US Energy Secretary Jennifer Granholm made an astounding – but sadly not surprising – admission in early June 2021. When asked whether US adversaries have the capability of interrupting the electricity grid she simply answered, ‘Yes they do', adding ‘I think there are very malign actors who are trying. Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector, generally'.Footnote1
Granholm's words were astounding because the US government has known for years that cyberattacks on key infrastructure were going on. And yet they were not surprising because obviously not enough has been done to protect against such attacks.
Almost exactly three years ago, a journal editorial raised the matter of prioritising cybersecurity in the energy sector.Footnote2 As the editorial pointed out, ‘[T]he US electricity grid, which has been referred to as the “largest interconnected machine” in the world, consists of “more than 7,000 power plants, 55,000 substations, 160,000 miles of high-voltage transmission lines and millions of miles of low-voltage distribution lines”’.Footnote3 While it is true that the system has not yet suffered a catastrophic attack, Granholm’s words are hardly comforting.
Organisations around the world are also concerned about this issue. For example, in the World Economic Forum’s Global Risk Report 2020, cyberattacks on critical infrastructure including the energy system were rated the fifth top risk.Footnote4 And the International Energy Agency has said that for electricity systems in particular, ‘the threat of cyberattack is substantial and growing, and threat actors are becoming increasingly sophisticated at carrying out attacks – both in their destructive capabilities and their ability to identify vulnerabilities’.Footnote5
Moreover, earlier this year Reji Kumar Pillai, head of an Indian think tank that advises utilities, regulators and government on energy issues, said, ‘India’s power system is in urgent need of proper cybersecurity systems. Both the state and the central governments need to treat this with utmost urgency, without waiting for a disaster to happen’.Footnote6
The concern about cyberattacks on US energy infrastructure increased exponentially in early May with the announcement that a pipeline that supplies the US East Coast with almost half its jet fuel and gasoline had been shut off by a cyberattack. For several days operator Colonial Pipeline Company shuttered the entire system as a result of the ransomware effort.Footnote7 In describing the incident, Robert Campbell of the consultancy Energy Aspects said, ‘This is definitely not a schoolboy prank. This is a highly sophisticated attack on a piece of critical infrastructure’.Footnote8
As The New York Times reported, ‘The audacious ransom attack that shut down [the Colonial] fuel pipeline and sent Americans scrambling for gasoline in the Northeast … was not the first time hackers have disrupted America’s aging, vulnerable infrastructure. And it’s unlikely to be the last’.Footnote9 The Times went on to report, ‘Despite years of warnings, America’s vast network of pipelines, electric grids and power plants remains acutely vulnerable to cyberattacks with the potential to disrupt energy supplies for millions of people’.Footnote10 Furthermore, Chris Krebs, former director of the US Department of Homeland Security (DHS)’s Cybersecurity and Infrastructure Security Agency in the Trump administration, said, ‘If there was any remaining question as to whether cybercrime and ransomware in particular was a national security threat, I think that question resolved itself’ – referring to the Colonial pipeline shutdown.Footnote11
A few days after the attack, Colonial Pipeline paid a ransom of $4.4 million to restore its systems,Footnote12 and in early June the US Department of Justice seized about half of that payment.Footnote13 Nevertheless, the entire episode was a stark reminder of the vulnerability of the US energy system. In the wake of the cyberattack, President Joe Biden issued an executive order,Footnote14 on 12 May 2020, aimed at improving the nation’s cybersecurity.Footnote15 Among other things, the order calls for a Cybersecurity Safety Review Board, co-chaired by private sector and government leads, that may convene to analyse and make cybersecurity recommendations after a significant cyber incident; modernises and implements stronger cybersecurity standards for the federal government; and implements a more stringent software supply chain security system by establishing ‘baseline security standards for development of software sold to the government’.Footnote16
The cybersecurity executive order garnered ‘widespread praise’ from cybersecurity experts and lawmakers alike, ‘who have long called for massive overhauls to cybersecurity policy’.Footnote17 Ari Schwartz, a former cybersecurity official in the Obama White House and current cybersecurity services managing director at the Venable law firm, welcomed the order and said, ‘It is broad enough that it will also have some impact on protecting critical infrastructure and other organizations including improving software standards’.Footnote18 Meanwhile, Senator Mark Warner (Democrat-Virgina) provided a cautionary observation, saying,
