On May 10, 2021, the hacking group DarkSide succeeded in shutting down the Colonial Pipeline with a ransomware attack that highlighted the vulnerability of the U.S. energy sector to cyberattacks. The attack led to a panic among many consumers in the Southeast, resulting in a fuel shortage throughout several states. According to media reports, Colonial Pipeline paid $4.4 million in ransom to DarkSide to get its system back online.
DarkSide and other, similar hacking groups have developed strategies that put companies in leveraged positions, making negotiating with DarkSide nearly impossible. The hackers use a “double extortion” method to put pressure on companies by stealing sensitive and confidential information from companies’ systems prior to unleashing the malware. If the targeted company refuses to pay the ransom to get its systems back online, the hackers will threaten to release the private information. Another tactic these groups use is to steal the financial data and revenue information of a targeted company as proof that the company can afford the proposed ransom amount.
During the COVID-19 pandemic, hackers have taken down numerous businesses, hospitals, schools, and government agencies using these tactics. Companies have been particularly vulnerable during this time, as normal security perimeters have been stretched due to many employees working remotely. As we have previously blogged about, the energy sector – particularly gas assets – remains increasingly vulnerable due to the lack of cybersecurity regulation, the outdated infrastructure, and the size of the systems.
In the wake of the attack on Colonial Pipeline, the federal government has taken several steps to begin to address vulnerabilities in the country’s cybersecurity infrastructure. On May 12, 2021, two days after the Colonial Pipeline attack, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity (the “Order”). A few weeks later on May 27, 2021, the Transportation Security Administration (“TSA”) released a security directive (the “Directive”) which directly addresses cybersecurity of pipelines.
The Executive Order
While the Order came right on the heels of the Colonial Pipeline cyberattack, it had been in the works for months prior and does not directly address the type of ransomware attack carried out on Colonial. The stated goal of the Order is to improve the federal government’s efforts in identifying, protecting against, and responding to threats to cybersecurity and privacy. The Order indicates that this will involve collaborating with the private sector and making bold and significant investments to protect American infrastructure and institutions. Importantly, the Executive Order:
TSA Security Directive
A small staff within TSA oversees the security of millions of miles of U.S. gas and oil pipelines. TSA’s oversight includes both physical and cyber security for pipelines. In the past, TSA was primarily focused on the physical security of pipelines, although it did release voluntary guidelines on cybersecurity in 2002, most recently updated in 2018 (the “TSA Guidelines”). In light of the Colonial Pipeline attack, however, TSA has shifted its focus towards cybersecurity issues. On May 27, 2021, TSA released the Directive, which requires three specific actions from pipelines to enhance cybersecurity.
In the coming weeks, TSA anticipates releasing additional robust, mandatory rules, including steps to safeguard assets and required actions in the event of an attack. These rules will likely include fines for violations.
Impacts of These Regulatory Changes
While the Executive Order includes many standards and requirements for the federal government, the reach of the Order is actually quite narrow, as it only applies to the federal government and federal government contractors and suppliers. Because the vast majority of energy infrastructure within the U.S. is owned and operated by private sector actors, those companies will not be subject to these requirements.
Unlike the Order, the TSA Directive directly addresses vulnerabilities in cybersecurity within the energy sector. The Directive and upcoming mandatory rules mark a substantial shift in the relationship TSA has had with pipelines in the past, which was defined by voluntary participation and cooperation, rather than mandated rules. Many industry actors are wary of the change and would prefer to see a more conservative, cautious approach to developing regulations, citing concerns about overlapping and conflicting regulations coming from TSA and the Department of Energy. However, the Biden Administration, as well as many in Congress, have signaled a strong preference for the swift implementation of stricter, mandatory regulations to protect infrastructure. The Chair of the Federal Energy Regulatory Commission (“FERC”) also supports holding gas assets to the same standards as electric grid companies.
While the government and gas industry debate the best approach to oversight and regulation, there is one clear issue with the upcoming TSA rules: enforcement. In 2019, TSA had only five staff who handled pipeline security, but the U.S. has over 2.7 million miles of pipeline and over 3,000 companies that work in the industry. The Department of Homeland Security (“DHS”), which houses TSA and CISA, has indicated it intends to hire at both agencies to ensure proper staffing to enforce these regulatory changes. While there may be some bumps in the road as new rules are implemented and dozens of new DHS staff are on-boarded to oversee these rules, it is a critical first step toward creating a more comprehensive regulatory scheme.