Persistent Threats of Ransomware Attacks
As we reported in our 2021 Year in Preview series, we entered 2021 anticipating that ransomware would pose a serious threat to critical energy infrastructure. These concerns came to fruition in May 2021 when Colonial Pipeline Company’s (“Colonial”) entire 5,500-mile pipeline system carrying liquid fuels was shut down due to a ransomware attack by DarkSide, a hacking group that allegedly has loose ties to the Russian government.
Colonial is far from the only company to have suffered a cyberattack this year: media reports indicate that the energy sector was among the top five industries attacked in 2021, and that at least a quarter of large energy companies are highly susceptible to ransomware attacks. Experts have categorized these threats as significant and growing, and as requiring aggressive action in the face of increasingly sophisticated and destructive hackers.
The attack on Colonial was carried out by exploiting compromised credentials in Colonial’s system, allowing hackers to gain access to the network. Other attacks have used the same method, as well as fraudulent domains sent via phishing emails and weak email security, to give hackers access to secure information.
Outdated and insecure networks and accounts will continue to create vulnerability for the energy sector in 2022 until these systems are updated. The industry will also need to focus on training employees to identify phishing emails to protect sensitive data. And, perhaps most importantly, the industry needs clear, centralized leadership on how to navigate this serious and growing threat.
Gas and Oil Threats
The Biden administration issued both an executive order and a memorandum to improve cybersecurity. However, neither directly addressed the challenges facing the energy sector. The executive order was in the works prior to the attack on Colonial and did not address ransomware attacks; it applies only to the federal government and federal government contractors and suppliers, not private sector actors. The memorandum, which came several months after the Colonial attack, failed to address the segmented and incomplete oversight of cybersecurity issues at the federal level, particularly as it relates to the energy sector, leaving the industry without strong leadership on this issue.
The Transportation Security Administration (“TSA”), which oversees US gas and oil pipelines, has taken steps to fill this leadership void, issuing two security directives after the Colonial attack. Prior to the attack, TSA oversight focused primarily on physical security, and the TSA had only issued voluntary guidelines regarding cybersecurity. The initial directive was issued following the ransomware attack and required pipeline operators to report attacks, designate a cybersecurity coordinator to act as the primary contact for cybersecurity-related activities, and examine and evaluate current cyber practices. The second directive came several months later and appears to have been much more comprehensive. The directive itself was deemed sensitive and has not been made public, but the press release indicates that pipeline operators will be required to implement specific mitigations against ransomware attacks and other known threats, develop and implement a cybersecurity contingency and recovery plan, and conduct a design review of the cybersecurity architecture.
However, these guidelines have been implemented without stakeholder or public comment, and have not been implemented through the formal rule-making process, which may leave them vulnerable to challenge in the long term.
Threats to the Bulk Power System
Unlike oil and gas pipelines, the bulk power system – the large interconnected electrical system comprising generation and transmission facilities – is overseen by the Federal Energy Regulatory Commission (“FERC”) and conforms to standards set by the North American Electric Reliability Corporation (“NERC”). NERC has published comprehensive cybersecurity standards for the industry. In recent years, FERC has also taken steps to invest in cybersecurity, releasing a cybersecurity white paper in 2020 and updated standards in 2021.
In late 2021, FERC’s Cybersecurity Practices Audit of Power Grid Operators indicated that most operators were largely in compliance with required cybersecurity measures. However, the report says there are many non-required practices that would improve security, pointing out that existing standards do not fully protect bulk power operators from cyber threats. For the coming year, the FERC audit report recommended improving cybersecurity policies and procedures to address these vulnerabilities.
Throughout 2022, we plan to continue to focus on cybersecurity policy for this industry. Cyber threats continue to grow for energy companies and, as we saw with Colonial, attacks have far-reaching and potentially devastating effects for the country. Implementing formal rules for gas and oil pipelines and expanding the rules required for power grid operators will be crucial to protecting our access to reliable energy.