As has been reported, a recent ransomware attack has caused an interstate pipeline and fuel supplier to much of the eastern United States to shut down its operations. Although the attack did not compromise operational systems, the company opted to cease operations as a precautionary measure. The FBI confirmed that the attack was carried out by an international criminal gang of hackers. The US Department of Energy, Cybersecurity and Infrastructure Security Agency, FBI, and other government officials are working directly with the pipeline to restore operations.
This recent attack has highlighted the cybervulnerabilities of private infrastructure that is critical to national security, the economy, and overall public health. As we reported previously, the increase in cyberattacks on pipelines and other critical infrastructure continues to raise concerns over the adequacy of federal government oversight and related questions, including the following.
Political Focus on Safeguarding Critical Infrastructure
Infrastructure investment is featured prominently in the nation’s current political discourse. President Joseph Biden’s sprawling infrastructure agenda seeks to spur investments in energy infrastructure and shore up cyberdefenses for critical industrial control systems, particularly in the electric sector. In his May 10 statement on the ransomware attack, for example, President Biden touted the launch of an interagency 100-day plan to confront cyberthreats in the electric industry, with plans to roll out similar initiatives across other critical sectors, such as water and natural gas.
Lawmakers are adding to the chorus. Senator Ben Sasse (R-NE) remarked, “If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors.” We expect that addressing vulnerabilities in critical infrastructure will take on heightened significance as negotiations continue on passing an infrastructure bill.
Renewed Calls for Mandatory Cybersecurity Standards
Unlike utilities in the electric industry, pipelines follow voluntary guidelines and standards issued by the US Transportation Security Administration (TSA) and industry trade groups. Regulatory requirements alone cannot eliminate cyberrisks, but the absence of enforceable standards in the pipeline industry continues to receive criticism by lawmakers and other stakeholders. The TSA’s voluntary guidelines, for example, have been criticized as insufficient by the Government Accountability Office.
And, shortly after the recent ransomware attack, FERC Chairman Richard Glick and Commissioner Allison Clements issued a statement pushing for “mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector [i.e., the NERC CIP Standards].” The FERC Commissioners further remarked that “[s]imply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.”
Risks of IT and OT Network Interdependencies
Even though the recent ransomware attack reportedly affected the entity’s corporate network only, the entity opted to shut down its operational network—ceasing pipeline operations—as a precautionary measure. The move prompted industry commentary on the importance of shielding operations technology (OT) networks from threats to information technology (IT) networks.
Legacy utility infrastructure is often purpose-built to reliably handle a limited number of discrete tasks. Many of those components can be decades old and, to the extent they are networked at all, typically exist on standalone OT networks. As utilities steadily embrace the digitization of certain operational components, interdependencies can form between the entity’s IT and OT networks. This so-called “IT/OT convergence” offers many benefits but can increase cybersecurity risk by introducing additional attack vectors that routinely target IT systems via easily deployable exploits, such as ransomware.
Commercial Considerations
Shutting down critical infrastructure operations in response to a cyberattack causes direct and indirect commercial effects. A critical infrastructure owner unable to operate its systems may suffer lost profits and costly internal remediation and restoration efforts. The event also may bring unwanted media attention or increased scrutiny by state and federal regulators. Cyberattacks also can have indirect effects on third parties, such as commodity end users and adjacent industries (e.g., transportation).
The recent events are a reminder to critical infrastructure owners of the importance of being proactive by assessing contract and third-party liability risks resulting from service disruptions caused by cyberattacks and the legal tools available to help limit those impacts. From a security perspective, critical infrastructure owners should also stay current on widely accepted cybersecurity and management practices, such as those outlined in the NIST Cybersecurity Framework, and consider lessons learned from the electric sector, which is subject to mandatory requirements under the NERC CIP Standards.
We expect a continued focus on pipeline cybersecurity, and infrastructure protection more generally, by lawmakers, federal regulators, and state governments in the days ahead. We will continue to monitor these issues and provide additional information as developments occur.