November 29, 2021

Volume XI, Number 333


Government Races to Secure Critical Infrastructure in Wake of Colonial Pipeline Ransomware Attack

One of the nation’s largest pipelines, Colonial Pipeline, which carries 45 percent of the East Coast’s fuel supplies, was forced to shut down on May 7 after it was targeted by a ransomware attack. Ransomware is a type of malware that criminal groups use to encrypt a victim’s data, effectively “holding it hostage,” until the victim pays a ransom.

Colonial Pipeline resumed operations on May 15. However, the cyberattack has sparked public panic and outcry as parts of the country experience fuel shortages and fuel prices rise to their highest levels in nearly seven years. The incident has also renewed efforts government-wide to strengthen security of U.S. pipelines and the power grid. On May 11, the U.S. House Committee on Energy and Commerce reintroduced bipartisan legislation aimed at bolstering the Department of Energy’s (“DOE”) ability to respond to cybersecurity threats to U.S. energy infrastructure. Among the several measures introduced were:

(1) The Pipeline and LNG Facility Cybersecurity Preparedness Act, which would require DOE to implement a program to coordinate federal agencies, states, and the energy sector to ensure the security, resiliency and survivability of natural gas pipelines, hazardous liquid pipelines and liquefied natural gas (“LNG”) facilities;

(2) The Energy Emergency Leadership Act, which would require the Secretary of Energy to assign energy emergency and energy security functions to an Assistant Secretary, including responsibilities regarding infrastructure and cybersecurity;

(3) The Cyber Sense Act and the Enhancing Grid Security through Public-Private Partnerships Act, which directs the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system; and

(4) The Enhancing Grid Security through Public Private Partnerships Act, which directs the DOE to implement programs to address cybersecurity-related vulnerabilities of, and physical threats to, the electric grid.

Also in response to the Colonial incident, Federal Energy Regulatory Commission (“FERC”) Chairman Richard Glick and Commissioner Alison Clements released a statement on May 10 calling for mandatory pipeline cybersecurity standards similar to the mandatory standards for the electricity sector administered in coordination with the North American Electric Reliability Corporation (“NERC”). FERC’s statement highlighted the lack of “comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines” in the U.S., and that “[s]imply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.” The Transportation Security Administration (“TSA”), which is part of the Department of Transportation, currently provides voluntary cybersecurity guidelines for fuel pipelines. Former Chairman and Commissioner Chatterjee and Chairman Glick have criticized the TSA in the past for its lack of oversight over pipeline security, responsibility for which in 2017 was delegated to just six full-time employees. At that time, FERC called on Congress to vest oversight of pipeline security within the DOE.

President Joe Biden on May 12 signed an executive order to improve the nation’s cybersecurity and protect federal government networks. The executive order, which acknowledges that much of the Nation’s critical infrastructure is privately owned, calls on the private sector to “follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.” The executive order focuses on: government-private information sharing, adoption of a “zero-trust security model” and deployment of multifactor authentication and encryption, improvements to supply chain security, creation of a Cybersecurity Safety Review Board (comprised of government and private sector leaders), improvements to detection, investigation, and remediation capabilities, and development of a cyber-incident response “playbook.” The Biden Administration emphasized that the executive order is “the first of many ambitious steps” to modernize national cyber defenses.

©2021 Pierce Atwood LLP. All rights reserved. National Law Review, Volume XI, Number 138

About this Author

Kayla Grant  energy regulatory attorney Portland ME
Associate

Kayla Grant is an experienced energy regulatory attorney with a strong interest in energy policy and regulation. Kayla capitalizes on her prior experience as an attorney advisor to Federal Energy Regulatory Commission (FERC) administrative law judges to advocate for clients in utility ratemaking and electric transmission matters. This includes advising clients on issues related to FERC jurisdiction, cost-of-service and formula transmission rates, electric utility tariffs, and RTO/ISO markets. Kayla also assists clients with North American Electric Reliability Corporation (NERC) Reliability...

207-791-1228
Randall S. Rich Pierce Atwood Partner DC Energy Energy Infrastructure Project Development & Finance
Partner

Randall Rich is the Leader of our Energy Practice Group and the partner-in-charge of the Washington, DC office. Throughout his over 38 years of experience, beginning in the Office of General Counsel of the Federal Energy Regulatory Commission (FERC) and continuing for more than 23 years at Bracewell, LLP, Randy always strives to form close personal bonds with clients as well as trusting relationships with both regulators and his colleagues in the energy bar. He gains an intimate understanding of the business and legal needs of clients by working for extended periods in their offices, hand-...

202-530-6424