Cybersecurity

Feds eye more oversight of pipelines after Colonial attack

The Biden administration and Capitol Hill are taking a closer look at the security in place for critical oil and gas utilities following the Colonial Pipeline shutdown.

Some officials have indicated that the ransomware attack on a pipeline that provides almost half of the East Coast’s energy may have unfolded as it did due to the relative lack of federal oversight of pipelines compared to other utilities.

“I think it’s pretty stunning that a company carrying 45 percent of gas and jet fuel to the East Coast was able to fall victim,” said Kiersten Todt, executive director of a White House cybersecurity commission during the Obama administration.

“It creates an urgent action to seriously look at how government and industry are working together to create minimum security standards,” Todt, who now serves as managing director of the Cyber Readiness Institute, told The Hill on Tuesday.

President Biden on Monday addressed the hack and said his administration would soon begin 100-day initiatives focused on improving the cybersecurity of natural gas pipelines, water and other critical sectors. Administration officials began a similar effort earlier this year focused on electricity security.

“My administration is committed to safeguarding our critical infrastructure, much of which is privately owned and managed like Colonial,” Biden said at the White House. “Private entities are making their own determinations on cybersecurity.”

The Colonial Pipeline hack has shined a light on long standing concerns around private industry owning and operating the vast majority of the nation’s critical infrastructure, often leading to less transparency for the federal government into security operations.

It has also raised concerns that the oil and gas sector has less oversight than other utilities.

In the wake of the ransomware attack on the pipeline — carried out by a criminal organization known as DarkSide, according to the FBI — officials are taking a closer look at the sector.

Two leaders of the Federal Energy Regulatory Commission (FERC), which regulates oil transportation pipelines, are calling for mandatory security standards for the industry.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” FERC Chairman Richard Glick and Commissioner Allison Clements said in a joint statement Monday.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” they said. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

When asked about potential mandatory standards, Homeland Security Secretary Alejandro Mayorkas told reporters at the White House on Tuesday that the administration was discussing the idea of some further oversight.

“Our conversations within the administration are ongoing and have been underway with respect to what measures we need to take both administratively and of course in a companion effort in the legislature to see how we can raise the cyber hygiene across the country,” Mayorkas said.

Energy Secretary Jennifer Granholm, whose agency is leading the federal response to the attack, told reporters that the incident “certainly is a reminder that we need to take a hard look at how we need to harden our necessary infrastructure, and that includes cyber threats.”

The Biden administration is not alone in seeking more federal oversight and security support for pipeline operators.

House Homeland Security Committee ranking member John Katko (R-N.Y.) on Tuesday sent a letter to the Cybersecurity and Infrastructure Security Agency, one of the key federal entities investigating the attack, asking questions around its Pipeline Cybersecurity Initiative. The program is voluntary and allows for assessments of pipeline assets.

“In the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth, and effectiveness of the Pipeline Cybersecurity Initiative is more important than ever before,” Katko wrote.

Several other key lawmakers also expressed support for more oversight of the sector and for investing more in federal cybersecurity generally.

“The Colonial Pipeline hack has once again exposed the glaring vulnerabilities in our transportation and energy sectors,” Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services Committee’s cybersecurity panel, said in a statement provided to The Hill. “To start, Congress must appropriate $400 million in additional funding for CISA, which plays such a crucial role defending American interests in cyberspace.”

“But I also want to hear from TSA, which is the federal agency in charge of our nation’s pipeline security, to learn more about their plans to prevent future incidents like this from ever happening again,” he said.

The Transportation Security Administration is one of several agencies with jurisdiction over interstate pipelines.

Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill in a separate statement Tuesday that she planned to hold hearings on the Colonial Pipeline ransomware attack and the federal response.

She noted that the attack “is a disturbing reminder of the potential for malicious cyber actors to wreak havoc on critical infrastructure. I look forward to a comprehensive investigation into the nature of this attack and swiftly bringing justice to all parties involved.”

Additionally, House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and the panel’s energy subcommittee chairman, Rep. Bobby Rush (D-Ill.), announced Tuesday that Granholm will testify before the full committee next week on issues including the Colonial Pipeline attack.

“We look forward to discussing the cyberattack on Colonial Pipeline, what steps must be taken to prevent future attacks, and the Energy Department’s overall plans to support our nation’s transition to a safer, more equitable, and more sustainable energy future,” Pallone and Rush said in a joint statement.

Todt stressed that while she would support the oil and gas sector having more oversight and guidance on cybersecurity, securing all critical utilities against attacks was essential too, as all have increasingly come under attack.

“What this example shows us is that in fact there does need to be more close collaboration on what has to be done,” Todt said. “The point needs to be the same and the destination needs to be the same, there has to be a baseline level of cybersecurity.”