Journal of Energy & Natural Resources Law

ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/rnrl20

Cybersecurity in the energy sector: are we really

prepared?

Don C Smith

To cite this article: Don C Smith (2021) Cybersecurity in the energy sector: are we
really prepared?, Journal of Energy & Natural Resources Law, 39:3, 265-270, DOI:
10.1080/02646811.2021.1943935

To link to this article: https://doi.org/10.1080/02646811.2021.1943935

Published online: 22 Jul 2021.

Submit your article to this journal

Article views: 4994

View related articles

View Crossmark data

Citing articles: 1 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=rnrl20
Journal of Energy & Natural Resources Law, 2021
Vol 39, No 3, 265–270, https://doi.org/10.1080/02646811.2021.1943935

EDITORIAL
Cybersecurity in the energy sector: are we really
prepared?

US Energy Secretary Jennifer Granholm made an astounding – but sadly not surprising
– admission in early June 2021. When asked whether US adversaries have the capa-
bility of interrupting the electricity grid she simply answered, ‘Yes they do’, adding
‘I think there are very malign actors who are trying. Even as we speak, there are thou-
sands of attacks on all aspects of the energy sector and the private sector, generally’.1
Granholm’s words were astounding because the US government has known for
years that cyberattacks on key infrastructure were going on. And yet they were not sur-
prising because obviously not enough has been done to protect against such attacks.
Almost exactly three years ago, a journal editorial raised the matter of prioritising
cybersecurity in the energy sector.2 As the editorial pointed out, ‘[T]he US electricity
grid, which has been referred to as the “largest interconnected machine” in the world,
consists of “more than 7,000 power plants, 55,000 substations, 160,000 miles of high-
voltage transmission lines and millions of miles of low-voltage distribution lines”’.3
While it is true that the system has not yet suffered a catastrophic attack, Granholm’s
words are hardly comforting.
Organisations around the world are also concerned about this issue. For example,
in the World Economic Forum’s Global Risk Report 2020, cyberattacks on critical
infrastructure including the energy system were rated the fifth top risk.4 And the Inter-
national Energy Agency has said that for electricity systems in particular, ‘the threat of
cyberattack is substantial and growing, and threat actors are becoming increasingly
sophisticated at carrying out attacks – both in their destructive capabilities and their
ability to identify vulnerabilities’.5
Moreover, earlier this year Reji Kumar Pillai, head of an Indian think tank that advises
utilities, regulators and government on energy issues, said, ‘India’s power system is in
urgent need of proper cybersecurity systems. Both the state and the central governments
need to treat this with utmost urgency, without waiting for a disaster to happen’.6

1 Olafimihan Oshin, ‘Energy secretary: Adversaries have capability of shutdown down US power grid’,
The Hill, 6 June 2021 https://thehill.com/homenews/sunday-talk-shows/557056-energy-secretary-
adversaries-have-capability-of-shutting-down-us accessed 10 June 2021.
2 Don C Smith, ‘Editorial – Enhancing Cybersecurity in the Energy Sector: A Critical Priority’ (2018) 36
Journal of Energy & Natural Resources Law 373.
3 Govindarasu and Hahn quoted in ibid 373–74.
4 See IEA, ‘Report Extract: Cyber Resilience’ www.iea.org/reports/power-systems-in-transition/cyber-
resilience p 63 accessed 10 June 2021.
5 Ibid.
6 Quoted in David Stringer and Heesu Lee, ‘Why Global Power Grids Are Still Vulnerable to Cyber
Attacks’ (Bloomberg, 9 March 2021) www.bloomberg.com/news/articles/2021-03-03/why-global-
power-grids-are-still-so-vulnerable-to-cyber-attacks accessed 10 June 2021.

