The shutdown of the largest U.S. fuel pipeline after a ransomware attack exposes a systemic weakness: pipeline operators face no requirement to implement cyber defenses.
The U.S. government has had strong, mandatory cybersecurity standards for most of the power grid for about a decade, aimed at preventing debilitating attacks by criminal hackers or state actors.
But the country's roughly 4.3 million kilometers (about 2.7 million miles) of oil, natural gas and hazardous liquids pipelines are covered only by voluntary measures, leaving security in the hands of individual operators, experts said.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the growing number and sophistication of malicious cyber actors,” said Richard Glick, chairman of the Federal Energy Regulatory Commission (FERC).
Protections could include encryption requirements, multifactor authentication, backup systems, staff training, and network segmentation, so that access to the most sensitive systems can be restricted.
FERC's authority to impose cyber standards on the power grid comes from a 2005 law, but that authority does not extend to pipelines.
Colonial Pipeline, the largest fuel pipeline in the United States and the source of nearly half the East Coast's supply, has been shut since Friday after an attack the FBI attributed to DarkSide, a group that cybersecurity experts believe is based in Russia or Eastern Europe.
The outage has pushed up gasoline prices in the southern United States and raised concerns about wider shortages and further price spikes ahead of the Memorial Day holiday.
Colonial did not immediately respond to a question about whether cybersecurity standards should be mandatory.
The American Petroleum Institute, the industry's lobbying group, said it was talking to the Transportation Security Administration (TSA), the Department of Energy and others to understand the threat and mitigate the risk.
Cybersecurity oversight of pipelines falls to the TSA, an agency of the Department of Homeland Security (DHS), which has issued voluntary security guidelines to pipeline companies.
The Government Accountability Office (GAO), Congress's watchdog, said in a 2019 report that the TSA had only six full-time employees in its pipeline security branch until 2018, which limited the agency's reviews of operators' cybersecurity practices.
The TSA said it has since expanded that staff to 34 pipeline and cybersecurity positions. It did not immediately respond to a request for comment on whether it supports mandatory protections.
When reporters asked whether the Biden administration would set rules, DHS Secretary Alejandro Mayorkas said he was discussing administrative and legislative options to "increase cyber hygiene across the country."
President Joe Biden is urging Congress to approve a $2.3 trillion infrastructure package, and pipeline requirements could be folded into that legislation. But experts said there is no quick fix.
“The hardest part is who you tell what to do and what you tell them to do,” said Christi Tezak, an analyst at ClearView Energy Partners.
U.S. Representatives Fred Upton, a Republican, and Bobby Rush, a Democrat, said Wednesday that they have reintroduced legislation that would require the Department of Energy to ensure the security of natural gas and hazardous liquids pipelines. The measure could be included in a broader bill.
The electricity grid is regulated by FERC and is largely organized into regional non-profit bodies, which made it relatively straightforward for lawmakers to pass the 2005 law that lets FERC impose mandatory cyber measures.
Pipelines, by contrast, are owned by a mix of public and private companies that operate largely independently and have no strong federal regulator.
Their oversight falls under different laws depending on what they carry: crude oil, refined fuels, water, hazardous liquids and, potentially, carbon dioxide bound for underground storage to curb climate change. That diversity could make it hard for lawmakers to impose a single, unified requirement.
Tristan Abbey, a former aide to Republican Sen. Lisa Murkowski who served on former President Donald Trump's White House National Security Council, said Congress is both the best and the worst way to address the problem.
“Legislation may be needed when jurisdiction is ambiguous and agencies have no resources,” said Abbey, now president of Comarus Analytics LLC.
But a bill should not be seen as a magic wand, he said.
“Rules may be part of the answer, but federal regulations must match state requirements without stifling innovation.”