When a major cyberattack hit the Colonial Pipeline last year, gasoline supplies were disrupted for days, prompting panic among East Coast consumers. Federal regulators scrambled to impose emergency mandatory cybersecurity standards on critical pipeline operators to protect their systems.
Amid the chaos, Arjun Prasad Ramadevanahalli was cool and collected—and not surprised.
“It almost felt like it was an inevitability and only a matter of time before this happened, unfortunately,” he said.
Ramadevanahalli, a 36-year-old associate for Morgan Lewis’ Washington, D.C., office, has focused his practice on the complicated question of how energy companies navigate the rapidly evolving world of cybersecurity—and how to communicate with the government.
He is currently advising multiple major pipeline owner-operators who are subject to the emergency standards, issued by the Transportation Security Administration, on what might be around the corner in a complex and urgent field.
The Colonial Pipeline hack brought cybersecurity to the forefront, underscoring the government’s intent to expand enforcement of cybersecurity beyond electricity into other sectors deemed critical infrastructure, Ramadevanahalli said.
As threats from foreign adversaries have grown, particularly as Russia has been more aggressive in challenging Western nations, the private sector and government agencies have all been trying to figure out how to work together on the same goal: protect critical energy infrastructure against cyberattacks that can prove disruptive.
“It’s been really interesting how that starts to culminate after we’ve been tuned in and focused on it for a long time,” Ramadevanahalli said. “That conversation is picking up.”
Ramadevanahalli was a boy in the Kansas City, Missouri, area when he knew he had a knack for the digital space. Influenced by his father, who worked for Gateway 2000, a large computer company during the rise of the internet in the 1990s, he began to learn how to code when he was 11 years old. He was also drawn to current events, politics, and international relations.
After earning a bachelor’s degree in history from Tufts University, he decided energy law was the field that excited him most. He received his law degree from American University in 2013, getting an internship with
“We kind of take it for granted, I think, when you flip on a light switch or turn on a heater, to think about all the pieces that have happened upstream from that to get that power or gas to you and the companies working round-the-clock to do that,” he said.
Cybersecurity was top of mind when he joined Morgan Lewis as an associate in 2013.
The firm’s involvement in cybersecurity standards had picked up in the mid-2000s with the formation of the North American Electric Reliability Corp., known as NERC. Congress empowered the federally certified nonprofit to enforce mandatory reliability and cybersecurity standards, following the massive 2003 blackouts that cut power to more than 50 million people.
“We’ve been able to take that experience that we’ve developed working with electric utilities on their compliance with cybersecurity standards and apply that across the board,” said Stephen Spina, a partner at Morgan Lewis and leader of the firm’s energy practice group. “We were on the ground floor of the evolution of cybersecurity standards.”
As other sectors, such as pipelines and water and wastewater utilities, have found themselves vulnerable and subject to standards, Ramadevanahalli applied the analytical side of his brain with his ability to shape an argument and narrative on behalf of companies operating in those areas.
“A lot of the work that he does requires that sort of on-the-ground working solution and trying to find a solution with the client—and he’s very good at that,” Spina said.
Today, Ramadevanahalli regularly works with pipeline owners and operators to protect against ransomware attacks, develop and implement cybersecurity contingency and recovery plans, and conduct cybersecurity architecture design review.
A few years ago, Ramadevanahalli attended a cybersecurity audit the Federal Energy Regulatory Commission was conducting at an undisclosed electric utility facility owned by one of his clients. The federal officials, he said, were skeptical that the utility’s information technology tools met requirements.
Ramadevanahalli stepped in to, first, grasp the inner workings of the technology and, second, turn to regulators to explain how it exceeded requirements. It was a rewarding experience, he said, that moved the needle on what regulators understood and what companies felt comfortable explaining.
“Ultimately, we did convince them what we were doing was better—and above and beyond what the regulations called for,” he said. “Sometimes, fitting what they’re doing into what the regulators are expecting can be a little bit tricky.”
He expects regulators to broaden their scrutiny beyond pipelines to sectors such as water and wastewater systems and freight railroad carriers. This year, officials with the Federal Energy Regulatory Commission and Energy Department suggested creating a NERC-like agency to enforce mandatory reliability standards for the country’s energy pipelines. Congress has pressed for legislation to require critical infrastructure companies to report incidents to the government.
The TSA has indicated it’s moving to a public rulemaking for its emergency standards as soon as this year, and Ramadevanahalli has his work cut out for him.
“The regulator and the industry, they’re trying to drive towards the same thing,” he said.