© 2021 International Bar Association

266 Editorial

The concern about cyberattacks on US energy infrastructure increased exponen-

tially in early May with the announcement that a pipeline that supplies the US East
Coast with almost half its jet fuel and gasoline had been shut off by a cyberattack.
For several days operator Colonial Pipeline Company shuttered the entire system as
a result of the ransomware effort.7 In describing the incident, Robert Campbell of
the consultancy Energy Aspects said, ‘This is definitely not a schoolboy prank. This
is a highly sophisticated attack on a piece of critical infrastructure’.8
As The New York Times reported, ‘The audacious ransom attack that shut down [the
Colonial] fuel pipeline and sent Americans scrambling for gasoline in the Northeast …
was not the first time hackers have disrupted America’s aging, vulnerable infrastructure.
And it’s unlikely to be the last’.9 The Times went on to report, ‘Despite years of warn-
ings, America’s vast network of pipelines, electric grids and power plants remains
acutely vulnerable to cyberattacks with the potential to disrupt energy supplies for
millions of people’.10 Furthermore, Chris Krebs, former director of the US Department
of Homeland Security (DHS)’s Cybersecurity and Infrastructure Security Agency in the
Trump administration, said, ‘If there was any remaining question as to whether cyber-
crime and ransomware in particular was a national security threat, I think that question
resolved itself’ – referring to the Colonial pipeline shutdown.11
A few days after the attack, Colonial Pipeline paid a ransom of $4.4 million to
restore its systems,12 and in early June the US Department of Justice seized about
half of that payment.13 Nevertheless, the entire episode was a stark reminder of the
vulnerability of the US energy system. In the wake of the cyberattack, President Joe
Biden issued an executive order,14 on 12 May 2020, aimed at improving the
nation’s cybersecurity.15 Among other things, the order calls for a Cybersecurity
Safety Review Board, co-chaired by private sector and government leads, that may
convene to analyse and make cybersecurity recommendations after a significant
cyber incident; modernises and implements stronger cybersecurity standards for the
federal government; and implements a more stringent software supply chain security

7 Myles McCormick, ‘Cyber Attack Sparks US Effort to Keep Fuel Lines Open’ (Financial Times, 9 May
2021) www.ft.com/content/b8b530c7-f194-43da-8c98-6e181f68da38 accessed 10 June 2021.
8 Quoted in ibid.
9 Brad Plummer, ‘Pipeline Hack Points to Growing Cybersecurity Risk for Energy System’ (The
New York Times, 13 May 2021) www.nytimes.com/2021/05/13/climate/pipeline-ransomware-hack-
energy-grid.html accessed 10 June 2021.
10 Ibid.
11 Quoted in Christian Vasquez, Lesley Lark, and Peter Behr, ‘3 Takeaways from the Colonial Pipeline
Hack’ (E&E News, 17 May 2021) www.eenews.net/energywire/stories/1063732723 accessed 10 June
2021.
12 Collin Eaton and Dustin Volz, ‘Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million
Ransom’ (The Wall Street Journal, 19 May 2021) www.wsj.com/articles/colonial-pipeline-ceo-tells-
why-he-paid-hackers-a-4-4-million-ransom-11621435636 accessed 10 June 2021.
13 See United States Department of Justice, ‘Department of Justice Seizes $2.3 Million in Cryptocurrency
Paid to the Ransomeware Extortionists Darkside’ www.justice.gov/opa/pr/department-justice-seizes-
23-million-cryptocurrency-paid-ransomware-extortionists-darkside accessed 10 June 2021.
14 Despite the fact that the executive order was issued just days after the Colonial Pipeline ransomware
attack, work on the order had been going on for several months. Christian Vasquez, ‘Biden Mandates
New Rules to Shut Down Hackers’ (E&E News, 13 May 2021) www.eenews.net/special_reports/cyber_
attacks_on_infrastructure/stories/1063732465 accessed 10 June 2021.
15 See White House, ‘Executive Order on Improving the Nation’s Cybersecurity’ www.whitehouse.gov/
briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-
cybersecurity/ accessed 10 June 2021.
 Editorial 267

system by establishing ‘baseline security standards for development of software sold

to the government’.16
The cybersecurity executive order garnered ‘widespread praise’ from cybersecur-
ity experts and lawmakers alike, ‘who have long called for massive overhauls to cyber-
security policy’.17 Ari Schwartz, a former cybersecurity official in the Obama White
House and current cybersecurity services managing director at the Venable law firm,
welcomed the order and said, ‘It is broad enough that it will also have some impact on
protecting critical infrastructure and other organizations including improving software
standards’.18 Meanwhile, Senator Mark Warner (Democrat-Virgina) provided a cau-
tionary observation, saying,

[T]he United States is simply not prepared to fend off state-sponsored or even criminal
hackers intent on compromising our systems for profit or espionage. This executive
order is a good first step, but executive orders can only go so far. Congress is going
to have to step up and do more to address our cyber vulnerabilities.19

The day after Biden signed the executive order, bipartisan legislation aimed at boost-
ing US preparedness for businesses and local governments was introduced in the US
Congress. The Cybersecurity and Infrastructure Security Agency Cyber Exercise
Act, introduced by Congressman Mike Gallagher (Republican-Wisconsin) and Con-
gresswoman Elissa Slotkin (Democrat-Mississippi), would create new ways for
American businesses and government to test critical infrastructure against cyber
threats as well as establish a National Cyber Exercise Program to test the US
response plan for major incidents.20 Slotkin said the Colonial Pipeline event had
‘clearly shown that cybersecurity is no longer just a “tech” issue – it’s at the very
heart of protecting the systems that power our daily lives as Americans’, adding,
‘This bill can be a step in ramping up [coordination between state and local govern-
ments and private businesses], ensuring that our government is preparing for the full
range of cyber threats, and providing our communities and businesses the tools they
need to be secure and resilient’.21
In late May the DHS followed up with a ‘first-of-a-kind’ cybersecurity directive for
the pipeline industry.22 Pursuant to the directive, ‘critical pipeline owners and

