(Reuters) – The shutdown of the largest U.S. fuel pipeline by a ransomware attack highlights a systemic vulnerability: pipeline operators are under no federal requirement to implement cyber defenses.
The U.S. government has had robust, mandatory cybersecurity standards for most of the power grid for about ten years, intended to prevent debilitating hacks by criminals or state actors.
But the country's 2.7 million miles of oil, natural gas and hazardous liquid pipelines are covered only by voluntary measures, leaving security up to individual operators, experts said.
"Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malicious cyber actors," said Richard Glick, chairman of the Federal Energy Regulatory Commission.
Although no specific proposal has been put forward, mandatory protections could include requirements for encryption, multifactor authentication, backup systems, staff training and network segmentation so that access to the most sensitive systems can be restricted.
The FERC's authority to impose cyber standards on the grid comes from a 2005 law, but that law does not cover pipelines.
Colonial Pipeline, the largest U.S. fuel pipeline and the source of nearly half of the East Coast's supply, has been shut down since Friday following a ransomware attack that the FBI attributed to DarkSide, a cybercriminal group believed to be based in Russia or Eastern Europe.
The outage has led to higher gasoline prices in the southern United States and to concerns about major shortages and further price increases ahead of the Memorial Day holiday.
Colonial did not immediately respond to a question as to whether cybersecurity standards should be mandatory.
The American Petroleum Institute, an industry lobby group, said it had spoken with the Transportation Security Administration, the Energy Department and others to understand the threat and reduce the risk.
Cybersecurity oversight of pipelines falls to the TSA, an agency of the Department of Homeland Security, which has issued voluntary security guidelines to pipeline companies.
However, a 2019 report from the Government Accountability Office, the congressional watchdog, said that the TSA had only six full-time employees in its pipeline security branch as of 2018, which limited the agency's review of cybersecurity practices.
The TSA did not immediately respond to a request for comment on current staffing and whether it recommends mandatory measures for pipelines.
Asked by journalists if the Biden administration would impose rules, DHS secretary Alejandro Mayorkas said it was discussing administrative and legislative options to "increase cyber hygiene across the country."
President Joe Biden hopes Congress will approve a $2.3 trillion infrastructure package, and pipeline requirements could be added to that legislation. But experts said there was no quick fix.
"The most difficult thing is who do you tell what to do and what do you tell them to do," said Christi Tezak, an analyst at ClearView Energy Partners.
The power grid is regulated by the FERC and is mostly organized into non-profit regional organizations. That made it relatively easy for legislators to pass the 2005 law allowing the FERC to approve mandatory cyber measures.
A number of public and private companies own pipelines. They operate mostly independently and lack a robust federal regulator.
Their oversight falls under different laws depending on what they carry. The products include crude oil, fuels, water, hazardous liquids and – potentially – carbon dioxide destined for underground storage to combat climate change. This diversity can make it more difficult for legislators to introduce a uniform requirement.
Tristan Abbey, a former aide to Republican Senator Lisa Murkowski who served on the White House National Security Council under former President Donald Trump, said Congress is both the best and the worst way to tackle the problem.
"Legislation may be necessary when jurisdiction is ambiguous and agencies lack resources," said Abbey, now CEO of Comarus Analytics LLC.
But a bill should not be seen as a magic wand, he said. "Standards may be part of the answer, but federal regulations must be included in government requirements without stifling innovation," he said.