February 6, 2023

Volume XIII, Number 37


February 03, 2023


Energy and Infrastructure Companies Need to Know about the DOE’s and Other Agencies’ Focus on Cybersecurity

In May 2021, the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced three new research programs that are “designed to safeguard and protect the U.S. energy system” from potential cyberattacks. The DOE also announced a 100-day plan to address cybersecurity risks to the U.S. electric system. Not to be left behind, the Transportation Security Administration (TSA) issued a new security directive in light of the Colonial Pipeline cyberattack. Together, these agency actions demonstrate the scale and intensity of the threat to the energy industry and the government’s focus on curbing the threat to our national infrastructure systems. Energy companies should monitor these developments and assess their internal controls to ensure they are cyber-resilient.

The Colonial Pipeline cyberattack surfaced on May 7, 2021, and confronted residents of many Southern states with a real possibility of running out of gas. But, in the days leading up to the ransomware attack, the DOE and the Biden administration were already turning their attention to cyberthreats to the energy industry. The electric system was of special concern, being another piece of critical infrastructure vulnerable to attacks; extensive power interruptions could have devastating consequences. The Colonial Pipeline cyberattack vividly demonstrates that the post-9/11 sensitivity to terrorists’ physical threats must now extend to cyber threats.

Less than a week after the pipeline restarted, the DOE revealed its three-pronged research plan. The research programs will focus on: (1) securing against vulnerabilities in globally sourced technologies; (2) developing solutions to electromagnetic and geomagnetic interference; and (3) cultivating both research on cybersecurity solutions and the new talent needed to deploy them. The emphasis on the supply chain echoes the concerns of the Executive Order on Improving the Nation’s Cybersecurity, with its goals for the security of commercial software.

Importantly, the DOE is attempting to work with the industry. It kicked off its implementation of a 100-day plan — a plan formed by the Biden administration “to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain” — by soliciting input from stakeholders. Through a Request for Information (RFI), the Office of Electricity sought comments from the public on various aspects of the electric infrastructure. When the public-comment period closed on June 7, 2021, nearly 100 entities had submitted comments. The energy industry is fully as interested in these issues as is the government.

Directly responding to the Colonial Pipeline cyberattack, the Department of Homeland Security (DHS) — through the TSA — issued Security Directive Pipeline-2021-01, aimed at tightening its control of pipelines’ security. The directive requires that critical pipeline operators (1) report cyber incidents; (2) designate a Cybersecurity Coordinator; and (3) assess, remediate, and report their cybersecurity measures. Failures to correct deficiencies or to comply with the new rules could result in substantial fines under the TSA’s enabling statute.

Federal agencies and the Biden administration are giving strong, coordinated signals that — as a result of cyber threats and attacks — lax standards, minimal enforcement, and carrots for compliance are things of the past. However, the large number of agencies and divisions with enforcement powers could make compliance confusing and difficult — especially if different critical infrastructure industries are subject to different standards. As a result, infrastructure and energy companies should take action now to harden their security measures. Best practices will help mitigate not only government scrutiny, but also the threat of an attack.

© 2023 Bradley Arant Boult Cummings LLP. National Law Review, Volume XI, Number 200

About this Author

Lyndsay E. Medlin Compliance Attorney Bradley Arant Boult Cummings Charlotte

Lyndsay Medlin assists clients across industries with a variety of litigation, internal investigation, and compliance needs. Her experience includes assisting clients with drafting and developing policies and best practices to ensure compliance and prevent litigation; investigating and responding to internal whistleblower allegations, federal civil investigative demands, and state regulatory inquiries for financial services, healthcare, life sciences, and government contractor clients; and working closely with clients across industries to protect their business interests...

Andrew Tuggle IP Attorney Bradley Law Firm Huntsville

Andrew Tuggle’s practice focuses on technology and intellectual property law. He helps clients protect their innovations and comply with laws about data and technology.

Andrew helps clients protect their innovations through patents, trademarks, and trade secrets. With a strong technical background, he advises clients on how to comply with laws about cybersecurity, data privacy, digital assets, and exports.

Prior to law school, Andrew worked for a large, multinational hardware manufacturer; for a small engineering-design startup; and in academic DARPA- and G8-funded research....