16 See White House, ‘Fact Sheet: President Signs Executive Order Charting New Course to Improve the
Nation’s Cybersecurity and Protect Federal Government Networks’ www.whitehouse.gov/briefing-
room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-
to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/ accessed 10 June
2021.
17 Vasquez, ‘Biden Mandates New Rules’ (n 13).
18 Quoted in Sean Lyngaas, ‘Biden Signs Security-Focused Executive Order Meant to Accelerate Breach
Reporting, Boost Software Standards’ Cyberscoop, 12 May 2021) www.cyberscoop.com/cyber-
executive-order-biden-pipeline-russia-china/ accessed 10 June 2021.
19 Senator Mark Warner, ‘Statement of Sen. Warner on President Biden’s Cyber EO’ (12 May 2021) www.
warner.senate.gov/public/index.cfm/pressreleases?page=2 accessed 10 June 2021.
20 See Elissa Slotkin, ‘As Cyber Threats Grow, Slotkin Introduces Bill to Boost Preparedness for U.S.
Businesses and Local Governments’ https://slotkin.house.gov/media/press-releases/cyber-threats-
grow-slotkin-introduces-bill-boost-preparedness-us-businesses-and accessed 10 June 2021.
21 Ibid.
22 See US Department of Homeland Security, ‘DHS Announces New Cybersecurity Requirements for
Critical Pipeline Owners and Operators’ www.dhs.gov/news/2021/05/27/dhs-announces-new-
cybersecurity-requirements-critical-pipeline-owners-and-operators accessed 10 June 2021.
268 Editorial

operators’ will be required ‘to report confirmed and potential cybersecurity incidents
to the DHS Cybersecurity and Infrastructure Security Agency … and to designate a
Cybersecurity Coordinator, to be available 24 hours a day, seven days a week’.23 In
announcing the directive, US Secretary of Homeland Security Alejandro N Mayorkas
said, ‘The recent ransomware attack on a major petroleum pipeline demonstrates that
the cybersecurity of pipeline systems is critical to our homeland security’.24
The attack on the Colonial pipeline was hardly the first of its kind in terms of
energy-related infrastructure. In 2020, a ransomware attack caused a natural gas com-
pression installation to shut down for two days, and in 2018 an attack caused service
disruptions for the operators of a number of natural gas pipelines.25 Even ‘bigger risks
lurk’, The New York Times reported, referring to a 2016 attack that caused significant
parts of the Ukrainian power grid to collapse in what is believed to be the ‘first inter-
national blackout triggered by a cyberattack’.26
Energy experts have said that US grid operators and electric utilities are ‘typi-
cally further ahead in preparing for cyberattacks than the oil and gas industry, in
part because federal regulators have long required cybersecurity standards for the
backbone of the nation’s power grid’.27 Nevertheless, because of the grid’s com-
plexity, it may still be susceptible to an attack because of the sheer number of uti-
lities that are part of the grid and their ‘varying’ procedures when it comes to
cybersecurity.28
The calls for US companies managing critical systems to improve their cybersecur-
ity procedures are not new, but the lack of success in many instances reflects the enor-
mous impact of lobbying in Washington, DC. In 2012, Congressional efforts to
mandate minimum cybersecurity standards for these companies failed ‘when lobbyists
killed such an effort … arguing that the standards would be too expensive and too
onerous for business’.29
Kristine Petrosyan, oil analyst for the International Energy Agency, has noted that
the Colonial pipeline shutdown

underlines how digitalization and automation of energy systems are increasing the
scope for cyberattacks. Policymakers, regulators and industry must address these poten-
tial hazards, which are set to grow as the shift to cleaner power is accompanied by an
expansion of connective devices and digitalized smart networks.30

The importance of better preparation for cyberattacks has also been underscored by the
chief executive officer of the Southern Company, one of the largest US energy

