Analysis: Cyberattack exposes lack of required defenses on U.S.
pipelines
Send a link to a friend
[May 12, 2021] By
Timothy Gardner
WASHINGTON (Reuters) - The shutdown of the
biggest U.S. fuel pipeline by a ransomware attack highlights a systemic
vulnerability: Pipeline operators have no requirement to implement cyber
defenses.
The U.S. government has had robust, compulsory cybersecurity protocols
for most of the power grid for about 10 years to prevent debilitating
hacks by criminals or state actors.
But the country's 2.7 million miles (4.3 million km) of oil, natural gas
and hazardous liquid pipelines have only voluntary measures, which
leaves security up to the individual operators, experts said.
"Simply encouraging pipelines to voluntarily adopt best practices is an
inadequate response to the ever-increasing number and sophistication of
malevolent cyber actors," Richard Glick, the chairman of the Federal
Energy Regulatory Commission (FERC), said.
While no proposal of specific measures has been put forward, protections
could include requirements for encryption, multifactor authentication,
backup systems, personnel training and segmenting networks so access to
the most sensitive elements can be restricted.
FERC's authority to impose cyber standards on the electric grid came
from a 2005 law but it does not extend to pipelines.
Colonial Pipeline, the largest U.S. oil products pipeline and source of
nearly half the supply on the East Coast, has been shut since Friday
after a ransomware attack the FBI attributed to DarkSide, a group cyber
experts believe is based in Russia or Eastern Europe.
The outage has led to higher gasoline prices in the U.S. South and
worries about wider shortages and potential price gouging ahead of the
Memorial Day holiday.
Colonial did not immediately respond to a query about whether
cybersecurity standards should be mandatory.
The American Petroleum Institute lobbying group said it was talking with
the Transportation Security Administration (TSA), the Energy Department
and others to understand the threat and mitigate risk.
THIN STAFFING
Cyber oversight of pipelines falls to the TSA, an office of the
Department of Homeland Security (DHS), which has provided voluntary
security guidelines to pipeline companies.
But a 2019 report by the General Accountability Office, the
congressional watchdog, said that the TSA only had six full-time
employees in its pipeline security branch through 2018, which limited
the office's reviews of cybersecurity practices.
[to top of second column] |
Holding tanks are seen in an aerial photograph at Colonial
Pipeline's Dorsey Junction Station in Woodbine, Maryland, U.S. May
10, 2021. REUTERS/Drone Base
The TSA did not immediately respond to a request for comment on current staffing
and whether it recommends mandatory measures for pipelines.
When asked by reporters whether the Biden administration would put in place
rules, DHS Secretary Alejandro Mayorkas said it was discussing administrative
and legislative options to "raise the cyber hygiene across the country."
President Joe Biden is hoping Congress will pass a $2.3 billion infrastructure
package, and pipeline requirements could be put into that legislation. But
experts said there was no quick fix.
"The hard part is who do you tell what to do and what do you tell them to do,"
Christi Tezak, an analyst at ClearView Energy Partners, said.
The power grid is regulated by FERC, and mostly organized into nonprofit
regional organizations. That made it relatively easy for legislators to put
forward the 2005 law that allows FERC to approve mandatory cyber measures.
A range of public and private companies own pipelines. They mostly operate
independently and lack a robust federal regulator.
Their oversight falls under different laws depending on what they carry.
Products include crude oil, fuels, water, hazardous liquids and - potentially -
carbon dioxide for burial underground to control climate change. This diversity
could make it harder for legislators to impose a unified requirement.
Tristan Abbey, a former aide to Republican Senator Lisa Murkowski who worked at
the White House national security council under former President Donald Trump,
said Congress is both the best and worst way to tackle the problem.
"Legislation may be necessary when jurisdiction is ambiguous and agencies lack
resources," said Abbey, now president of Comarus Analytics LLC.
But a bill should not be seen as a magic wand, he said. "Standards may be part
of the answer, but federal regulations need to mesh with state requirements
without stifling innovation."
(Reporting by Timothy Gardner; Editing by Cynthia Osterman)
[© 2021 Thomson Reuters. All rights
reserved.] Copyright 2021 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content. |