Motorists line up to get gasoline in Fayetteville, N.C., in mid-May after a ransomware attack caused Colonial Pipeline to shut down its system, resulting in fuel shortages on parts of the East Coast. (Sean Rayford/Getty Images)

Lessons From the Colonial Pipeline Attack: Heading Off Cyberthreats

By Daniel Shea | Oct. 26, 2021 | State Legislatures News

The country got a vivid reminder of its reliance on energy when the Colonial Pipeline Co. suffered a ransomware cyberattack in May. In response, Colonial Pipeline proactively shut down its extensive pipeline system, leaving much of the East Coast reeling from the drop in fuel supplies.

Puesh Kumar is the acting principal deputy assistant secretary at the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, or CESER (pronounced “Caesar”). The office, which plays a critical role in discovering and mitigating cyberthreats and orchestrating response efforts when disruptions occur, stepped in to assist Colonial with its recovery. “It’s important to build these partnerships during blue-sky days, so that when an incident does occur, you can quickly work together to mitigate any impacts,” he says.

Kumar, who began his career as an engineer focused on designing energy systems, was drawn to security with the arrival of the smart grid concept—digitizing the grid to improve reliability, safety and efficiency. “We started to think more about how this transformation could potentially expose us to cyberattacks,” he says.

He views the current drive for clean energy with both a sense of urgency and a recognition that it represents a strategic opportunity to ensure that cybersecurity is built in as a core component of new technologies, rather than an afterthought.

“We need to implement a coordinated cybersecurity strategy while thinking about how to also protect from sophisticated future threats,” he says.

Kumar talked with NCSL about an array of challenges on the cybersecurity front and the role states can play in combatting them.


Why is the energy sector such an important target for cyberattacks?

Energy is essential to our daily lives. It powers our national and economic security, and we could not operate our homes and businesses without it. Of course, our adversaries recognize that the energy sector is critical and that every other sector in the United States relies on it, whether it’s hospitals or water, transportation or communications.

From a cybersecurity perspective, we’ve been focused on IT systems. And this is still critical. But there’s potential for even more severe consequences from a cyberattack on operational technology or “OT” networks. These are the control systems that physically operate energy infrastructure and, if breached, could result in a physical, real-world impact, such as a power outage. Over time, we’ve seen OT and IT systems gradually converge. While their increasing connectivity has enhanced reliability, increased visibility and lowered costs, it has also elevated their susceptibility to potential cyberattacks.

What lessons did you learn from the Colonial Pipeline incident?

In the case of Colonial Pipeline, a ransomware attack came in through the traditional IT environment. Colonial shut down its pipeline system out of an abundance of caution to protect its OT network while it responded to the incident.

We worked very closely with Colonial throughout the entire response, which speaks to the trusted relationship that DOE has built with the company. We were on daily calls with them, the affected states and our interagency partners such as the Cybersecurity and Infrastructure Security Agency, the FBI, TSA and others, to ensure Colonial could bring the pipeline back up efficiently and effectively.

The incident highlighted the criticality of these partnerships. It was also a reminder for all of us on the importance of planning: For states, we’d encourage them to develop and maintain comprehensive state energy security plans and operational incident response procedures.

How does CESER help ensure coordination between these various stakeholders?

No. 1, it’s the partnerships. We partner with electricity and the oil and natural gas sectors, as well as state, local, tribal and territorial governments. We work with legislators, governors’ advisors, state energy offices, public utility commissioners and state organizations like NCSL. Along with these partnerships, we’re really focused on helping communities understand risk. When you understand risks—whether they’re manmade or natural—you can start planning around them.

Second is mitigating risk through the development of tools and technologies. We have invested over $240 million in cybersecurity research, development and demonstration projects focused on improving cyberthreat information sharing and detection.

In July 2021, President Biden announced an Industrial Control Systems Cybersecurity Initiative for the critical infrastructure community. The initiative, spearheaded by DOE, DHS and the electricity sector, aims to improve visibility, detection and response capabilities into critical energy infrastructure networks across the nation. More than 150 electric utilities—serving over 90 million Americans—have already joined this voluntary initiative. We’re excited about this progress and the Biden administration’s announced expansion into another energy subsector: natural gas pipelines.

What actions would you say state legislators should be considering to enhance energy sector cybersecurity?

First off, I just want to say that state legislators play a big role in energy sector cybersecurity. A good first step is ensuring that threat information is flowing. We know that sharing threat information across state agencies and with the private sector can be difficult, and each state may have its own process—but having a process in place is crucial. Legislators can consider developing mechanisms that promote cybersecurity threat intelligence sharing related to critical energy infrastructure. The goal is to have a well-defined, repeatable and trusted process, ensuring the right information is getting to the right people within the state through entities like the state fusion center.

Another potential action we’d point to is regular engagement between local and state government energy and emergency response officials along with energy sector owners and operators. Discussions should include ways to collectively address cybersecurity in the energy sector: the policies or programs that might help companies improve their cybersecurity measures, and how industry and government can work together to ensure energy companies are considering cybersecurity as part of their risk management portfolio. DOE has tools like the Cybersecurity Capability Maturity Model that can assist owners and operators with this conversation.

Lastly, empowering public utility commissions to be proactive to requests for new recovery mechanisms, as cybersecurity protections require investment in hardware, software and personnel.

One of the more common pieces of legislation that we’ve seen is making sensitive information exempt from FOIA requests. Are there other state bills or legislative actions that you’d like to highlight?

There are lots of great examples of states expanding open records exemptions to include cyber vulnerabilities as well as authorizing governors and state agencies to take certain actions to prepare for and respond to cyber emergencies. I’ll highlight two recent ones.

Georgia passed a bill earlier this year that includes measures to facilitate information sharing and reporting of cyber incidents. State legislators should definitely be exploring ways to facilitate information sharing, not only on a day-to-day basis, but also during an incident. This bolsters states’ and the federal government’s ability to mobilize response resources.

I know the Texas Legislature also passed a law requiring its public utility commission to initiate a cybersecurity monitoring program to manage the state’s cyber-preparedness program in the electric sector. The law also enables Texas utilities to recover the costs of cybersecurity activities required under the law, as it explicitly authorizes state utility commissioners to approve such investments.

We always encourage states to reach out to DOE to discuss these kinds of approaches. DOE, CESER and NCSL can work with you to figure out what works best for your state.

DOE maintains close relationships with energy and emergency response officials in state, local, tribal and territorial government. For more information, please visit CESER’s website.

This interview has been edited for length and clarity.

Daniel Shea is a program principal in NCSL’s Energy, Environment and Transportation Program.