In response to the costly cybersecurity breach of the Colonial Pipeline, the pipeline sector has received its first governmental cybersecurity regulation. Issued late last week, the directive is part of the Biden administration’s attempt to shore up national infrastructure after the Colonial shutdown had drastic effects on the national economy.
The attack locked down Colonial’s computer systems and came with a ransom demand; the perpetrator is believed to have been a Russian criminal organization. Although the pipeline operator restored operations within five days, the attack became infamous as the most impactful cyberattack in the history of the United States.
After numerous service stations reported fuel shortages and outages, an emergency order was issued giving the trucking industry leeway for its drivers to work overtime, and fuel was transported to the locations in need. Colonial CEO Joseph Blount paid the $4.4 million ransom demand but indicated that pipeline restoration was so sluggish that a third-party contractor was hired to spearhead the process.
Federal Government Steps In
Before the new regulation took root, little federal oversight existed to mandate cybersecurity requirements for pipelines; the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) provided infrastructure security guidance to U.S. companies, not mandates.
With the new regulations comes a demand for dedicated security personnel. Approximately 100 pipeline operators will now be required to designate a cybersecurity coordinator who is available at all times. Following a model similar to OSHA’s, any breach must be reported to CISA within 12 hours. Failure to comply, according to a senior DHS official who requested anonymity, could yield fines starting at $7,000.
While the directive is new and appears to drop like an anvil on pipeline operators, its effect and validity have already been studied and scrutinized. Robert Cattanach, a partner with the international law firm Dorsey and Whitney, previously served the United States Department of Justice as a trial attorney and currently practices regulatory litigation, including cybersecurity. Having reviewed the directive, he feels more work is needed but that it provides a sufficient start.
“As a result of the industry’s earlier opposition to government regulation, pipeline cyber defenses currently consist only of those self-imposed by that industry sector, and some of the now-mandatory steps are long overdue, such as designating a chief information security officer with a 24/7 direct line to TSA and the Cybersecurity and Infrastructure Security Agency (CISA) to report an attack,” said Cattanach. “The directive further requires each pipeline owner and operator to review their systems according to existing cyber guidelines (more specific regulations are still being developed), identify any gaps, and determine what steps are necessary to remediate current cyber risks. The directive requires that companies report the results to TSA and CISA within 30 days.”
This monumental regulatory action gained traction amid growing criticism and concern over how the government should hold companies accountable for protecting infrastructure components against cyber threats. Since the Colonial incident, the Biden administration has targeted the lack of cybersecurity regulations covering the oil and gas industry.
With the push for new regulations, criticism is expected. The Energy Department presides over cyber regulations for electric providers, while DHS is the enforcing agency for both physical security and cybersecurity at chemical plants. Under the new regulation, a pipeline carrying chemicals, or a utility company that owns both natural gas pipelines and electric plants, could be required to adhere to more than one set of cyber regulations.
“Any cyber standards that we implement must be harmonious with the other security regulations currently applicable to industry,” said Brian Harrell, Assistant Secretary for Infrastructure Protection with the DHS. “Let’s not have six sets of books that regulate one way on Monday and another way on Tuesday.”
Future Security Enhancements
The Transportation Security Administration (TSA), which sits within DHS, directly enforces pipeline security regulations. Scrutiny has surfaced because TSA lacks staff adequately trained to perform auditing and enforcement duties. To cover that gap, DHS plans to have CISA, the department’s cybersecurity agency, work in conjunction with TSA to enforce the new rules and regulations. Additional staff is expected to be hired as well.
“The TSA is a great organization that has kept the flying public safe over the years,” said Harrell. “However, the TSA does not currently have the expertise or resources to manage a robust mandatory pipeline security compliance regime.”
These concerns weigh heavily on expectations for further direction and the future of federal pipeline cybersecurity mandates. While additional regulation is planned, much-needed staff will have to be secured to ensure sufficient adherence.
“The next and more meaningful phase of cyber regulation will include escalating penalties for companies that fail to take corrective action, and more prescriptive regulatory requirements, resulting in significantly greater scrutiny of the pipeline industry by government regulators. Finding the resources to conduct a meaningful review of this industry sector, however, will be challenging. TSA historically has not focused on either cybersecurity or pipelines, and is expected to rely heavily on CISA for the cyber expertise component; it remains unclear how TSA will develop the necessary expertise to oversee the pipeline industry itself,” said Cattanach.