Professional Documents
Culture Documents
Cybersecurity in the Energy Sector Are We Really Prepared
Cybersecurity in the Energy Sector Are We Really Prepared
Don C Smith
To cite this article: Don C Smith (2021) Cybersecurity in the energy sector: are we
really prepared?, Journal of Energy & Natural Resources Law, 39:3, 265-270, DOI:
10.1080/02646811.2021.1943935
EDITORIAL
Cybersecurity in the energy sector: are we really
prepared?
US Energy Secretary Jennifer Granholm made an astounding – but sadly not surprising
– admission in early June 2021. When asked whether US adversaries have the capa-
bility of interrupting the electricity grid she simply answered, ‘Yes they do’, adding
‘I think there are very malign actors who are trying. Even as we speak, there are thou-
sands of attacks on all aspects of the energy sector and the private sector, generally’.1
Granholm’s words were astounding because the US government has known for
years that cyberattacks on key infrastructure were going on. And yet they were not sur-
prising because obviously not enough has been done to protect against such attacks.
Almost exactly three years ago, a journal editorial raised the matter of prioritising
cybersecurity in the energy sector.2 As the editorial pointed out, ‘[T]he US electricity
grid, which has been referred to as the “largest interconnected machine” in the world,
consists of “more than 7,000 power plants, 55,000 substations, 160,000 miles of high-
voltage transmission lines and millions of miles of low-voltage distribution lines”’.3
While it is true that the system has not yet suffered a catastrophic attack, Granholm’s
words are hardly comforting.
Organisations around the world are also concerned about this issue. For example,
in the World Economic Forum’s Global Risk Report 2020, cyberattacks on critical
infrastructure including the energy system were rated the fifth top risk.4 And the Inter-
national Energy Agency has said that for electricity systems in particular, ‘the threat of
cyberattack is substantial and growing, and threat actors are becoming increasingly
sophisticated at carrying out attacks – both in their destructive capabilities and their
ability to identify vulnerabilities’.5
Moreover, earlier this year Reji Kumar Pillai, head of an Indian think tank that advises
utilities, regulators and government on energy issues, said, ‘India’s power system is in
urgent need of proper cybersecurity systems. Both the state and the central governments
need to treat this with utmost urgency, without waiting for a disaster to happen’.6
1 Olafimihan Oshin, ‘Energy secretary: Adversaries have capability of shutdown down US power grid’,
The Hill, 6 June 2021 https://thehill.com/homenews/sunday-talk-shows/557056-energy-secretary-
adversaries-have-capability-of-shutting-down-us accessed 10 June 2021.
2 Don C Smith, ‘Editorial – Enhancing Cybersecurity in the Energy Sector: A Critical Priority’ (2018) 36
Journal of Energy & Natural Resources Law 373.
3 Govindarasu and Hahn quoted in ibid 373–74.
4 See IEA, ‘Report Extract: Cyber Resilience’ www.iea.org/reports/power-systems-in-transition/cyber-
resilience p 63 accessed 10 June 2021.
5 Ibid.
6 Quoted in David Stringer and Heesu Lee, ‘Why Global Power Grids Are Still Vulnerable to Cyber
Attacks’ (Bloomberg, 9 March 2021) www.bloomberg.com/news/articles/2021-03-03/why-global-
power-grids-are-still-so-vulnerable-to-cyber-attacks accessed 10 June 2021.
7 Myles McCormick, ‘Cyber Attack Sparks US Effort to Keep Fuel Lines Open’ (Financial Times, 9 May
2021) www.ft.com/content/b8b530c7-f194-43da-8c98-6e181f68da38 accessed 10 June 2021.
8 Quoted in ibid.
9 Brad Plummer, ‘Pipeline Hack Points to Growing Cybersecurity Risk for Energy System’ (The
New York Times, 13 May 2021) www.nytimes.com/2021/05/13/climate/pipeline-ransomware-hack-
energy-grid.html accessed 10 June 2021.
10 Ibid.
11 Quoted in Christian Vasquez, Lesley Lark, and Peter Behr, ‘3 Takeaways from the Colonial Pipeline
Hack’ (E&E News, 17 May 2021) www.eenews.net/energywire/stories/1063732723 accessed 10 June
2021.
12 Collin Eaton and Dustin Volz, ‘Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million
Ransom’ (The Wall Street Journal, 19 May 2021) www.wsj.com/articles/colonial-pipeline-ceo-tells-
why-he-paid-hackers-a-4-4-million-ransom-11621435636 accessed 10 June 2021.
