Energy Department Leading White House Interagency Response to Pipeline Attack
The hack highlights jurisdictional issues on pipeline cybersecurity.
The White House has formed an interagency task force in response to a cyberattack on Colonial Pipeline Company with the Energy Department at the helm, according to administration officials.
“The White House convened an interagency team that included the Department of Energy, which is the lead agency for incident response in this case, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the FBI, the Department of Transportation Safety and Hazardous Materials Safety Administration, the Department of the Treasury, the Department of Defense and other agencies,” Deputy National Security Advisor Liz Sherwood-Randall said during a press briefing on the event Monday.
Not specifically listed in that group was DHS’s Transportation Security Administration, which has oversight over pipeline cybersecurity.
In May 2019, the Government Accountability Office issued a scathing report on the TSA’s performance in that role, noting among other things that there were only six staffers assigned to the area. And there has been a longstanding bipartisan effort from within the Federal Energy Regulatory Commission and in Congress to turn responsibility for pipeline cybersecurity over to Energy.
The attack on Colonial’s 5,500 miles of pipelines, attributed by the FBI to a criminal ransomware group called Darkside, threatens to disrupt the flow of almost half the East Coast’s energy supply. Randall said there isn’t currently an energy supply issue, but that the administration is working on contingency plans if shortages develop.
Perpetrators of ransomware deploy malware to encrypt an entity’s data until they receive a payment. In recent attacks of this variant, hackers have also threatened to publicly release sensitive data so that even if a company has backup files—like they’re supposed to—they’re still motivated to pay. However, the FBI discourages victims from paying as it has the potential to incentivize more attacks.
Over the weekend, the company issued a statement saying only that it is developing a “system restart plan” and that it was making some progress toward returning to normal.
“The Colonial Pipeline operations team is developing a system restart plan,” the Sunday statement reads. “While our mainlines (Lines 1, 2, 3 and 4) remain offline, some smaller lateral lines between terminals and delivery points are now operational. We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.”
On Saturday, following the initial news of the attack, FERC Commissioner Neil Chatterjee, a Republican, re-upped his call for the Energy Department to have jurisdiction over pipeline security. In a tweet, he also noted that TSA’s approach of using voluntary guidelines in its oversight of the industry is problematic.
In another tweet Saturday, Sen. Ed Markey, D.-Mass., added: “An understaffed, underprepared TSA cannot successfully ensure the security of dangerous and susceptible natural gas pipeline infrastructure. The federal inability to prevent cyberattacks turns our pipeline system into a risk for communities.”
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, also speaking at Monday’s briefing, said that while the government is engaging with Colonial, the company has declined offers of assistance in its remediation efforts.
“We judge that the company said that they have adequate support and they noted in their public remarks that they're using a third-party service, and they feel they're making adequate progress with their own resources, and we know we're standing by,” she said. “We're happy that they are confident in their ability to remediate the incident and rapidly recover, to meet the needs of their customers.”
Neuberger also declined to answer a direct question about whether Colonial should pay the ransom. While the FBI has long advised companies against doing this, she suggested the company may not have backed up its files and may therefore be in a position that would take the decision out of their hands.
“The FBI has provided advice in the past that paying a ransom would encourage further ransomware activity and is so troubling,” she said. “We recognize though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data.”
She called for entities to proactively secure their systems to defend against possible ransomware attacks.
“In this case, the ransomware that was used is a known variant,” she said. “The FBI has investigated many cases of this in the past.”
Neuberger said that while the current assessment of Darkside is that it is a purely criminal enterprise, the intelligence community is looking into potential nation-state ties.