23 Ibid.
24 Quoted in ibid.
25 Plummer (n 8).
26 Ibid.
27 Ibid.
28 Ibid.
29 David E Sanger, Nicole Perlroth, and Julian E Barnes, ‘Biden Plans an Order to Strengthen Cyberde-
fenses. Will It Be Enough?’ (The New York Times, 9 May 2021; updated 12 May 2021) www.nytimes.
com/2021/05/09/us/politics/biden-cyberattack-response.html accessed 10 June 2021.
30 Kristine Petrosyan, ‘Colonial Pipeline Outage in the United States Underscores Risks to Energy
Supplies’ (International Energy Agency, 11 May 2021) www.iea.org/commentaries/colonial-pipeline-
outage-in-the-united-states-underscores-risks-to-energy-supplies accessed 10 June 2021.
 Editorial 269

providers. Thomas Fanning has said the country needs real-time centres to track cyber
attacks. ‘A real-time view of that battlefield that allows Cyber Command to see my
critical systems at the same moment and the same time I see them’, is what is
needed, he has said. ‘Sharing isn’t fast enough. It’s not comprehensive, and you
can’t rely on it on matters of national security’.31
Moreover, Congressman Bennie Thompson (D-MS), chair of the US House Home-
land Security Committee, has put the challenge even more bluntly. ‘The Colonial pipe-
line ransomware attack and the related fuel shortages laid bare three urgent challenges
facing the nation: cybersecurity vulnerabilities in critical infrastructure, the need to
build resilience in our networks and the profitability of ransomware’, Thompson
said.32
Implementing additional cybersecurity measures will, of course, take resources
and firm political will. Are the world’s governments up to the task? Or will it take
an enormous and crippling event to generate a reasonable response? Time will tell.
Stay tuned.

The Willoughby Prize for 2020

Each year the Willoughby Prize is awarded to the author or authors of a Journal of
Energy & Natural Resources Law article of outstanding merit. The winners of the
2020 Willoughby Prize are Florencia Heredia, Agostina L Martinez and Valentina
Surraco Urtubey, of Buenos Aries, Argentina. The authors wrote ‘The Importance
of Lithium for Achieving a Low-Carbon Future: Overview of the Lithium Extrac-
tion in the “Lithium Triangle”’, which was published online in July 2020 and in
print in the August issue of the Journal. The article was particularly important
since there is a growing world demand for lithium, a metal that will likely help
power millions of electric vehicles in the near future. It has it been noted that
perhaps as much as 75 per cent of the world’s lithium is found in Argentina,
Bolivia and Chile.33 The authors’ efforts have been extremely well received by
researchers worldwide who have already made the article the 10th most downloaded
article in the journal’s 40-year history.
The Prize is awarded in memory of Geoffrey Willoughby (1936–1989), who
played a leading role in the development of UK energy law. He also co-authored
a leading UK energy law text, United Kingdom Oil and Gas Law, with Professor
Terry Daintith. Achieving this prize is of special significance because the
winning paper sits atop an annual submissions list that now numbers nearly
125 each year.
In announcing the winner, Judith-Aldersey-Williams, trustee of the Energy, Pet-
roleum, Mineral & Natural Resources Law and Policy Education Trust charity that
awards the prize, said this about the article: ‘We thought that the importance of
lithium to the energy transition was clearly explained, your exploration of the

31 Sanger, Perlroth, and Barnes (n 28).

32 Quoted in Christian Vasquez, ‘Lawmakers to Question Colonial Pipeline CEO, Cyber Nominees’ (E&E
News, 7 June 2021) www.eenews.net/eedaily/2021/06/07/stories/1063734261 accessed 10 June 2021.
33 Samar Ahmad, ‘The Lithium Triangle: Where Chile, Argentina, and Bolivia Meet’ (Harvard Inter-
national Review, 15 January 2020) https://hir.harvard.edu/lithium-triangle/ accessed 10 June 2021.
270 Editorial

geopolitics was fascinating and your treatment of the legal issues raised by lithium
extraction clear and comprehensive’. The three co-authors will join a long line of dis-
tinguished authors whose articles have contributed enormously to the evolution and
understanding of energy and natural resources law.

Final thoughts
Despite the heroic efforts of millions of people across our world who are tending to
those who have been afflicted with the COVID-19 virus, and even accounting for
the vaccines that have thus far been administered, hundreds of millions of people
remain at risk. Everyone associated with the Journal remains hopeful that as this
year progresses and as we draw closer to a new year, all societies and countries will
successfully emerge from the ravages associated with the pandemic.
Obviously, the Journal focuses on legal issues involving energy and natural
resources. But none of us works in a vacuum. We have all seen and experienced the
suffering and loss attributable to the virus. And yet people around the world work
day in and day out to keep our economies running, our lights on and our environments
safe. It is difficult not to reflect on the public health of all the world’s societies, because
the Journal is very much a reflection of contributions from all around the world. The
Journal’s contributors write about issues that underlie the health of our planet and our
ability as humans to aspire to dreams that will improve the common good.

Don C Smith
Editor, Journal of Energy & Natural Resources Law
University of Denver Sturm College of Law, Denver, CO, USA
Email: dcsmith@law.du.edu