Cyberattacks and similar threats to energy infrastructure can create significant economic and public safety risks, as demonstrated by recent attacks targeting both small and large energy providers.
In May 2021, the Colonial Pipeline Company was hit by a major ransomware attack that affected the pipeline’s digital systems; the hackers likely gained access through a compromised password. To prevent further spread of the malicious software, the company proactively shut down the pipeline, which runs from Texas to New York and supplies about half of the refined oil products for the East Coast. As the pipeline serves as a major energy conduit, the Biden administration deemed the attack a national security threat and declared an emergency. The same month, the Biden administration issued an executive order directing U.S. government agencies to take a series of proactive steps to bolster cybersecurity. The Transportation Security Administration has continued to take steps to improve the security of energy infrastructure, revising and reissuing cybersecurity requirements for oil and gas pipeline owners and operators in July 2022.
In November 2021, a Colorado utility serving about 35,000 customers was affected by a malicious cyberattack. The attack took many of its billing, processing, and other systems out of operation for more than a month, although there was no impact or disruption to its physical operations or service delivery. The breach highlights that malicious actors are targeting a range of energy infrastructure. Smaller utilities and infrastructure operators with limited resources to mitigate and recover quickly from attacks may benefit from state support and guidance to implement cybersecurity best practices.
The threat of government-sponsored cyberattacks on utility infrastructure has also become more apparent. The Federal Bureau of Investigation and U.S. Department of Homeland Security warned in February 2022 that the war in Ukraine could lead to attempted Russian attacks on U.S. critical infrastructure networks, including energy infrastructure. Russia exhibited this capability in late 2015 when it executed a coordinated, synchronized cyberattack that infected Ukrainian power companies’ systems with malware, causing power outages for over 200,000 customers across the country.
There is also the ongoing threat of supply chain compromise. In 2019 and 2020, the SolarWinds breach allowed hackers to gain access to the networks and systems of SolarWinds’ customers, which include various federal government agencies. The attack, perpetrated by the Russian Foreign Intelligence Service, raised U.S. policymakers’ awareness of the impact a comparable breach could have on America’s critical infrastructure. The federal government responded in December 2020 with an emergency mitigation directive for federal agencies whose software had been compromised and activated a coordination group within the executive branch.
State legislatures have taken major action to bolster the cybersecurity of their energy infrastructure amid new and increasing threats. Some measures have sought to increase energy cybersecurity investments from the public and private sector, including through PUC incentives and programs to leverage state and federal grants along with local funding. Several states are taking steps to create or expand state agency authorities to better deal with cyber threats. This could mean the creation of a new cybersecurity agency, or the expansion of existing authorities—namely disaster powers—to include cyber threats.
Strengthening Protections and Penalties for Cyber Offenses
Alaska HB 3 (enacted, 2022) includes cyberattacks as well as a credible or imminent threat of a cyberattack in the state’s definition of disaster. This could help state authorities respond quickly to threats as they arise by allowing the governor to fully activate the state’s emergency response options and opening up state funding for repairs and emergency protective measures.
Illinois HB 3523 (enacted, 2021) included cyberattacks in the state’s definition of “disaster,” opening up disaster funding for responding to cyber threats.
Iowa HB 2461 (failed, 2022) would have defined the crime of ransomware and explicitly prohibited attempts to interrupt or impair the functioning of electricity and natural gas systems.
Maryland HB 1339 (failed, 2022) would have created a Critical Infrastructure Cybersecurity Grant Program to leverage funds from federal, state, and local grant programs for critical infrastructure cybersecurity improvements, and tasked the Department of Emergency Management with identifying funding. It also would have required certain cybersecurity practices and the development of regulations to protect the public from cyber threats.
Tennessee SB 2282 (enacted, 2022) requires utilities, including co-ops and municipally-owned utilities, to prepare and implement a cybersecurity plan to protect their facilities and related electronic data, and requires plans to be updated every two years to address new threats.
Texas SB 2116 (enacted, 2021) prohibits the state from contracting with certain foreign-owned companies for critical infrastructure projects—e.g. communication infrastructure, cybersecurity systems, electric grid projects, hazardous waste treatment systems, or water treatment facilities—in part due to cybersecurity concerns.
Washington HB 2044 (failed, 2022) would have expanded the state’s ransomware protection measures.
Creating New Government Cybersecurity Agencies and Authorities
Colorado HB 1236 (enacted, 2021) augments the membership of the cybersecurity council and updates the state’s cyber operations center to better support state and federal information sharing following recent cyberattacks on both energy and transportation infrastructure in Colorado.
Indiana HB 1274 (failed, 2022) would have created a Volunteer Cyber Civilian Corps with experts that could help the Office of Technology with rapid response to cyberattacks.
Massachusetts SB 2088 (pending, 2021) would establish a cybersecurity control and review commission that includes one member with expertise in utility cybersecurity. Among other duties, the commission is tasked with developing utility sector-specific cybersecurity recommendations.
Texas HB 4196 (failed, 2021) would have required the PUC to develop and provide guidance on cybersecurity practices, and HB 4397 (failed, 2021) would have required additional monitoring around cybersecurity preparedness and implementation of training and best practices by utilities in the ERCOT power region.
Utah HB 280 (enacted, 2022) creates a new Cybersecurity Commission to identify and inform the governor of cyber threats and vulnerabilities affecting Utah’s critical infrastructure, and to analyze current cyber incident response capabilities and consequences in the event of a cyberattack.
States are focused on how to protect their energy infrastructure through data and information sharing between the private sector and government agencies responsible for threat prevention and response. Four states enacted new laws between 2021 and 2022 that require utilities to report on cyberattacks. One state has pursued a different approach, with policies that shield certain information about cybersecurity plans and threat responses from public disclosure to protect the security of public agencies, facilities, and related cybersecurity procedures and practices.
Kansas HB 2292 (failed, 2021) would have expressly exempted public agencies from disclosure and open records requirements as they relate to certain cybersecurity plans and information. These measures can help ensure oversight of cybersecurity and related threats, while keeping sensitive details about agencies’ cybersecurity practices private.
New York AB 3904 (passed, 2022) would allow the state Public Service Commission to audit gas and electric corporations to ensure adequate cybersecurity protections and procedures.
North Dakota SB 2313 (enacted, 2022) requires the North Dakota Transmission Authority to issue an annual report to the legislative council and the industrial commission on the resilience of the grid in the face of a range of challenges, including cyberattacks. It also requires electric utilities to report to state regulators annually on their cybersecurity measures and emerging threats.
Texas SB 3 (enacted, 2021) and Georgia HB 156 (enacted, 2021) both require reporting and information-sharing from utilities to the PUC related to power outages and cyberattacks, as well as require the PUC to provide certain information to other state agencies. Georgia further requires sharing information with state and federal law enforcement.