[T]he United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage. This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities.Footnote19
The day after Biden signed the executive order, bipartisan legislation aimed at boosting US preparedness for businesses and local governments was introduced in the US Congress. The Cybersecurity and Infrastructure Security Agency Cyber Exercise Act, introduced by Congressman Mike Gallagher (Republican-Wisconsin) and Congresswoman Elissa Slotkin (Democrat-Mississippi), would create new ways for American businesses and government to test critical infrastructure against cyber threats as well as establish a National Cyber Exercise Program to test the US response plan for major incidents.Footnote20 Slotkin said the Colonial Pipeline event had ‘clearly shown that cybersecurity is no longer just a “tech” issue – it’s at the very heart of protecting the systems that power our daily lives as Americans’, adding, ‘This bill can be a step in ramping up [coordination between state and local governments and private businesses], ensuring that our government is preparing for the full range of cyber threats, and providing our communities and businesses the tools they need to be secure and resilient’.Footnote21
In late May the DHS followed up with a ‘first-of-a-kind’ cybersecurity directive for the pipeline industry.Footnote22 Pursuant to the directive, ‘critical pipeline owners and operators’ will be required ‘to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency … and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week’.Footnote23 In announcing the directive, US Secretary of Homeland Security Alejandro N Mayorkas said, ‘The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security’.Footnote24
The attack on the Colonial pipeline was hardly the first of its kind in terms of energy-related infrastructure. In 2020, a ransomware attack caused a natural gas compression installation to shut down for two days, and in 2018 an attack caused service disruptions for the operators of a number of natural gas pipelines.Footnote25 Even ‘bigger risks lurk’, The New York Times reported, referring to a 2016 attack that caused significant parts of the Ukrainian power grid to collapse in what is believed to be the ‘first international blackout triggered by a cyberattack’.Footnote26
Energy experts have said that US grid operators and electric utilities are ‘typically further ahead in preparing for cyberattacks than the oil and gas industry, in part because federal regulators have long required cybersecurity standards for the backbone of the nation’s power grid’.Footnote27 Nevertheless, because of the grid’s complexity, it may still be susceptible to an attack because of the sheer number of utilities that are part of the grid and their ‘varying’ procedures when it comes to cybersecurity.Footnote28
The calls for US companies managing critical systems to improve their cybersecurity procedures are not new, but the lack of success in many instances reflects the enormous impact of lobbying in Washington, DC. In 2012, Congressional efforts to mandate minimum cybersecurity standards for these companies failed ‘when lobbyists killed such an effort … arguing that the standards would be too expensive and too onerous for business’.Footnote29
Kristine Petrosyan, oil analyst for the International Energy Agency, has noted that the Colonial pipeline shutdown
underlines how digitalization and automation of energy systems are increasing the scope for cyberattacks. Policymakers, regulators and industry must address these potential hazards, which are set to grow as the shift to cleaner power is accompanied by an expansion of connective devices and digitalized smart networks.Footnote30
The importance of better preparation for cyberattacks has also been underscored by the chief executive officer of the Southern Company, one of the largest US energy providers. Thomas Fanning has said the country needs real-time centres to track cyber attacks. ‘A real-time view of that battlefield that allows Cyber Command to see my critical systems at the same moment and the same time I see them’, is what is needed, he has said. ‘Sharing isn’t fast enough. It’s not comprehensive, and you can’t rely on it on matters of national security’.Footnote31
Moreover, Congressman Bennie Thompson (D-MS), chair of the US House Homeland Security Committee, has put the challenge even more bluntly. ‘The Colonial pipeline ransomware attack and the related fuel shortages laid bare three urgent challenges facing the nation: cybersecurity vulnerabilities in critical infrastructure, the need to build resilience in our networks and the profitability of ransomware’, Thompson said.Footnote32
Implementing additional cybersecurity measures will, of course, take resources and firm political will. Are the world’s governments up to the task? Or will it take an enormous and crippling event to generate a reasonable response? Time will tell. Stay tuned.
