The Transportation Security Administration, which has regulatory authority over pipeline cybersecurity, recently issued a directive that would require pipelines to quickly report attacks to a cybersecurity division of the Department of Homeland Security. The Biden administration also has ordered agencies to improve their efforts to detect attacks and to strengthen their partnerships with private industries, and several cybersecurity-related bills are moving through Congress.
Meanwhile, Joseph Blount, chief executive of Colonial Pipeline Co., the target of the May attack, has defended his decision to pay ransom of $4.4 million in cryptocurrency to the attack’s perpetrators, saying he needed every tool at his disposal to restore the 5,500-mile pipeline’s systems. The Federal Bureau of Investigation for years has advised companies not to pay when hit with ransomware, a type of code that takes computer systems hostage for payment, because it supports a booming criminal marketplace. The Justice Department said last month it recovered about $2.3 million worth of the cryptocurrency.
The attack on Colonial Pipeline showed the vulnerability of the nation’s vast energy infrastructure and has spurred debate over how the U.S. and the oil-and-gas industry can better protect critical infrastructure against assaults.
The Wall Street Journal spoke with three experts in oil-and-gas cybersecurity about how companies, regulators and policy makers can advance the security of the nation’s energy infrastructure. Jim Guinn is global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture Security. Suzanne Lemieux is manager for operations security and emergency-response policy for the energy trade group American Petroleum Institute. Chris Bronk is associate professor of computer information systems and information system security at the University of Houston. Here are edited excerpts of the conversation:
WSJ: How can companies and the government make the energy industry more resilient against cyberattacks?
MS. LEMIEUX: We need to have a better information-sharing process from government agencies to private companies. There’s a lot of intelligence coming through right now that just doesn’t make its way to private-sector operators who need it to make better defenses for their systems. We’ve seen a security directive from TSA that requires incident reporting. We want to make sure there’s a process in place on the government side to anonymize and share that information back with the sector so that we know what the current threats are. It takes months to declassify things. We need to really improve how they’re postured to share with the private sector.
MR. BRONK: There’s been a real mania about cyber intelligence, and a lot of emphasis on information sharing. But the fundamental issue is getting the intelligence community to move information around. Declassifying intelligence and rapidly kicking it out to entities that don’t have the capacity to process classified information is just impossible. It’s not going to get better. When the Ukraine power-grid hack happened in 2015, we waited months for Homeland Security to give us a finalized assessment, and it was essentially something that other smart people had put together long before.
If an industry wants to protect itself, it’s going to have to adopt an industrial-related set of activities. This has to be the kind of event that an organization prepares for regularly, that it drills on.
WSJ: For oil-and-gas pipelines, there’s no equivalent to the North American Electric Reliability Corp., or NERC, which regulates parts of the utilities sector’s cybersecurity and imposes fines on companies that do not meet certain standards. Should the U.S. government create a similar body to ensure oil and gas companies have minimum standards?
MS. LEMIEUX: The oil-and-gas industry is very different for many reasons from the electric sector. The utilities don’t have the antitrust issues and the competitive markets that we have in the oil-and-gas industry. There’s a very long supply chain in oil and gas, a lot of different company structures, from individual owner operators to integrated companies, and lots of complexity that we see as much more difficult to cover with one standard or one regulation. We would not want to see a monolithic approach to this, because it just wouldn’t work.
TSA does have regulatory authority to regulate pipeline cybersecurity. They have chosen in the past to do it through guidelines, which the industry worked on with them. We’re hearing that the TSA is going to issue a second directive, and that some of these directives will have fines if you’re found in violation. There’s a misconception that operators won’t take steps to protect against cyber threats unless they are mandated to by regulators. That overlooks the fact that companies across all industries have a business incentive to protect their data and operations from malicious actors.
MR. BRONK: The TSA directive is not a radical piece of regulation. It basically says, consult with the federal government. When you look at the grand struggle for having capacity to do cybersecurity in the federal government, TSA is just really far down the ladder. The question is whether it will create something that looks a lot like NERC’s critical-infrastructure-protection plan. That’s up to Transportation Secretary Pete Buttigieg, who is focused on infrastructure renewal. There aren’t teeth there. But with each of these incidents, the capacity for rule-making and regulation will increase.
The industry has had an incredible aversion to regulation. The oil-and-gas industry was born out of the breakup of Standard Oil. Government changed the industry radically and I think that probably left a deep mark on the culture of the companies that were the successors to Standard Oil.
MR. GUINN: There need to be standards that we adhere to, for the minimum security control. Everybody should have a baseline. If you achieve resilience beyond that, you should be incentivized for it, not penalized. If this turns into an audit exercise, you will be less successful.
WSJ: What else can U.S. agencies do to improve public policy on energy cybersecurity?
MR. GUINN: An integrated energy company can deal with wind, solar, oil and gas, refining, pipelines, trains and terminals. If you look at all of that, how many different agencies are you having to respond to if you have a material situation? The Department of Energy, Homeland Security, the Pipeline and Hazardous Materials Safety Administration, the Coast Guard. There are so many that there is confusion. Every dollar you spend on coordination across all those agencies is $1 you could have spent to become more cyber resilient. I would love to see there be just one entity that can help the energy industry.
WSJ: Why are ransomware attacks against the energy industry increasing?
MR. GUINN: Because many organizations are paying the ransoms. Our threat-intelligence team’s report on the energy industry, meaning everything outside of utilities, found that when you compare the full year 2020 to the first five months of 2021, there was a 42% increase in publicly known ransomware attacks against energy companies. It went from 19 last year to 27 from January to May.
We have energy moving from 10th-most-targeted industry last year to No. 4 this year. Once an industry starts paying, attacks increase. In the year since the pandemic started, in March 2020, we saw eight out of 10 operational technology cybersecurity programs canceled, reduced or deferred. They know they have to have cyber resilience. But when commodity prices get so distressed, so fast, you have to make a business decision about what spending you could stop. That’s a perfect storm.
WSJ: What’s your stance on whether companies should or should not pay the ransoms?
MR. BRONK: Many of these ransoms are a rounding error for companies. It’s like that Austin Powers scene where Dr. Evil says “we’re going to hold the world ransom for $1 million,” and everyone is like, that’s not very much money. The ransomers are going where the payouts are. And these ransomers have gotten pretty businesslike. The outcome of paying the ransom and getting the keys to unlock your stuff has gotten a lot better. But still, every ransom that gets paid is legitimizing this illegal business activity.
MR. GUINN: When you’re dealing with critical infrastructure, every business needs to make the determination if they would pay. When you ask energy companies, do you have a cyber incident response plan, the answer is usually yes. But do you have a strategy and business imperatives laid out for what will trigger you to pay? Most say no. You don’t want to be faced with that decision in the throes of an actual event. You need to tabletop it. You need to exercise it. You need to debate it internally. You need to be able to figure out what your protocols would be to determine whether you would or would not pay.