Government Races to Secure Critical Infrastructure in Wake of Colonial Pipeline Ransomware Attack

One of the nation’s largest pipelines, Colonial Pipeline, which carries 45 percent of the East Coast’s fuel supplies, was forced to shut down on May 7 after it was targeted by a ransomware attack. Ransomware is a type of malware where criminal groups encrypt data, effectively “holding it hostage,” until the victim pays a ransom.

Colonial Pipeline resumed operations on May 15. However, the cyberattack has sparked public panic and outcry as parts of the country experience fuel shortages and fuel prices rise to their highest levels in nearly seven years. The incident has also renewed efforts government-wide to strengthen security of U.S. pipelines and the power grid. On May 11, the U.S. House Committee on Energy and Commerce reintroduced bipartisan legislation aimed at bolstering the Department of Energy’s (“DOE”) ability to respond to cybersecurity threats to U.S. energy infrastructure. Among the several measures introduced were:

(1) The Pipeline and LNG Facility Cybersecurity Preparedness Act, which would require DOE to implement a program to coordinate federal agencies, states, and the energy sector to ensure the security, resiliency and survivability of natural gas pipeline, hazardous liquid pipelines and liquefied natural gas (“LNG”) facilities;

(2) The Energy Emergency Leadership Act, which would require the Secretary of Energy to assign energy emergency and energy security functions to an Assistant Secretary, including responsibilities regarding infrastructure and cybersecurity;

(3) The Cyber Sense Act and the Enhancing Grid Security through Public-Private Partnerships Act, which directs the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system; and

(4) The Enhancing Grid Security through Public Private Partnerships Act, which directs the DOE to implement programs to address cybersecurity-related vulnerabilities of, and physical threats to, the electric grid.

Also in response to the Colonial incident, Federal Energy Regulatory Commission (“FERC”) Chairman Richard Glick and Commissioner Alison Clements released a statement on May 10 calling for mandatory pipeline cybersecurity standards similar to the mandatory standards for the electricity sector administered in coordination with the North American Electric Reliability Corporation (“NERC”). FERC’s statement highlighted the lack of “comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines” in the U.S., and that “[s]imply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.” The Transportation Security Administration (“TSA”), which is part of the Department of Transportation, currently provides voluntary cybersecurity guidelines for fuel pipelines. Former Chairman and Commissioner Chatterjee and Chairman Glick have criticized the TSA in the past for its lack of oversight over pipeline security, responsibility for which in 2017 was delegated to just six full-time employees. At that time, FERC called on Congress to vest oversight of pipeline security within the DOE.

President Joe Biden on May 12 signed an executive order to improve the nation’s cybersecurity and protect federal government networks. The executive order, which acknowledges that much of the Nation’s critical infrastructure is privately owned, calls on the private sector to “follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.” The executive order focuses on: government-private information sharing, adoption of a “zero-trust security model” and deployment of multifactor authentication and encryption, improvements to supply chain security, creation of a Cybersecurity Safety Review Board (comprised of government and private sector leaders), improvements to detection, investigation, and remediation capabilities, and development of a cyber-incident response “playbook.” The Biden Administration emphasized that the executive order is “the first of many ambitious steps” to modernize national cyber defenses.

Pierce Atwood’s energy infrastructure attorneys will be monitoring changes to the cybersecurity landscape and the impacts to the energy sector as they develop. If you have questions about how these developments might affect your project, please contact Randy Rich, Kayla Grant, Peter Guffin, and Vivek Rao.