8 minute read
Will fuel shortages spur far-reaching action?
Drue Pearce, former Deputy Administrator of the Pipeline and Hazardous Materials Safety Administration, gives her view on what changes should result from the Colonial Pipeline ransomware attack.
hen Colonial Pipeline announced on 8 May 2021 that it had shut in its entire pipeline system due to a ransomware attack, most residents in the twelve states and District of Columbia that are served by the Colonial system did not expect to be impacted. But just as panic-buying and hoarding resulted in wide-spread shortages of toilet paper when Americans were first told to stay at home due to the COVID-19 pandemic, the fear of fuel shortages exacerbated by media and social media reports caused nervous drivers to create gridlock at gas stations from Houston to northern New Jersey. By 12 May, even as Colonial restored operations and announced fuel delivery timelines, the frenzy resulted in reports of at least 12 000 gas pumps being completely dry. By 17 May, fuel outages persisted in many affected states and gas prices hit their highest prices in six years, according to AAA data. GasBuddy reported that five states and the District of Columbia were still experiencing fuel outages of at least 10% on 1 June.
Few situations strike the same level of fear and angst in Americans as the specter of an empty gas tank. From Barrow to Key West, whether we are filling cars, pickups, snow machines, or boats, we insist upon having the ability to travel where we want, when we want. People on the west coast anxiously asked state leaders whether they would be impacted by the shortages and airline passengers across the nation were concerned that upcoming flights might be cancelled.
America was mesmerised by fuel gauges. Americans were horrified by spiking prices at the pump.
Cybersecurity events have dramatically increased over the past two years, with triple digit percentage increases in attacks on the retail and healthcare sectors as well as double digit increases in
the government sector. But no single event captured the attention of Americans like the Colonial Pipeline ransomware attack and ensuing gas shortages and price spikes. The national security threat posed by cybercriminals whose attacks affect citizens going about their daily business sparked headlines, dinner table discussions, and outrage. Even though Colonial recovered full pipeline operations within five days, while the average recovery time is 21 days, it was quickly hit with at least two lawsuits seeking class action status that claim their cybersecurity defenses were inadequate.
Many in the cybersecurity market, echoed by politicians, were quick to criticise Colonial. And, predictably, politicians at the local, state, and federal level were quick to react.
Ramifications The initial and ongoing reactions have long-term implications for Colonial and other product pipelines as well as other companies that transport oil and natural gas. Ramifications will likely follow for every sector of the US economy, with bottom lines being impacted.
Federal Energy Regulatory Commission Chair Richard Glick called for mandatory pipeline cybersecurity standards on 10 May. President Biden signed an Executive Order on Improving the Nation’s Cybersecurity on 12 May. Energy Secretary Jennifer Granholm made several statements culminating in a declaration that more comprehensive cyber standards are needed for the energy sector. The Transportation Security Administration (TSA) issued a Security Directive on 27 May that requires pipeline owners to report cyber incidents and to review their current cyber practices, and then report gaps and mitigation plans to both TSA and to sister agency Cybersecurity and Infrastructure Security Agency (CISA). And TSA’s Assistant Administrator Sonya Proctor testified before the House Transportation & Maritime Security and Cybersecurity, Infrastructure Protection and Innovation Subcommittees on 15 June that a coming directive “will require more mitigation measures, which includes more specific requirements with regard to assessments.” She also said inspections of cyber systems will increase and accountability will be assured.
Congress was quick to act, too. Bills that went nowhere in previous sessions were reintroduced, hearings were scheduled, and ideas for new mandates were floated by members of both the House and Senate.
Industry reacted, with the American Petroleum Institute’s (API) Suzanne Lemieux cautioning that any new mandates need to be practicable, pointing out that a requirement to report each of the tens of thousands of phishing attempts alone on every pipeline company every day would be inefficient and ineffective. Companies defended their cybersecurity protection systems, pointing out the millions of dollars they spend annually preventing ransomware, hacking, phishing, malware, spyware, and other attacks. They pointed to the update that is already underway to API Standard 1164, “Pipeline SCADA Security”, that will incorporate the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISA/IEC 62443 standard.
The need to improve oversight From my vantage point as a former Pipeline and Hazardous Materials Safety Administration (PHMSA) Deputy Administrator, it appears that Colonial was effective at quickly isolating the system that was attacked by the ransomware. Pipeline companies have made cybersecurity a Board level issue both because they recognise the importance of the critical infrastructure they operate to the nation’s national and economic security, but also because of the significant financial impacts of any successful attack. Cybersecurity insurance coverage is extremely expensive and riddled with exclusions when available at all.
Ransomware and other types of cyberattacks that imperil the safe operation of a country’s transportation systems must be recognised as national security threats. We must also recognise that the US energy industry is very diverse, with many players large and small, including both foreign and domestic ownership.
