Pipeline hack exposes federal holes in U.S. cyber oversight

By Peter Behr, Christian Vasquez | 05/14/2021 07:09 AM EDT

When Colonial Pipeline Co. was hit by ransomware attackers last week, the company called the FBI, not the top U.S. cyber agency. Experts warn that major gaps in federal oversight are putting 2.7 million miles of U.S. pipeline networks at risk, threatening natural gas that powers 40% of U.S. electricity.

Fuel holding tanks are seen at Colonial Pipeline Co.'s Dorsey Junction Station in Woodbine, Md. A cyberattack on Colonial that disrupted eastern U.S. gasoline supplies has raised questions about federal cybersecurity oversight of major pipelines. Drew Angerer/Getty Images

This story was updated at 9:59 a.m. EDT.

When Colonial Pipeline Co.’s computer files were kidnapped by ransomware attackers last week, the company called the FBI for help.

It did not call the top cyber agency at the Department of Homeland Security.

Brandon Wales, acting director of the DHS Cybersecurity and Infrastructure Security Agency, told a Senate committee Wednesday that it learned about the attack from the FBI, not Colonial, which shut down the nation’s largest fuel pipeline network last Friday in response to the hack.

The roundabout path of critical information about the cyberattack has raised new questions about the ability of the federal government — and another DHS office, the Transportation Security Administration, in particular — to effectively oversee the cyberdefenses of the roughly 2.7 million miles of U.S. pipeline networks. Many of those lines supply just-in-time natural gas to generate 40% of the nation’s electricity, raising the specter of blackouts from a major cyber disruption, experts warn.

High-voltage electric grids face mandatory cybersecurity rules set by the Federal Energy Regulatory Commission. But TSA, the lead federal agency for pipeline security, has elected to rely on collaborative reviews of companies’ cyberdefenses based on its voluntary Pipeline Security Guidelines checklist. The agency recommends — but does not require — companies to notify TSA "as soon as possible" of any attacks.

TSA had not responded to requests about Colonial’s notification actions as of yesterday evening.

But Colonial’s weeklong shutdown, affecting delivery of nearly half the East Coast’s fuel supplies, has revived a debate over whether essential natural gas supplies should have purely voluntary cybersecurity standards.

"It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," FERC Chairman Richard Glick (D) said this week.

"It’s clear that voluntary standards are not going to be adequate against an emerging threat," said Paul Stockton, former assistant secretary of Defense for homeland defense.

"Mandatory standards are not a panacea. They are slow to develop," added Stockton, who now runs a Santa Fe, N.M.-based strategic consulting firm. "But they provide a floor that all system operators need to meet. Then they can go above that. And they should."

Ever since the issue of stronger federal oversight of energy pipelines was raised by the Obama administration’s Energy Department in its last weeks in office, the oil and gas industry has successfully pushed back against the mandatory, enforceable rule structures that govern high-voltage grid networks or U.S. nuclear reactors.

"We’re not anti-regulation, but it needs to be smart, flexible and adaptive," said Suzanne Lemieux, manager of operations security and emergency response policy for the American Petroleum Institute.

API said it is updating its cybersecurity standards, which should be released within the next few months.

"Any regulatory action right now is premature … because we’re still in the event," she said. "We really need to know the details of what happened."

Kimberly Denbow, the American Gas Association’s managing director for security and operations, said in a statement, "TSA Pipeline Security Guidelines act as a floor, whereas mandates provide a ceiling. No regulation is faster than our adversaries’ ability to circumvent it. As soon as a mandatory compliance scheme is developed, it’s obsolete."

Pipeline systems are unique, and regulations cannot effectively deal with the differences, Denbow said. Flexible guidelines are better, she added.

A costly attack

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency with the Department of Homeland Security, is pictured on Capitol Hill in March. | Francis Chung/E&E News

Late Wednesday night, Colonial did provide DHS with some evidence of the hackers’ attack scheme, Wales said, but that "doesn’t tell the complete story yet."

"We are working with the FBI to get that information out today in a more broad way," Wales said at a George Washington University event yesterday.

The "indicators of compromise" found in Colonial’s system are important, Wales said, because another potential victim could have ransomware on its networks that’s not been activated.

"Even a couple of days’ delay can be the difference between other entities having the ransomware activated on their networks and not," Wales added.

Colonial has not yet publicly explained why a ransomware attack attributed to an Eastern European criminal group posed such a threat to pipeline operations that the system had to be shut down. The hackers evidently planned to lock up computer records on the pipeline’s business side until Colonial paid a ransom. Bloomberg first reported that Colonial paid the hackers nearly $5 million in hard-to-trace digital currency within hours of discovering the attack.

As Colonial struggled to restore its information technology networks, news of the cyberattack spooked some motorists into panic buying at filling stations (Energywire, May 13).

Colonial has restarted the "entire pipeline system" and is again delivering products, though the Georgia-based company said yesterday it would take "several days" until the system is back to normal.

But the worst-case consequences of losing a major natural gas pipeline for a week would read like a horror-story appendix for the energy sector.

The Texas energy crisis in February killed 111 people by official count, cut off power to 4 million people at its peak, forced evacuations and left behind billions of dollars in property damage. It was in significant part due to the freeze-up of gas delivery systems that were not prepared for a record cold wave.

