This post is a follow up from our recent discussion of the cyberattack that took the 5,500-mile Colonial Pipeline offline last week and the growing threat ransomware poses to our nation’s energy system. On May 10, 2021, a group called DarkSide took responsibility for the ransomware and the FBI has since confirmed the group’s involvement. DarkSide indicated that the attack was financially, not politically, motivated. DarkSide, which allegedly has loose ties to the Russian government, has targeted several other companies recently, including other, smaller U.S. power companies.
In the wake of the attack on Colonial Pipeline, several states in the Southeast continue to suffer from the effects of the shutdown, including low or no supply of gas and spiking fuel prices. Colonial Pipeline anticipates that the system will be begin restoring service by week’s end.
Homeland Security’s Threat Assessment
The inevitability of a large-scale cyberattack in the energy sector has been the source of discussion in recent months. In the fall of 2020, for example, the Department of Homeland Security (“DHS”) released a 2020 Homeland Threat Assessment (“HTA”) that sought to identify the primary threats facing the nation and to analyze information coming from all DHS operations. According to the HTA, cyber threats to the nation from both nation-states and non-state actors will remain “acute” and the nation’s critical infrastructure, including energy, health care and transportation sectors, should expect advanced threats of cyber-attacks. The HTA emphasized that these attacks, designed to disrupt, destroy and obtain both sensitive information and money, would be directed at both private and public sector entities.
GAO’s Report on Electricity Grid’s Cybersecurity
More recently, the concern over cyberattacks was highlighted in a March 2021 report by the Government Accountability Office (“GAO”). The GAO’s report examined the risk of attacks on electric grid distribution systems and potential mitigation tactics, and identified several key areas of vulnerability:
- Distribution systems are often large and dispersed. As these systems become more reliant on monitoring and control technologies that permit remote access capabilities and increased consumer networked devices, opportunities for cyberattack grow.
- Many of the industrial control systems used by distribution systems are old and out of date. These systems were designed prior to the advent of the Internet and adapting these older systems to new technologies has created additional vulnerabilities.
The report also assessed the protective plans in place to defend distribution systems against cyberattacks. Unlike the bulk power system infrastructure – the large, interconnected electrical system including generation and transmission facilities – distribution utilities are more geographically scattered; they are neither subject to oversight by the Federal Energy Regulatory Commission (“FERC”) nor required to comply with the North American Electric Reliability Corporation’s (“NERC”) extensive cybersecurity standards. Due to growing concerns regarding cyberattacks at the distribution level, however, the federal government, states, and industry actors have begun adopting mitigation and preventative measures to improve the cybersecurity of the grid’s distribution systems. These measures include:
- incorporating cybersecurity into routine oversight responsibilities of public utility commissions, including meeting with utilities and providing risk assessment programs;
- pursuing legislative action to give commissions more direct authority over cybersecurity best practices or hiring cybersecurity-specific personnel to oversee utilities and develop cybersecurity guidelines;
- weaving cybersecurity into internal practices, including trainings and governance structures;
- implementing the Department of Energy’s (“DOE’s”) Cybersecurity Capability Maturity Model, to manage new cybersecurity practices;
- voluntarily adopting NERC’s reliability standards applicable to the bulk power system; and
- educating states and industry actors on cybersecurity through a partnership between NERC and DOE that provides training programs.
The GAO report noted that, despite these measures, DOE has not developed a cybersecurity plan that comprehensively addresses the vulnerabilities and threats to the electric grid and recommended a more complete response to these issues. DOE’s priority, however, remains addressing the risks facing the bulk power system, not distribution assets, since as a cyberattack affecting the bulk power system would have significantly greater repercussions for a larger group of people more quickly than an attack to a distribution system.
Biden Administration Response to Colonial Attack
Cybersecurity is also a priority for the Biden Administration, as evidenced by Biden’s plan to “disrupt and prosecute” DarkSide and the emergency meeting called at the White House after the Colonial attack. The Administration released an executive order (“order”) strengthening cybersecurity for federal agencies and contractors discussed in a recent blog post here. The order will create digital safety standards for agencies and contractors developing software. Any entity violating the order potentially risks having its products banned from sale to the federal government. While the order is limited in scope and does not address sophisticated attacks or private sector entities, it would provide some protection from cyberattacks where data is left vulnerable, unprotected, and easily accessible.
While the HTA, the GAO’s report, and the executive order demonstrate that the government is prioritizing cybersecurity for electric grid assets, none addresses the very real threats faced by gas pipeline assets as recently witnessed in the cyberattack on Colonial Pipeline. Natural gas is now responsible for generating more than 40% of electricity across the U.S. and the need for a robust, national strategy, and certainly one that encompasses both gas and electric assets, is critical. Absent a uniform and comprehensive prevention and mitigation strategy, groups like DarkSide will continue to exploit the vulnerabilities in gas pipelines created from outdated technology, dispersed systems, and the lack of coordinated leadership at the federal level.