The complexity and velocity of cyberattacks, coupled with the volume of vulnerabilities exploited by increasingly sophisticated bad actors, make managing and mitigating cybersecurity risks for critical energy infrastructure a staggering challenge.
Speaking on a panel at the Energy Bar Association’s Mid-Year Energy Forum on Tuesday, Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center, said that approximately 10 years ago, the National Vulnerability Database had about 3,000 vulnerabilities “across a whole year.”
“We’re about 21,000 vulnerabilities projected in 2021, and keeping pace with that is just overwhelming,” Cancel said. “How the [energy] industry evolves to focus on priorities is going to be a challenge going forward, and we all know that unpatched vulnerabilities are a leading cause of breaches.”
One such breach was the ransomware attack on the Colonial Pipeline in May, which crippled 5,500 miles of pipeline that supplies the eastern U.S. with gasoline, diesel and other fuel products. It was an unforgettable day for David Gray, vice president and general counsel for the company. A ransom note appeared on a computer screen in the control room. Gray said the initial reaction was, “Are we sure this is a legitimate threat?”
“You quickly discover that one of the things that are most precious in an event like this is time,” Gray said.
In trying to assess whether the attack came from a state-sponsored or non-state entity, Gray said there was “enough uncertainty” to shut down the pipeline and “quickly pivot into notification” once it was determined it was a criminal act. Colonial called the FBI “almost immediately,” Gray said, and that helped with the recovery of the ransom it ultimately decided to pay.
Eric Meyers, vice president and chief information security officer for the New York Power Authority, said he has been in the cybersecurity industry long enough to remember when the worst threats were people sending chain emails and infected floppy disks. Now, the threats are phishing emails and malicious code injected into websites, by state and non-state actors alike.
“What used to be the unique domain of some of these well-funded state-sponsored actors who invested tremendous amounts of resources in developing those techniques are now out there for anyone to get access to on the web, and even more so, some enterprising entrepreneurs have taken those capabilities and wrapped them up into for-profit services,” Meyers said. “Then anybody with very little technical skill can go out there on the dark web, sign up for and launch an attack on anybody. That’s acting like a true force multiplier, drastically expanding the scope.”
During a keynote speech that preceded the panel, Dan Sutherland, chief counsel for the federal Cybersecurity and Infrastructure Security Agency (CISA), said that the Colonial attack “sparked” conversation inside and outside the government centered on incident reporting. According to Sutherland, there is legislation under consideration on Capitol Hill that would mandate incident reporting to CISA. He said that is a “direct result” of the Colonial Pipeline incident, as Congress felt that it was not reported in a “timely” manner.
The Transportation Security Administration also issued two security directives for owners and operators of critical pipelines in the aftermath of Colonial, which is the first time they have “really exercised their muscles in terms of regulating the pipeline industry,” added Sutherland.
TSA required owners and operators to “report confirmed and potential cybersecurity incidents” to CISA. They also needed to appoint a cybersecurity coordinator to serve as a single point of contact with federal officials 24/7, review their current cybersecurity practices, and report to TSA and CISA any cyber risks identified along with related mitigation measures. Additional requirements, developed alongside CISA, mandated implementing “specific mitigation measures” to protect against ransomware and other threats to information technology and operational technology systems; contingency and recovery plans; and a review of cybersecurity architecture design. (See TSA Issues New Pipeline Cybersecurity Requirements.)
Cancel commended Colonial for its “transparency” and managing “an incredibly complex issue.” Still, there are a lot of “disruptive technologies” that require time to design their security, which should be done ahead of installation, not after it, he said.