Continued Threats of Ransomware Attacks
As we reported in our 2021 Year in Preview series, we began 2021 anticipating that ransomware would be a serious threat to critical energy infrastructure. These concerns were realized in May 2021 when the Colonial Pipeline Company’s (“Colonial”) entire 5,500-mile pipeline system carrying liquid fuels was shut down due to a ransomware attack by DarkSide, a hacking group that allegedly has loose ties to the Russian government.
Colonial is far from the only business that has experienced a cyberattack this year—media reports indicate that the energy sector was in the top five most attacked industries in 2021, and at least a quarter of big energy companies are highly susceptible to ransomware attacks. Experts have classified these threats as substantial and growing, and requiring strong action in the face of increasingly sophisticated and destructive hackers.
The attack on Colonial was conducted by exploiting compromised credentials in Colonial’s system, allowing the hackers to access the network. Other attacks have used this method as well, while others have relied on fraudulent domains sent via phishing emails or taken advantage of weak email security, allowing hackers to gain access to secure information.
Outdated, unsecured networks and accounts will continue to create a vulnerability for the energy sector in 2022 until these systems are updated. The industry will also need to focus on training employees to identify phishing emails to protect sensitive data. And, perhaps most importantly, the industry is in need of clear, centralized leadership on how to navigate this serious and growing threat.
Threats to Gas and Oil
The Biden Administration released both an Executive Order and a Memorandum to improve cybersecurity. However, neither directly addressed the challenges the energy sector faces. The Executive Order was in the works prior to the attack on Colonial, did not address ransomware attacks, and applies only to the federal government and federal government contractors and suppliers, not private sector actors. The Memorandum, which came several months after the Colonial attack, did not address the segmented and incomplete oversight of cybersecurity concerns at the federal level, particularly with respect to the energy sector, leaving the industry without strong leadership on this issue.
The Transportation Security Administration (“TSA”), which oversees U.S. gas and oil pipelines, has taken some steps to fill this leadership void, releasing two Security Directives after the Colonial attack. Prior to the attack, TSA’s oversight was primarily focused on physical security, and TSA had only released voluntary guidelines regarding cybersecurity. The initial directive was released in the wake of the ransomware attack and required pipeline operators to report attacks, to designate a cybersecurity coordinator to act as the primary contact for cyber-related activities, and to review and assess current cyber practices. The second directive came several months later and seems to have been far more comprehensive. The directive itself has been deemed sensitive and not released to the public, but the press release indicated that pipeline operators will be required to implement specific mitigation measures against ransomware attacks and other known threats, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
However, these directives were implemented without comment from stakeholders or the public, and were not implemented through the formal rulemaking process, which may make them vulnerable to challenge in the long run.
Threats to the Bulk Power System
Unlike oil and gas pipelines, the bulk power system–the large, interconnected electrical system including generation and transmission facilities–is overseen by the Federal Energy Regulatory Commission (“FERC”) and complies with standards set by the North American Electric Reliability Corporation (“NERC”). NERC has issued comprehensive cybersecurity standards for the industry. In the past few years, FERC has also taken action to invest in cybersecurity, issuing a White Paper on cybersecurity in 2020 and updated standards in 2021.
At the end of 2021, FERC’s cybersecurity practices audit of electrical grid operators indicated that most operators are largely compliant with required cyber measures. However, the report indicated that there are numerous practices that are not required that would improve security, highlighting that the existing standards do not comprehensively protect bulk power operators from cyber threats. For the coming year, FERC’s audit report recommended enhancing policies and procedures around cybersecurity to address these vulnerabilities.
Throughout 2022, we expect to continue to see emphasis on cybersecurity policy for this industry. Cyber threats continue to grow for energy companies and, as we have seen with Colonial, attacks have far-reaching and potentially devastating impacts for the country. The implementation of formal rules for gas and oil pipelines and the expansion of required rules for electric grid operators will be crucial to protect our access to reliable energy.