Ransomware: Fulfilling new federal compliance obligations and assessing preparedness to thwart or respond to attacks

These articles appear in the June 2021 issue of The PIOGA Press.

By Shawn Morgan and Joseph Carpini
Steptoe & Johnson PLLC

The Colonial Pipeline is the largest fuel pipeline system in the United States. The Georgia-based company, owned and operated by Colonial Pipeline Company, transports about 45 percent of all fuel consumed on the East Coast, shipping gasoline, diesel fuel, jet fuel and other refined petroleum products from the Gulf Coast of Texas along 5,500 miles to northern New Jersey. On May 7, Colonial Pipeline suffered a massive ransomware attack. Ransomware attacks encrypt computer systems and seek to extract payments from the system operators in exchange for a key to regain access to the sensitive data. DarkSide, a hacker group believed to have roots in Eastern Europe, is thought to be the culprit.

On the morning of May 7, a Colonial Pipeline employee found a ransom note from the hackers on a control-room computer. The company’s CEO, Joseph Blount, later confirmed that Colonial elected to make a $4.4 million ransom payment because executives were uncertain how badly its systems had been breached and how long it might take to restore operations. Due to the immense potential impact of an extended shutdown of the transport of so much fuel to the East Coast, the company believed it was necessary to restore operations as soon as possible; however, despite making the ransom payment, the decryption tool provided by the hackers proved insufficient to immediately restore operations, and the pipeline was shut down for six days.

Although the federal government is not often involved in responding to private sector cyber-attacks, the Cybersecurity and Infrastructure Security Agency (CISA) quickly sought information from Colonial Pipeline about the attack, due to its widespread impact, in an attempt to learn how the attack had occurred and to take steps to ensure hackers could not repeat the attack in the future.

Colonial Pipeline elected to share information with CISA, as well as the FBI and the U.S. Department of Energy; however, in the weeks since the attack, other federal agencies have acted to mandate information sharing under certain circumstances. Businesses must be mindful of how these new compliance obligations may impact their work.

United States’ response

Executive Order 14028. Largely in response to this attack, as well as the recent cyber-attacks on SolarWinds and Microsoft Exchange, President Biden issued Executive Order 14028 on May 12, with the broad goal of improving cybersecurity defenses. The executive order calls for updated contract language for IT service providers contracting with the federal government, in order to remove contractual barriers preventing those service providers from sharing information with the government. The order also requires those providers to share breach information that could impact government networks. By updating the federal government’s cybersecurity standards and establishing baseline security standards for development of software sold to the government, the Biden administration hopes for a trickle-down effect to improve private sector security standards and to enhance businesses’ security performance.

Specifically, the executive order creates a “standardized playbook” for cyber incident response by federal departments and agencies, increases efforts to detect malicious cyber activity on federal networks, and establishes a Cybersecurity Safety Review Board. The Cybersecurity Safety Review Board is to be co-chaired by government and private sector leads and may convene to analyze significant cyber incidents and recommend steps to prevent repeat incidents, similar to the way the National Transportation Safety Board issues reports after airplane crashes. Federal legislation also has been introduced in a further effort to prevent future ransomware attacks on the country’s energy infrastructure.

FERC. Even before the Executive Order was finalized, the Federal Energy Regulatory Commission (FERC) issued a statement on May 10, urging renewed action to secure and safeguard the nation’s energy infrastructure. Chairman Richard Glick noted that although FERC “has established and enforced mandatory cybersecurity standards for the bulk electric system” for over 10 years,

there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States. It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.

It appears that these comments by FERC’s chair spurred the Transportation Security Administration (TSA) to enact new mandates for critical pipeline and natural gas facility owners and operators.