The Willoughby Prize for 2020
Each year the Willoughby Prize is awarded to the author or authors of a Journal of Energy & Natural Resources Law article of outstanding merit. The winners of the 2020 Willoughby Prize are Florencia Heredia, Agostina L Martinez and Valentina Surraco Urtubey, of Buenos Aries, Argentina. The authors wrote ‘The Importance of Lithium for Achieving a Low-Carbon Future: Overview of the Lithium Extraction in the “Lithium Triangle”’, which was published online in July 2020 and in print in the August issue of the Journal. The article was particularly important since there is a growing world demand for lithium, a metal that will likely help power millions of electric vehicles in the near future. It has it been noted that perhaps as much as 75 per cent of the world’s lithium is found in Argentina, Bolivia and Chile.Footnote33 The authors’ efforts have been extremely well received by researchers worldwide who have already made the article the 10th most downloaded article in the journal’s 40-year history.
The Prize is awarded in memory of Geoffrey Willoughby (1936–1989), who played a leading role in the development of UK energy law. He also co-authored a leading UK energy law text, United Kingdom Oil and Gas Law, with Professor Terry Daintith. Achieving this prize is of special significance because the winning paper sits atop an annual submissions list that now numbers nearly 125 each year.
In announcing the winner, Judith-Aldersey-Williams, trustee of the Energy, Petroleum, Mineral & Natural Resources Law and Policy Education Trust charity that awards the prize, said this about the article: ‘We thought that the importance of lithium to the energy transition was clearly explained, your exploration of the geopolitics was fascinating and your treatment of the legal issues raised by lithium extraction clear and comprehensive’. The three co-authors will join a long line of distinguished authors whose articles have contributed enormously to the evolution and understanding of energy and natural resources law.
Final thoughts
Despite the heroic efforts of millions of people across our world who are tending to those who have been afflicted with the COVID-19 virus, and even accounting for the vaccines that have thus far been administered, hundreds of millions of people remain at risk. Everyone associated with the Journal remains hopeful that as this year progresses and as we draw closer to a new year, all societies and countries will successfully emerge from the ravages associated with the pandemic.
Obviously, the Journal focuses on legal issues involving energy and natural resources. But none of us works in a vacuum. We have all seen and experienced the suffering and loss attributable to the virus. And yet people around the world work day in and day out to keep our economies running, our lights on and our environments safe. It is difficult not to reflect on the public health of all the world’s societies, because the Journal is very much a reflection of contributions from all around the world. The Journal’s contributors write about issues that underlie the health of our planet and our ability as humans to aspire to dreams that will improve the common good.
Notes
1 Olafimihan Oshin, ‘Energy secretary: Adversaries have capability of shutdown down US power grid’, The Hill, 6 June 2021 https://thehill.com/homenews/sunday-talk-shows/557056-energy-secretary-adversaries-have-capability-of-shutting-down-us accessed 10 June 2021.
2 Don C Smith, ‘Editorial – Enhancing Cybersecurity in the Energy Sector: A Critical Priority’ (2018) 36 Journal of Energy & Natural Resources Law 373.
3 Govindarasu and Hahn quoted in ibid 373–74.
4 See IEA, ‘Report Extract: Cyber Resilience’ www.iea.org/reports/power-systems-in-transition/cyber-resilience p 63 accessed 10 June 2021.
5 Ibid.
6 Quoted in David Stringer and Heesu Lee, ‘Why Global Power Grids Are Still Vulnerable to Cyber Attacks’ (Bloomberg, 9 March 2021) www.bloomberg.com/news/articles/2021-03-03/why-global-power-grids-are-still-so-vulnerable-to-cyber-attacks accessed 10 June 2021.
