The ransomware attack that crippled Colonial Pipeline’s network nearly two weeks ago was still fresh on the mind of FERC commissioners at their open meeting on Thursday, as they advocated various approaches to securing North America’s critical infrastructure in light of the latest reminder of its vulnerability.
Colonial, which claims to transport more than 100 million gallons of petroleum products daily, supplying about 45% of the gasoline, diesel and other fuels consumed on the U.S. East Coast, shut down its entire 5,500-mile pipeline network May 7 after it discovered the malicious software in its system. The FBI has attributed the attack to the cybercrime group DarkSide, believed to be based in Eastern Europe, possibly Russia. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)
After rumors circulated for several days, Colonial CEO Joseph Blount confirmed to the Wall Street Journal on Wednesday that he had authorized paying the $4.4 million ransom that the attackers demanded in order to restore the system more quickly. Since their identification by law enforcement, DarkSide appears to have gone silent; U.S. officials have denied that the government had disrupted their operations in retaliation.
At Thursday’s meeting, Chairman Richard Glick echoed his joint statement with Commissioner Allison Clements last week that called for “mandatory cybersecurity standards” like NERC’s Critical Infrastructure Protection (CIP) standards for the nation’s 3 million miles of natural gas, oil and hazardous liquid pipelines.
“The events of the last couple of weeks offer an important reminder of what is at stake when critical infrastructure is compromised,” Glick said. “I believe the time has come for action. … [Pipeline cybersecurity] is a matter that not only impacts the reliability of our fuel systems, but given the interdependency of the gas and electric systems, a cyberattack on the gas lines can impact electric reliability.”
Clements joined Glick in his call for mandatory standards, pointing to the growing incidence of cyberattacks against critical infrastructure as a sign that this issue is too serious to be left to the private sector any longer. While new regulations will inevitably need fine-tuning down the road, she urged colleagues not to slip into complacency and to be open to new approaches.
“We’re certainly fortunate that the pipeline outage lasted only as long as it did, and that the company, together with support from the state and federal governments, were able to manage the fallout,” Clements said. “I disagree with the charges that mandatory standards cannot keep up with an evolving threat, or that industry can handle the challenge on a voluntary basis. … Mandatory standards provide a baseline, a floor. It isn’t the end of the story.”
Other commission members expressed varying levels of support for Glick and Clements’ ideas, with Commissioner Neil Chatterjee reminding attendees that there are multiple approaches available, including incentives for cybersecurity investments like those the commission has proposed for electric utilities. (See NERC Pushes Cybersecurity Incentives.) He emphasized the need to “stay nimble and continue to bolster our defenses.”
“I’ve long supported NERC and recognize the important role mandatory standards … play on the electric side,” Chatterjee added. “But at this time I think we, as a commission, need to focus on what we actually could do on this front in the near term, given our statutory authority over ratemaking for natural gas and product pipelines.”
Commissioner Mark Christie noted that whatever FERC decided on, other actors will be making their own moves. In particular, the U.S. government will feel bound to respond to the attackers, and most likely in ways that go far beyond the limited capabilities of FERC, he said.
The attack “was either an act of war, if it was done by a state actor, or it was an act of terrorism, if it was done by a non-state actor,” Christie said. “I’m not opposing your proposal on putting pipelines under regulations, but an act or war or an act of terrorism is going to require a much more aggressive response by our federal government than simply regulatory changes.”
