA Directive directly addresses vulnerabilities in cybersecurity within the energy sector.  The Directive and upcoming mandatory rules mark a substantial shift in the relationship TSA has had with pipelines in the past, which was defined by voluntary participation and cooperation, rather than mandated rules.  Many industry actors are wary of the change and would prefer to see a more conservative, cautious approach to developing regulations, citing concerns about overlapping and conflicting regulations coming from TSA and the Department of Energy.  However, the Biden Administration, as well as many in Congress, have signaled a strong preference for the swift implementation of stricter, mandatory regulations to protect infrastructure.  The Chair of the Federal Energy Regulatory Commission (“FERC”) also supports holding gas assets to the same standards as electric grid companies.

While the government and gas industry debate about the best approach to oversight and regulation, there is one clear issue with the upcoming TSA rules: enforcement.  In 2019, TSA only had five staff that handled pipeline security, but the U.S. has over 2.7 million miles of pipeline, and over 3,000 companies who work in the industry.  The Department of Homeland Security (“DSA”), which houses TSA and CISA, has indicated it intends to hire at both agencies to ensure proper staffing to enforce these regulatory changes.  While there may be some bumps in the road as new rules are implemented and dozens of new DHS staff are on-boarded to oversee these rules, it is a critical first step to creating a more comprehensive regulatory scheme.