TSA. On May 28, the TSA issued a directive, effective until May 28, 2022, pursuant to its authority under 49 U.S.C. 114(d), (f), (l) and (m). The directive requires critical pipeline and natural gas facility owners and operators to take three steps. First, they must report cybersecurity incidents to CISA within 12 hours of identifying the incident. Second, owners and operators must designate a cybersecurity coordinator who is required to be available to TSA and CISA at all times to coordinate cybersecurity practices and address any incidents that arise. Finally, those owners and operators are required to review their current activities against TSA’s pipeline cybersecurity recommendations to assess cyber risks, to identify gaps in their activities and develop remediation measures, and to report the assessment results to TSA and CISA. The directive indicates that TSA determines whether a pipeline or facility is “critical” based upon a number of factors, including volume of product transported, service to other critical sectors, etc., referring to section 1557(b) of the Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. 110-53 (121 Stat. 266; Aug. 3, 2007) (9/11 Act) (codified at 6 U.S.C. § 1207).

DOJ. On June 3, the United States Department of Justice (DOJ) sent internal guidance to U.S. Attorney’s offices throughout America, requiring investigators in those offices to share details of their investigations with federal authorities. DOJ will seek to elevate investigations regarding ransomware attacks to the same priority currently given to terrorism-related matters.

Important considerations for the private sector

Compliance obligations related to information sharing. As the federal government sharpens its focus on proactively combatting ransomware attacks, businesses must be vigilant in monitoring the evolution of directives, regulations and policies. Particularly, TSA’s edict imposes significant reporting obligations on critical pipeline and natural gas facility owners and operators. Likewise, Executive Order 14028 places similar responsibilities on IT service providers contracting with the federal government. Understanding these requirements―or seeking advice of counsel if it is unclear whether the directives apply―is key to ensuring compliance with the law. Compliance, in turn, improves preparedness.

Preparedness. Because ransomware attacks threaten all companies, large or small, businesses can, in addition to following information sharing rules where applicable, take discrete steps to prepare for the unfortunate possibility of being the subject of such an attack. First, businesses should plan how they will respond in the event they are targeted by ransomware. Conducting a tabletop exercise, in which essential staff gather to discuss a simulated attack, is a good way to assess preparedness. Discussion topics can include, but are not limited to:

―availability of backups to restore damaged computer networks,

―the time and expertise needed to install the backups and restart operations,

―whether the company is willing to pay a ransom instead to regain access to its systems,

―the maximum ransom it may be willing to pay,

―who is qualified to “negotiate” the ransom, and

―how to handle media inquiries and customer/investor communications.

Involving counsel and board representatives in the tabletop exercise also aids in getting the most robust plan in place.

In addition to the internal dialogue in planning how to respond to a ransomware attack, businesses also should assess the extent to which they would be willing to share ransomware attack information with the government, beyond what may be required by law. In the past, companies have been less willing to share private information of this type; however, as cyber-attacks become more sophisticated and inflict more economic and reputational damage, businesses may find that information sharing mitigates these negative consequences, and may even reduce the likelihood of possible attack.

Finally, when anticipating the possibility of a paralyzing ransomware incident, businesses should evaluate the sufficiency of the resources they have in place to remediate the breach. Considering the scope of the attack and the sheer size of the Colonial Pipeline system, the speed with which Colonial was able to restore operations suggests that it had effectively prepared and had significant resources in place to respond. When considering how to respond to a ransomware attack, businesses also should contemplate:

―applicable insurance coverages and limits,

―technical safeguards on computer networks and systems,

―third-party vendor security issues,

―the advance engagement of a cybersecurity vendor to help restore systems to full operations as quickly as possible, and

―what training employees might need now to minimize the possibility of falling prey to phishing schemes that can introduce ransomware.

Counsel can provide pre-incident guidance and can review insurance policies and third-party vendor agreements. In the event of an attack, the business should contact outside counsel immediately for assistance in investigating and remediating the situation.

Although cyber-attacks pose a real and significant risk, a company can best protect itself through advance planning, preparedness, and by engaging with experienced counsel.

Shawn A. Morgan (shawn.morgan@steptoe-johnson.com) leads the Cybersecurity Team at Steptoe & Johnson PLLC.