13 See United States Department of Justice, ‘Department of Justice Seizes $2.3 Million in Cryptocurrency
Paid to the Ransomeware Extortionists Darkside’ www.justice.gov/opa/pr/department-justice-seizes-
23-million-cryptocurrency-paid-ransomware-extortionists-darkside accessed 10 June 2021.
14 Despite the fact that the executive order was issued just days after the Colonial Pipeline ransomware
attack, work on the order had been going on for several months. Christian Vasquez, ‘Biden Mandates
New Rules to Shut Down Hackers’ (E&E News, 13 May 2021) www.eenews.net/special_reports/cyber_
attacks_on_infrastructure/stories/1063732465 accessed 10 June 2021.
15 See White House, ‘Executive Order on Improving the Nation’s Cybersecurity’ www.whitehouse.gov/
briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-
cybersecurity/ accessed 10 June 2021.
Editorial 267
[T]he United States is simply not prepared to fend off state-sponsored or even criminal
hackers intent on compromising our systems for profit or espionage. This executive
order is a good first step, but executive orders can only go so far. Congress is going
to have to step up and do more to address our cyber vulnerabilities.19
The day after Biden signed the executive order, bipartisan legislation aimed at boost-
ing US preparedness for businesses and local governments was introduced in the US
Congress. The Cybersecurity and Infrastructure Security Agency Cyber Exercise
Act, introduced by Congressman Mike Gallagher (Republican-Wisconsin) and Con-
gresswoman Elissa Slotkin (Democrat-Mississippi), would create new ways for
American businesses and government to test critical infrastructure against cyber
threats as well as establish a National Cyber Exercise Program to test the US
response plan for major incidents.20 Slotkin said the Colonial Pipeline event had
‘clearly shown that cybersecurity is no longer just a “tech” issue – it’s at the very
heart of protecting the systems that power our daily lives as Americans’, adding,
‘This bill can be a step in ramping up [coordination between state and local govern-
ments and private businesses], ensuring that our government is preparing for the full
range of cyber threats, and providing our communities and businesses the tools they
need to be secure and resilient’.21
In late May the DHS followed up with a ‘first-of-a-kind’ cybersecurity directive for
the pipeline industry.22 Pursuant to the directive, ‘critical pipeline owners and
16 See White House, ‘Fact Sheet: President Signs Executive Order Charting New Course to Improve the
Nation’s Cybersecurity and Protect Federal Government Networks’ www.whitehouse.gov/briefing-
room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-
to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/ accessed 10 June
2021.
17 Vasquez, ‘Biden Mandates New Rules’ (n 13).
18 Quoted in Sean Lyngaas, ‘Biden Signs Security-Focused Executive Order Meant to Accelerate Breach
Reporting, Boost Software Standards’ Cyberscoop, 12 May 2021) www.cyberscoop.com/cyber-
executive-order-biden-pipeline-russia-china/ accessed 10 June 2021.
19 Senator Mark Warner, ‘Statement of Sen. Warner on President Biden’s Cyber EO’ (12 May 2021) www.
warner.senate.gov/public/index.cfm/pressreleases?page=2 accessed 10 June 2021.
20 See Elissa Slotkin, ‘As Cyber Threats Grow, Slotkin Introduces Bill to Boost Preparedness for U.S.
Businesses and Local Governments’ https://slotkin.house.gov/media/press-releases/cyber-threats-
grow-slotkin-introduces-bill-boost-preparedness-us-businesses-and accessed 10 June 2021.
21 Ibid.
22 See US Department of Homeland Security, ‘DHS Announces New Cybersecurity Requirements for
Critical Pipeline Owners and Operators’ www.dhs.gov/news/2021/05/27/dhs-announces-new-
cybersecurity-requirements-critical-pipeline-owners-and-operators accessed 10 June 2021.