While there are calls for moving authority for critical infrastructure cybersecurity like pipelines from TSA to the Department of Energy (DOE), such a move would be a mistake. Rather than moving the authority, the Biden Administration should focus on improving oversight. There are several different departments and agencies involved in pipeline and cybersecurity regulation; what is needed are communication, co-ordination, collaboration, cooperation, and clarification of authorities rather than conflict between TSA and CISA at DHS, PHMSA, FERC, and DOE. The federal government should approach any new regulatory action using a partnership model in which they work with industry to create an efficient and effective regime that is practicable to implement.
New, more sophisticated cyberattack technology is constantly emerging. In some cases, the private sector recognises emerging threats more quickly than our government. Some energy companies have more sophisticated security systems than any government. Government and industry should work to ensure that information about emerging threats is shared – and shared in a timely manner between agencies – between companies, and across a public-private partnership. It is imperative that any new regulatory measures provide the flexibility necessary to allow both agencies and pipeline companies to react quickly to emerging threats.
A cyberattack is a criminal offense. While the importance of shared information cannot be underestimated, sensitive and privileged information must be protected by both the government and by private companies. Government agencies must determine who has access and how top-secret information will be utilised.
Steps to take now Regulation promulgation is a tedious process, even when driven by threats to national security. The clarification of authorities that is necessary requires statutory changes that can only be accomplished if Congress acts. What should pipeline and other energy infrastructure companies do while waiting for new regulatory action?
First, they should continue to advocate for an efficient, effective, and flexible regulatory regime that clarifies which agency has what authority. Their work to update API Standard 1164 should be accelerated.
Companies of all sizes must review their cyber policies and procedures. Cybersecurity should be written into strategic plans and every employee should be trained and retrained repeatedly
about threat awareness. Incident response and recovery planning should include cyber-related events, with the appropriate level of exercises that will lessen confusion and paralysis in the case of a successful attack.
The industries’ trade associations should explore options for providing cyber-related insurance coverage to their members. Successful cyberattacks can result in severe economic harm and pipeline companies are eager to limit the damage these costs have on their corporate reputations, shareholder relationships, and bottom line. Victims of cyberattacks will be ever more concerned about costly litigation stemming from cyber-related supply interruptions.
I have a mantra that I use to advocate for pipeline companies to implement safety management systems: “You’re only as good as your worst contractor.” In the case of cybersecurity protection, I would expand that to include all external parties with whom a company shares computer systems and data. In order to secure their systems, each pipeline company should ensure that every one of their vendors, contractors, partners, customers, and even government agencies with whom they share data, have adequate cybersecurity practices.
Unfortunately, Americans have short attention spans – today they are no longer mesmerised by their fuel gauges. Concern about prices at the pump is more likely to be considered as part of an all-encompassing fear of inflation than as a result of the Colonial ransomware attack. But it would be a mistake to wait for the next crisis to act. Just as the Exxon Valdez oil spill resulted in major changes to the entire industry’s marine transportation practices, the Colonial pipeline five-day shutdown and panicinduced gasoline shortages should result in major changes to the US government’s and industry’s approach to fighting the national security threat posed by ever evolving cybersecurity terrorism.
About the author Drue Pearce is the Government Affairs Director in Holland & Hart LLP’s Anchorage, Alaska office. She was the Deputy Administrator of the Pipeline and Hazardous Materials Safety Administration during the Trump Administration and previously served in the Alaska State Senate where her committees had primary jurisdiction rewriting the state’s oil spill prevention and response statutes after the Exxon Valdez grounded on Bligh Reef.
Bibliography
https://www.gasbuddy.com/go/colonial-pipeline-shutdown-fuel-outages-by-state https://gasprices.aaa.com/southeast-continues-to-see-tight-supply-as-gas-pricesstabilize/ https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/ executive-order-on-improving-the-nations-cybersecurity/ https://www.ferc.gov/news-events/news/statement-ferc-chairman-richard-glickchairman-glick-and-commissioner-clements https://thehill.com/policy/cybersecurity/554364-energy-secretary-granholmexpresses-openness-to-cyber-standards-for https://www.spglobal.com/platts/en/market-insights/latest-news/electricpower/052821-us-energy-secretary-calls-for-more-cyber-standards-on-oil-gasinfrastructure https://www.api.org/news-policy-and-issues/cybersecurity https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurityrequirements-critical-pipeline-owners-and-operators https://www.isa.org/intech-home/2018/september-october/departments/newstandard-specifies-security-capabilities-for-c https://homeland.house.gov/activities/hearings/cyber-threats-in-the-pipelinelessons-from-the-federal-response-to-the-colonial-pipeline-ransomware-attack . https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecuritystats-------what-you-need-to-know-for-2021/?sh=75c6289158d3
