September 29, 2024
Glick Calls for Pipeline Cyber Standards After Colonial Attack
Group Blamed for Intrusion Claims No Government Connection
A jet flies over a fuel storage facility operated by Colonial Pipeline. The ransomware attack against Colonial in May resulted in the weeklong shutdown of the company's entire pipeline network, disrupting fuel supplies across the U.S. East Coast. | Colonial Pipeline
In the wake of the ransomware attack on Colonial Pipeline, FERC Chairman Richard Glick called for mandatory cybersecurity standards for pipelines.

In the wake of the ransomware attack Friday on Colonial Pipeline that shut off almost half the supply of gasoline, diesel and other fuel products for the eastern U.S., FERC Chairman Richard Glick and Commissioner Allison Clements on Monday called for “mandatory cybersecurity standards,” similar to NERC’s Critical Infrastructure Protection (CIP) standards, to cover the nation’s 3 million miles of natural gas, oil and hazardous liquid pipelines.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever increasing number and sophistication of malevolent cyber actors,” Glick and Clements said in a statement. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

Service Restoration Underway

Colonial said on Monday that it has begun restoring the 5,500 miles of pipelines that it shut down on Friday to normal service “in a phased approach” with the goal of “substantially restoring” operations by the end of the week.

In a statement, Colonial — which claims to transport more than 100 million gallons of petroleum products daily, supplying about 45% of all fuel consumed on the U.S. East Coast — described its restoration plan as “an incremental process … based on a number of factors with safety and compliance driving our operational decisions.” All four of the company’s main lines have been offline since Friday, when Colonial shut down all of its pipeline operations as a means of containing the threat.

A jet flies over a fuel storage facility operated by Colonial Pipeline. Colonial claims to transport 100 million gallons of fuel daily, including providing jet fuel directly to seven airports. | Colonial Pipeline

In response to the shutdown, the U.S. Department of Transportation issued a regional emergency declaration on Sunday covering 17 states and D.C., temporarily waiving overtime limits and sleep requirements for drivers transporting fuel between distributors and gas stations in Colonial’s footprint. The declaration will remain in effect through June 8 or the end of the emergency, whichever comes first.

European Criminals Linked to Attack

Also on Monday, the FBI officially linked the original ransomware attack with the cybercrime group DarkSide, believed to be based in Eastern Europe.

There is little public information about DarkSide. Cybersecurity firm Cybereason describes the group as “a relatively new player in the game of ransomware” that emerged last August and possesses a reputation for “professional and organized” operations, including a help desk for negotiating with victims. It operates via a “ransomware-as-a-service” model, under which a core group develops and operates the ransomware while recruiting affiliates to break into networks and deploy it.

The group portrays itself as a Robin Hood of sorts: It claims to target only large and profitable companies; forbids its affiliates from attacking hospitals, schools and public sector organizations; and even promises to donate a portion of its ransom proceeds to charity. It also prohibits affiliates from targeting former Soviet republics.

Colonial operates 5,500 miles of pipe across 14 states in the U.S. | Colonial Pipeline

DarkSide’s ransomware targets domain controllers — servers that authenticate users, store user account information and enforce security policies within a computer network domain. It first collects files, credentials and other sensitive information and sends them back to the attackers. It then encrypts the affected files and sends a message to the target demanding payment in order to release the decryption key, threatening to publish the copied information if the payment is not made.

Traditional ransomware operations include only the encryption step, and that threat can be neutralized if the victim wipes its systems and restores from clean backups. DarkSide’s added threat of publication means that companies may still face the release of sensitive information even if they refuse to pay the ransom, because backups do nothing to recover data that has already left the network.
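The encryption step described above is detectable on the defender's side before a ransom note appears: files that were readable text suddenly become near-uniform random bytes, and Shannon entropy makes that visible. The following Python is an added example written for this page, not code from Colonial, DarkSide or any vendor named in the article. It snapshots per-file entropy for a directory tree, then flags files whose entropy jumped above a threshold between two snapshots. The sample files, the 7.5 bits-per-byte threshold and the "encrypted" content (simulated with a uniform byte pattern rather than a real cipher) are all constructed assumptions.

```python
"""Entropy-based check for bulk file encryption (added example, not from the article)."""
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: encrypted or compressed data sits close to 8.0 bits/byte,
# while natural-language text and most documents stay well below it.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: Path) -> dict:
    """Map each regular file under root (relative path) to its entropy."""
    snapshot = {}
    for path in root.rglob("*"):
        if path.is_file():
            snapshot[str(path.relative_to(root))] = shannon_entropy(path.read_bytes())
    return snapshot


def flag_newly_encrypted(before: dict, after: dict, threshold: float = HIGH_ENTROPY) -> list:
    """Files that crossed the entropy threshold between two snapshots.

    A file that was already high-entropy in `before` (a zip, a JPEG) is not
    reported, which keeps legitimately compressed data from causing noise.
    """
    return sorted(
        name for name, entropy in after.items()
        if entropy >= threshold and before.get(name, 0.0) < threshold
    )


def build_demo() -> tuple:
    """Constructed sample: two text files, then one overwritten with
    simulated ciphertext (a uniform byte pattern, entropy exactly 8.0)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(b"quarterly throughput figures\n" * 100)
        (root / "notes.txt").write_bytes(b"maintenance schedule for line 1\n" * 100)
        before = scan_tree(root)
        # Simulate the encryption step: report.txt becomes uniformly distributed bytes.
        (root / "report.txt").write_bytes(bytes(range(256)) * 16)
        after = scan_tree(root)
    return before, after


if __name__ == "__main__":
    before, after = build_demo()
    for name in sorted(after):
        print(f"{name}: {before[name]:.2f} -> {after[name]:.2f} bits/byte")
    print("newly high-entropy:", flag_newly_encrypted(before, after))
```

In practice the two snapshots would come from a baseline inventory and a periodic or event-driven rescan, and the interesting signal is a burst of many files crossing the threshold in a short window rather than any single file. This check only covers the encryption stage; the exfiltration that precedes it, which the article notes backups cannot undo, has to be caught separately through egress monitoring.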

A press release on Monday, purportedly from the DarkSide group and cited by several media sites, claimed that the organization does not “participate in geopolitics” and is not involved with any government. The group said it does not want to create “problems for society” and pledged “from today” to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Pipeline Cybersecurity a Frequent Concern

The cybersecurity of North American pipelines has been an ongoing concern for federal officials. In 2018 the Government Accountability Office issued a report criticizing the Transportation Security Administration, which oversees the pipeline system, for failing to keep its risk assessment up to date or to focus on the most important skills in its workforce, including cybersecurity expertise. (See GAO Critical of TSA Pipeline Security Efforts.)

The following year, then-Chairman Neil Chatterjee joined then-Commissioner Glick in an op-ed calling on Congress to reassign responsibility for pipeline security from the TSA to a new agency. (See TSA Defends Pipeline Security Practices Before FERC.)

The U.S. Intelligence Community has also warned of vulnerabilities to pipelines from foreign actors, noting in 2019 that China is capable of launching cyberattacks that could disrupt a natural gas pipeline “for days to weeks.” (See Senators Call for Urgency on Energy Cybersecurity.)
