The cyber threat to the nation’s energy infrastructure just crossed the Rubicon. A cyberattack forced the shutdown of the Colonial Pipeline, which transports 45% of the refined fuel used on the East Coast. Gas stations from New England to Georgia are without fuel and it will be days before the pipeline is operating normally, and days more before the supply crunch is resolved.

As one CNN contributor observed, “the fact that an apparent group of cyber pirates – a secret criminal nerd syndicate – can take down the aorta of fuel for the East Coast should be sending shockwaves through the country.”

The shockwaves are beginning but it remains to be seen if we learn the right lessons and act on them. This attack isn’t the first on the nation’s energy infrastructure. No, in fact, it’s one of more than 4,000 ransomware attacks on energy infrastructure that have occurred daily since January of 2016 according to the U.S. Cybersecurity and Infrastructure Security Agency. While most attacks are stopped, or quietly quarantined, some have made the news. A cyberattack on a solar and wind operator in Utah in March of 2019 took 500 MW of capacity offline. The cyber threat has been omni-present for years but only now are we starting to grapple with just how vulnerable critical infrastructure is to bad actors.

The Colonial Pipeline attack reveals several key considerations that are screaming for further investigation. First, the hackers’ goal was financially motivated, not political. As humbling as this attack has been, it wasn’t even designed to do real damage or to create disruption. That begs the obvious question of what a determined attack carefully designed to cause real damage and disruption could do?

Second, as disruptive as an attack on a pipeline carrying gasoline and jet fuel is to the economy, these are fuels that can be stored on site or in car gas tanks creating some buffer and room for error. In other words, there are often local reserves of fuel. The far scarier scenario is an attack, or attacks, on natural gas pipelines during a high-demand event – such as a scorching summer day or during the bitter cold of a polar vortex – where power plants and heating systems are completely beholden to just-in-time fuel delivery. Should a major pipeline or pipelines go down, the shock to the grid and the nation’s infrastructure would be immediate and potentially catastrophic. It’s not surprising that multiple members of the Federal Energy Regulatory Commission are now calling for mandatory pipeline cyber standards.

Value Fuel Security
Former Energy Secretary Rick Perry was derided for his concern over the threat of a cyberattack on the nation’s natural gas infrastructure and the suggestion that dispatchable fuel diversity provided by coal and nuclear power is a valuable insurance policy in an era of emerging and deceptively dangerous threats. Of course, his concern and suggestion seem infinitely reasonable now.

Fuel security and dispatchable fuel diversity are an overlooked and disappearing insurance policy for a grid and energy system that increasingly need insurance. While every piece of energy infrastructure is vulnerable to cyber threats, it’s becoming clear that pipelines and just-in-time fuel delivery are a particularly vulnerable link in the equation. Conversely, the months of fuel stored on site at coal and nuclear power plants add a layer of security and resilience we have long taken for granted and continue to undervalue. Will it be cyber insecurity, of all things, that begins to turn the tide and create urgency for market reform?

It’s past time to properly compensate existing coal capacity for the insurance it provides the grid. The nation needs a responsible, no-regrets bridge to the energy future we want. That bridge should rest on the fuel-security, reliability and resilience provided by the nation’s coal fleet.