The Colonial Pipeline cyberattack: Now it is your turn to outrun the bear

By Steve Franckhauser and Joe Baran
Bertison-George, LLC

Immobilized by ransomware and bereft of an incident response and recovery plan (IRRP), the Colonial Pipeline people find themselves in a ghoulish situation. Either they pay an exorbitant ransom or perish. And if the ransom is paid, they face the onslaught of suits, claims and congressional oversight that almost always follows an avoidable, but public catastrophe.

It is too late to help them, but it is not too late to lay your data protection foundation and create your IRRP. As the old expression goes, you do not have to outrun the bear, you only must outrun the person next to you. Well, the person next to you is gone and the bear has you in its sights.

Who is the bear?

Who wants to do you harm? The sad answer is that there are too many foes to count, but some of the usual suspects are set forth below.

  • Your competition
  • Enemies of your industry
  • Disgruntled employees
  • Scorned vendors
  • Terrorists
  • Copycats
  • Contractual opportunists
  • Market speculators

All the excuses are gone, and surprise is an invalid and poor reason to ignore data protection, including data and cybersecurity. The lack of a single substantive federal law on data protection has comforted some: most states lead with data protection for consumers, while the self-regulating industries collectively hold their breath and hope, pray, and wish that catastrophe hits another business.

The energy sector is one of 13 separate and distinct sectors long ago identified as a prime target for data attack, cyber infiltration and conflagration. The industry has focused heavily on remote/digital monitoring and has in many cases far exceeded efficiency and cost reduction expectations. Those gains have created multiple system access points. Nearly all system operators (power grid, pipelines, generators, production wells, etc.) have several digital touch points. All of these advancements have risks associated with them. As with all risks, companies need to develop and/or review their mitigation strategies.

As we long ago professed, an attack on your business is not a matter of IF; it is a matter of WHEN.

Preparation mandates you formulate and/or enhance an IRRP.

In 2010, with amendments in 2015, the US Department of Energy in conjunction with the Department of Homeland Security set forth the “Energy Sector Specific Plan” as an amendment to its National Infrastructure Protection Plan.

In its preface, the plan states as follows:

The Energy Sector is sure to face new challenges in the future, and new opportunities and pathways will develop over time. Several areas are certain to require further efforts, including: the resilience of supply chains, interdependencies between the Energy Sector and other sectors, analyzing the Energy Sector as a system, preparation for high impact but low probability events, development, and implementation of meaningful metrics to assess sector progress, as well as the challenge of ensuring cybersecurity. The sector will also face continuing challenges from both natural and manmade events, both foreign and domestic. (Emphasis supplied).

Defending against data theft, cyberattacks and proprietary sabotage requires a full appreciation of the following realities:

  • Your organization is a target.
  • No defense is impenetrable.
  • Vigilance is a requisite element to defending against threats.
  • Unless your organization has a response and recovery plan, you are doomed to fail.
  • Financial protections must be put in place to ensure continuity of commerce.

What must your organization do?

Because data protection is not a “one size fits all” endeavor, each process and IRRP must be tailored to your business.

  1. Identify your business goals and data profile.
  2. Identify your organizational assets, systems, and networks.
  3. Assess your relative business risks and insurability.
  4. Prioritize your infrastructure based on your unique energy industry profile and position.
  5. Develop and implement protective programs and resilience strategies.
  6. Measure your program’s effectiveness and weaknesses.
  7. Ascertain R&D necessities and create data protection plans commensurate with same.
  8. Determine, manage and coordinate SSA (Sector-Specific Agency) activities.

Finally, ponder these facts and decide if addressing this issue is worth your time:

  • Colonial Pipeline has an IT team in place, yet they got hit with ransomware.
  • In Q3 of 2019, the average ransom payment increased by 13 percent to $41,198 compared to $36,295 in Q2 of 2019.
  • The average cost of business downtime for SMBs in 2019 came to $141,000.
  • Contractual force majeure clauses do not include ransomware attacks.
  • You have spent a lifetime building a business reputation.
