Hack Prompts New Security Regulations for US Pipelines

Hack Prompts New Security Regulations for US Pipelines
Holding tanks are pictured at Colonial Pipeline's Linden Junction Tank Farm in Woodbridge, N.J., on May 10, 2021. (Hussein Waaile/Reuters)
The Associated Press

WASHINGTON—The federal government will issue cybersecurity regulations in the coming days for U.S. pipeline operators following a ransomware attack that led to fuel shortages across much of the Eastern Seaboard.

The Transportation Security Administration (TSA), which oversees the nation’s network of pipelines, is expected to issue a security directive this week that will address some of the issues raised by the Colonial Pipeline shutdown, a U.S. official said Tuesday.

The directive will include a requirement that pipeline companies report cyber incidents to the federal government, said the official, speaking on condition of anonymity because the proposal has not yet been publicly released.

It addresses, to an extent, the ransomware attack that led to the shutdown of the pipeline this month, but it also reflects a broader Biden administration focus on cybersecurity after a series of damaging intrusions by overseas hackers.

The Department of Homeland Security declined to confirm any specifics of the pending directive, issuing a statement that said TSA and another component of the agency, the Cybersecurity and Infrastructure Agency, are working with private companies to address cyber threats. “The Biden Administration is taking further action to better secure our nation’s critical infrastructure,” it said.

The directive, first reported by The Washington Post, is expected to prompt concern, if not outright opposition, from private operators wary of increased government regulation.

The American Petroleum Institute, which represents the oil and gas industry, said in a statement that its members are working with the administration to develop reporting policies and that any new regulations should include “reciprocal information sharing and liability protections.”

Mark Montgomery, a senior fellow at the Foundation for the Defense of Democracies and former executive director of the congressionally mandated Cyberspace Solarium Commission, said federal officials have told him the pipeline order will have two stages.

The first will immediately mandate that any cybersecurity incidents are reported to the federal government, while the second, coming later, would require that pipeline companies complete a self-assessment of their cybersecurity systems for known vulnerabilities.

“It’s a good step,” Montgomery said. “But we need this applied more broadly so that all our national critical infrastructure is at a higher level.”

Homeland Security Secretary Alejandro Mayorkas delivers remarks while visiting a FEMA community vaccination center in Philadelphia, Pa., on March 2, 2021. (Mark Makela/Getty Images)
Homeland Security Secretary Alejandro Mayorkas delivers remarks while visiting a FEMA community vaccination center in Philadelphia, Pa., on March 2, 2021. (Mark Makela/Getty Images)

DHS Secretary Alejandro Mayorkas, speaking earlier at a news conference about the recovery in domestic air travel as the pandemic eases in the United States, did not mention the security directive but said his agency was working with the private sector to improve “cyber hygiene” to prevent attacks and ensure that businesses can more easily withstand them if their defenses fail.

“I have spoken well before the pipeline cyber attack that ransomware is one of the greatest cyber security threats that we face in the United States,” Mayorkas said.

There are more than 2.7 million miles of pipeline transporting oil, other liquids, and natural gas around the United States. Members of Congress have expressed concern about the potential risk to this network, which has grown in recent years with increasing reliance on computerized systems and electronic data that are vulnerable to cyber attacks and intrusion.

The extent of the risk became apparent when Colonial Pipeline was targeted in a ransomware attack that prompted the company to shut down a system that delivers about 45 percent of the gasoline consumed on the East Coast. The halt to fuel supplies for nearly a week led to panic-buying and shortages at gas stations from Washington, D.C., to Florida.

The company, based in Alpharetta, Georgia, later disclosed it paid a ransom of $4.4 million to retrieve access to its data from the gang of hackers who broke into its computer systems.

The FBI has linked the ransomware to a Russian-speaking criminal syndicate known as DarkSide. President Joe Biden has said the administration has strong reason to believe the criminals are living in Russia.

“While the Colonial Pipeline attack shows there is much more work to be done to protect the nation’s pipelines and other critical infrastructure from cyber attacks, this TSA security directive is a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately,” said Rep. Bennie Thompson, a Mississippi Democrat who chairs the House Homeland Security Committee.

By Ben Fox