The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast’s fuel supply this month — an incident that highlighted the vulnerability of critical infrastructure to online attacks.
The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.
The ransomware attack that led Colonial Pipeline to shutter its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation’s capital. Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel. Colonial’s chief executive has said the company paid $4.4 million to foreign hackers to release its systems.
The cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, said the officials.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”
That TSA handles pipeline security at all is an artifact of the post-Sept. 11, 2001, reorganization of the federal government. Originally, the Department of Transportation oversaw pipelines, which were seen as a mode of transportation — whether conveying fuel, gas or chemicals. Then in 2002, responsibility for pipeline security was moved to the newly created TSA, which was given statutory authority to secure surface transportation. DOT, however, still is in charge of safety of the actual pipes — or ensuring they do not fail.
TSA, though, mostly focused on physical security of pipelines, safeguarding them against terrorist attacks or sabotage. It was only in 2010 that the first set of cyber-related guidelines was issued. The guidelines were updated in 2018 but still fall far short of what many experts say is needed.
Most critical infrastructure sectors — whether dams, health care or wastewater systems — do not have mandatory cyber standards. A handful do, including bulk electric power and nuclear plants. A congressional effort to institute mandatory requirements in 2012 failed in the face of strong U.S. Chamber of Commerce opposition.
TSA’s new security directive will require pipeline companies to report cyber incidents to TSA and CISA and to have a cyber official — such as a chief information security officer — with a 24/7 direct line to TSA and CISA to report an attack. It will also require companies to assess the security of their systems as measured against existing cyber guidelines; fixing any gaps is currently voluntary.
“This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” said a senior DHS official, who spoke on the condition of anonymity because the directives have not been issued yet.
The new rules, expected in the coming weeks, will require companies to correct any problems and address shortcomings or face financial penalties, officials said. They will represent a marked shift for TSA, which has relied on collaboration with, rather than mandatory requirements on, pipeline companies.
The current TSA guidelines lay out security measures, such as reviewing remote network connections periodically. A preferable approach, experts say, would be “performance-based,” specifying for instance, that the goal of reviewing such connections is to ensure a hacker cannot break into an industrial control system. The idea is to specify key objectives for the company, allowing it to innovate and keep up with technology to accomplish the goals, experts said.
The regulatory push comes amid growing debate over how the government should hold companies accountable for securing critical pieces of U.S. infrastructure against cyber threats. Since the attack on Colonial Pipeline, the Biden administration and members of Congress have openly criticized the lack of strict cybersecurity regulations for gas and oil pipeline operators, while industry representatives have argued for a cautious approach to new regulations.
TSA’s plan to make cybersecurity standards mandatory could mollify some critics who have argued that voluntary standards failed to incentivize companies to invest adequately in security. The TSA’s planned rulemaking, however, is likely to draw criticism from some lawmakers who say the agency lacks the expertise and resources to take on a bigger policing role that is more suited to the Energy Department.
In particular, the patchwork of federal regulations overseen by disparate agencies, including the Energy Department and Coast Guard, is likely to become more intricate with TSA joining the mix. Already, the Energy Department oversees cyber regulations for bulk electric providers, and DHS enforces rules for physical and cybersecurity in chemical plants. So now, a pipeline carrying chemicals, or a utility company that owns natural gas pipelines and electric plants, could be required to obey two sets of cyber rules.
“Any cyber standards that we implement must be harmonious with the other security regulations currently applicable to industry,” said Brian Harrell, a former DHS assistant secretary for infrastructure protection. “Let’s not have six sets of books that regulate one way on Monday, and another way on Tuesday.”
There are more than 2.7 million miles of pipeline in the United States. Roughly 216,000 miles carry hazardous liquids including crude oil, diesel fuel, gasoline and jet fuel. Currently there are more than 3,000 pipeline companies.
Concern has risen over the years about the pipeline system’s vulnerability to cyberattacks. A major campaign of cyber intrusions against natural gas pipeline companies in 2011 and 2012 spooked the industry, and led to efforts by TSA and the industry to update the standards.
But their voluntary nature meant, for instance, that a company could decline TSA’s offer to review its security regime. In 2018, the agency began conducting “validated architecture design reviews,” an effort to increase the effectiveness of companies’ cyber response capabilities. The reviews were created in partnership with CISA and the Idaho National Laboratory.
One challenge TSA will face as a regulator is a lack of trained staff to handle audits and enforcement. In 2014, its pipeline security division had dwindled to one staffer, and in 2019, officials testified, it still had only five. To rectify that, DHS is planning to have CISA, the department’s cybersecurity agency, work with TSA to enforce the new rules, officials said. They are also planning to hire more staff: 16 at TSA and 100 at CISA.
“The TSA is a great organization that has kept the flying public safe over the years,” Harrell said. “However, the TSA does not currently have the expertise or resources to manage a robust mandatory pipeline security compliance regime.”
Congress, he said, needs to “step up to the plate” and give TSA the resources it needs to be an effective regulator.
Industry has for some time seen the regulatory writing on the wall. In anticipation, some groups, such as the American Gas Association and American Petroleum Institute, have collaborated on voluntary standards to prime their members, industry representatives said.
The Colonial Pipeline attack made the prospect of regulation all the more likely.
In the incident’s wake, the chairman of the Federal Energy Regulatory Commission, Richard Glick, called for mandatory cybersecurity standards. FERC, in coordination with the private sector North American Electric Reliability Corporation, has enforced mandatory cyber standards for the bulk electric system. “It’s time,” he said, for the pipeline sector to have similar standards.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” he said.
Energy Secretary Jennifer Granholm recently testified that mandatory cyber rules for pipelines may be needed. And last week, AGA’s board of directors approved a resolution to support “reasonable” cybersecurity regulations.
Leaders of the House Energy and Commerce Committee have argued that the Energy Department, not TSA, is the best agency to oversee pipeline security, and they recently reintroduced a measure that they said would strengthen the department’s ability to respond to physical and cybersecurity threats.
But counterparts on the House Homeland Security Committee argue that TSA knows pipelines, while Energy does not. They reintroduced a measure that would make clear that TSA oversees pipeline security. Moreover, they note, TSA, unlike the Energy Department, already has the authority to set and enforce mandatory rules.
Douglas MacMillan contributed to this report.