7 Myles McCormick, ‘Cyber Attack Sparks US Effort to Keep Fuel Lines Open’ (Financial Times, 9 May 2021) www.ft.com/content/b8b530c7-f194-43da-8c98-6e181f68da38 accessed 10 June 2021.
8 Quoted in ibid.
9 Brad Plummer, ‘Pipeline Hack Points to Growing Cybersecurity Risk for Energy System’ (The New York Times, 13 May 2021) www.nytimes.com/2021/05/13/climate/pipeline-ransomware-hack-energy-grid.html accessed 10 June 2021.
10 Ibid.
11 Quoted in Christian Vasquez, Lesley Lark, and Peter Behr, ‘3 Takeaways from the Colonial Pipeline Hack’ (E&E News, 17 May 2021) www.eenews.net/energywire/stories/1063732723 accessed 10 June 2021.
12 Collin Eaton and Dustin Volz, ‘Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom’ (The Wall Street Journal, 19 May 2021) www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636 accessed 10 June 2021.
13 See United States Department of Justice, ‘Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomeware Extortionists Darkside' www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside accessed 10 June 2021.
14 Despite the fact that the executive order was issued just days after the Colonial Pipeline ransomware attack, work on the order had been going on for several months. Christian Vasquez, ‘Biden Mandates New Rules to Shut Down Hackers’ (E&E News, 13 May 2021) www.eenews.net/special_reports/cyber_attacks_on_infrastructure/stories/1063732465 accessed 10 June 2021.
15 See White House, ‘Executive Order on Improving the Nation's Cybersecurity' www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ accessed 10 June 2021.
16 See White House, ‘Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation's Cybersecurity and Protect Federal Government Networks’ www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/ accessed 10 June 2021.
17 Vasquez, ‘Biden Mandates New Rules’ (n 13).
18 Quoted in Sean Lyngaas, ‘Biden Signs Security-Focused Executive Order Meant to Accelerate Breach Reporting, Boost Software Standards’ Cyberscoop, 12 May 2021) www.cyberscoop.com/cyber-executive-order-biden-pipeline-russia-china/ accessed 10 June 2021.
19 Senator Mark Warner, ‘Statement of Sen. Warner on President Biden’s Cyber EO’ (12 May 2021) www.warner.senate.gov/public/index.cfm/pressreleases?page=2 accessed 10 June 2021.
20 See Elissa Slotkin, ‘As Cyber Threats Grow, Slotkin Introduces Bill to Boost Preparedness for U.S. Businesses and Local Governments’ https://slotkin.house.gov/media/press-releases/cyber-threats-grow-slotkin-introduces-bill-boost-preparedness-us-businesses-and accessed 10 June 2021.
21 Ibid.
22 See US Department of Homeland Security, ‘DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators' www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators accessed 10 June 2021.
23 Ibid.
24 Quoted in ibid.
25 Plummer (n 8).
26 Ibid.
27 Ibid.
28 Ibid.
29 David E Sanger, Nicole Perlroth, and Julian E Barnes, ‘Biden Plans an Order to Strengthen Cyberdefenses. Will It Be Enough?’ (The New York Times, 9 May 2021; updated 12 May 2021) www.nytimes.com/2021/05/09/us/politics/biden-cyberattack-response.html accessed 10 June 2021.
30 Kristine Petrosyan, ‘Colonial Pipeline Outage in the United States Underscores Risks to Energy Supplies’ (International Energy Agency, 11 May 2021) www.iea.org/commentaries/colonial-pipeline-outage-in-the-united-states-underscores-risks-to-energy-supplies accessed 10 June 2021.
31 Sanger, Perlroth, and Barnes (n 28).
32 Quoted in Christian Vasquez, ‘Lawmakers to Question Colonial Pipeline CEO, Cyber Nominees’ (E&E News, 7 June 2021) www.eenews.net/eedaily/2021/06/07/stories/1063734261 accessed 10 June 2021.
33 Samar Ahmad, ‘The Lithium Triangle: Where Chile, Argentina, and Bolivia Meet’ (Harvard International Review, 15 January 2020) https://hir.harvard.edu/lithium-triangle/ accessed 10 June 2021.