268 Editorial
operators’ will be required ‘to report confirmed and potential cybersecurity incidents
to the DHS Cybersecurity and Infrastructure Security Agency … and to designate a
Cybersecurity Coordinator, to be available 24 hours a day, seven days a week’.23 In
announcing the directive, US Secretary of Homeland Security Alejandro N Mayorkas
said, ‘The recent ransomware attack on a major petroleum pipeline demonstrates that
the cybersecurity of pipeline systems is critical to our homeland security’.24
The attack on the Colonial pipeline was hardly the first of its kind in terms of
energy-related infrastructure. In 2020, a ransomware attack caused a natural gas com-
pression installation to shut down for two days, and in 2018 an attack caused service
disruptions for the operators of a number of natural gas pipelines.25 Even ‘bigger risks
lurk’, The New York Times reported, referring to a 2016 attack that caused significant
parts of the Ukrainian power grid to collapse in what is believed to be the ‘first inter-
national blackout triggered by a cyberattack’.26
Energy experts have said that US grid operators and electric utilities are ‘typi-
cally further ahead in preparing for cyberattacks than the oil and gas industry, in
part because federal regulators have long required cybersecurity standards for the
backbone of the nation’s power grid’.27 Nevertheless, because of the grid’s com-
plexity, it may still be susceptible to an attack because of the sheer number of uti-
lities that are part of the grid and their ‘varying’ procedures when it comes to
cybersecurity.28
The calls for US companies managing critical systems to improve their cybersecur-
ity procedures are not new, but the lack of success in many instances reflects the enor-
mous impact of lobbying in Washington, DC. In 2012, Congressional efforts to
mandate minimum cybersecurity standards for these companies failed ‘when lobbyists
killed such an effort … arguing that the standards would be too expensive and too
onerous for business’.29
Kristine Petrosyan, oil analyst for the International Energy Agency, has noted that
the Colonial pipeline shutdown
underlines how digitalization and automation of energy systems are increasing the
scope for cyberattacks. Policymakers, regulators and industry must address these poten-
tial hazards, which are set to grow as the shift to cleaner power is accompanied by an
expansion of connective devices and digitalized smart networks.30
The importance of better preparation for cyberattacks has also been underscored by the
chief executive officer of the Southern Company, one of the largest US energy
23 Ibid.
24 Quoted in ibid.
25 Plummer (n 8).
26 Ibid.
27 Ibid.
28 Ibid.
29 David E Sanger, Nicole Perlroth, and Julian E Barnes, ‘Biden Plans an Order to Strengthen Cyberde-
fenses. Will It Be Enough?’ (The New York Times, 9 May 2021; updated 12 May 2021) www.nytimes.
com/2021/05/09/us/politics/biden-cyberattack-response.html accessed 10 June 2021.
30 Kristine Petrosyan, ‘Colonial Pipeline Outage in the United States Underscores Risks to Energy
Supplies’ (International Energy Agency, 11 May 2021) www.iea.org/commentaries/colonial-pipeline-
outage-in-the-united-states-underscores-risks-to-energy-supplies accessed 10 June 2021.
Editorial 269
providers. Thomas Fanning has said the country needs real-time centres to track cyber
attacks. ‘A real-time view of that battlefield that allows Cyber Command to see my
critical systems at the same moment and the same time I see them’, is what is
needed, he has said. ‘Sharing isn’t fast enough. It’s not comprehensive, and you
can’t rely on it on matters of national security’.31
Moreover, Congressman Bennie Thompson (D-MS), chair of the US House Home-
land Security Committee, has put the challenge even more bluntly. ‘The Colonial pipe-
line ransomware attack and the related fuel shortages laid bare three urgent challenges
facing the nation: cybersecurity vulnerabilities in critical infrastructure, the need to
build resilience in our networks and the profitability of ransomware’, Thompson
said.32
Implementing additional cybersecurity measures will, of course, take resources
and firm political will. Are the world’s governments up to the task? Or will it take
an enormous and crippling event to generate a reasonable response? Time will tell.
Stay tuned.
geopolitics was fascinating and your treatment of the legal issues raised by lithium
extraction clear and comprehensive’. The three co-authors will join a long line of dis-
tinguished authors whose articles have contributed enormously to the evolution and
understanding of energy and natural resources law.
Final thoughts
Despite the heroic efforts of millions of people across our world who are tending to
those who have been afflicted with the COVID-19 virus, and even accounting for
the vaccines that have thus far been administered, hundreds of millions of people
remain at risk. Everyone associated with the Journal remains hopeful that as this
year progresses and as we draw closer to a new year, all societies and countries will
successfully emerge from the ravages associated with the pandemic.
Obviously, the Journal focuses on legal issues involving energy and natural
resources. But none of us works in a vacuum. We have all seen and experienced the
suffering and loss attributable to the virus. And yet people around the world work
day in and day out to keep our economies running, our lights on and our environments
safe. It is difficult not to reflect on the public health of all the world’s societies, because
the Journal is very much a reflection of contributions from all around the world. The
Journal’s contributors write about issues that underlie the health of our planet and our
ability as humans to aspire to dreams that will improve the common good.
Don C Smith
Editor, Journal of Energy & Natural Resources Law
University of Denver Sturm College of Law, Denver, CO, USA
Email: dcsmith@law.du.edu