The Electric Reliability Council of Texas, the state’s main grid operator, said the system was within seconds of a "catastrophic" uncontrolled blackout when it imposed directed, emergency shutdowns at the outset of the crisis (Energywire, Feb. 19).

The New England grid was stretched to its limit during severe winter storms three years ago, as much of the available natural gas supply was allocated for heating buildings, leaving too little for electricity generators. The region has power plants that can run on fuel oil if gas isn’t available, and that saved the day, Gordon van Welie, head of the region’s grid manager, ISO New England Inc., told Congress (Energywire, Jan. 24, 2018). But generators’ oil inventories were scraping bottom, and if a new ice storm had struck, blocking truck deliveries of new fuel, a crisis could have followed.

‘Competency gaps’

E&E News first reported on TSA’s limited cybersecurity review capabilities four years ago, and a series of congressionally directed critiques by the nonpartisan Government Accountability Office have identified critical weaknesses (Energywire, May 23, 2017).

As cybersecurity threats against pipelines and other energy systems were climbing, the staff of TSA’s Pipeline Security Branch fell from 14 positions in fiscal 2012 and 2013 to one in 2014, then back up to six. It had set no job requirements for cybersecurity expertise of the staff, GAO said.

TSA reported in a statement this week that its pipeline security staffing has been expanded from six positions to 34 full-time positions, including headquarters operations, policy specialists and roles in the field.

A TSA spokesperson told E&E News last year that it conducts about 20 security reviews a year from among the 100 biggest U.S. pipeline systems. The reviews "include a comprehensive look at their cybersecurity measures, programs and policies," following the guidelines. It performs more than 60 critical facility security reviews annually of the most vital pipeline sites to verify protective measures are in place for key cyber assets.

As of yesterday evening, TSA had not responded to an E&E News request for information about reviews of the Colonial pipeline system or how TSA responds when a pipeline’s performance falls below the guideline’s goals.

Leslie Gordon, acting director of GAO’s Homeland Security and Justice staff, said GAO is looking closely at TSA’s performance but has not scheduled a new update. "It’s not just hiring a bunch of people and the problem’s solved — it’s about closing competency gaps," Gordon said. "We’re still waiting on evidence that has occurred."

Gordon and GAO Assistant Director Ben Atwater told E&E News that TSA is working on a new risk management tool for ranking the most critical pipeline systems by weighing data on prior attacks, natural hazards, performance metrics, pipelines’ physical conditions and interdependencies with other energy networks.

TSA told GAO in March that it had met with Federal Emergency Management Agency officials in early 2019 and with Rand Consulting LLC in March 2020 to discuss ways to create the ranking tool. TSA said this year it was still "in the midst" of completing the project, with no end date scheduled yet, Gordon and Atwater said in a joint interview.

Eighth grade-level security

A jarring criticism of Colonial’s cybersecurity posture came this week from Robert Smallwood, a California-based partner in Madison, Wis.-based IT consulting group iMERGE Consulting. He described his work for Colonial 3 ½ years ago doing an audit of the pipeline’s information management practices.

"I mean, an eighth grader could have hacked into that system," he told the Associated Press, which first reported about the audit.

Colonial pipeline has "significant challenges in governing information," the January 2018 report begins, Smallwood told E&E News. It goes on to cite "an unacceptable level of information risk," among other findings, he said.

"The whole incident probably could have been avoided by doing the work that needed to be done, like hiring a chief information security officer and investing in software to inventory their information assets, finding out which information is most sensitive and locking them down with encryption," Smallwood said.

He said his team spent six months on the Colonial audit. "We had a lot of in-depth interviews," he said. "I never heard TSA mentioned once."

In a statement, Colonial said that iMERGE "conducted a records management and information governance assessment in 2017, which was initiated by our compliance department."

"We cannot speculate on Mr. Smallwood’s motives for discussing confidential work he was paid to do, but we can say that IMERGE was not engaged after presenting its findings and does not have any knowledge of what work was completed after the initial review," Colonial said. "The assessment methodology consisted of surveys, on-site presentations and group interviews — and importantly — did not involve any type of cybersecurity technical testing nor a comprehensive cybersecurity risk assessment."

The assessment was for "current records management and information governance practices, and to propose a roadmap for developing an information governance program including improving the existing records management program," Colonial said, quoting from the executive summary of the report’s purpose.

It’s a false dilemma to frame the debate over cyber rules for pipelines as a choice between solely mandatory rules versus purely collaborative cooperation, said security consultant Tom Alrich, who is a co-leader of an energy panel at the Commerce Department’s National Telecommunications and Information Administration.

"There should be standards. They should be mandatory. But they should be risk-based and nonprescriptive," allowing regulators and companies to prioritize attention on the most critical parts of a system. "Otherwise, there’s no limit" on cost and little confidence in the defense, Alrich said.

The TSA voluntary guidelines have "no meat" and "no real enforcement," said Tony Turner, vice president of security solutions at cybersecurity firm Fortress Information Security.

"There’s nothing like the million-dollar-a-day fine that an electric utility gets hit with" if serious violations are found, Turner said.

"Anything would be better than nothing right now. We pretty much have nothing. We have TSA guidelines," Turner said.