
Feds eye more oversight of pipelines after Colonial attack


The Biden administration and Capitol Hill are taking a closer look at the security in place for critical oil and gas utilities following the Colonial Pipeline shutdown.

Some officials have indicated that the ransomware attack on a pipeline that provides almost half of the East Coast's energy may have unfolded as it did due to the relative lack of federal oversight of pipelines compared to other utilities.

“I think it’s pretty stunning that a company carrying 45 percent of gas and jet fuel to the East Coast was able to fall victim,” said Kiersten Todt, executive director of a White House cybersecurity commission during the Obama administration.


“It creates an urgent action to seriously look at how government and industry are working together to create minimum security standards,” Todt, who now serves as managing director of the Cyber Readiness Institute, told The Hill on Tuesday.

President Biden on Monday addressed the hack and said his administration would soon begin 100-day initiatives focused on improving the cybersecurity of natural gas pipelines, water and other critical sectors. Administration officials began a similar effort earlier this year focused on electricity security.

“My administration is committed to safeguarding our critical infrastructure, much of which is privately owned and managed like Colonial,” Biden said at the White House. “Private entities are making their own determinations on cybersecurity.”

The Colonial Pipeline hack has shined a light on long-standing concerns around private industry owning and operating the vast majority of the nation’s critical infrastructure, often leading to less transparency for the federal government into security operations.

It has also raised concerns that the oil and gas sector has less oversight than other utilities.

In the wake of the ransomware attack on the pipeline — carried out by a criminal organization known as DarkSide, according to the FBI — officials are taking a closer look at the sector.


Two leaders of the Federal Energy Regulatory Commission (FERC), which regulates oil transportation pipelines, are calling for mandatory security standards for the industry.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” FERC Chairman Richard Glick and Commissioner Allison Clements said in a joint statement Monday.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” they said. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

When asked about potential mandatory standards, Homeland Security Secretary Alejandro Mayorkas told reporters at the White House on Tuesday that the administration was discussing the idea of some further oversight.

“Our conversations within the administration are ongoing and have been underway with respect to what measures we need to take both administratively and of course in a companion effort in the legislature to see how we can raise the cyber hygiene across the country,” Mayorkas said.

Energy Secretary Jennifer Granholm, whose agency is leading the federal response to the attack, told reporters that the incident “certainly is a reminder that we need to take a hard look at how we need to harden our necessary infrastructure, and that includes cyber threats.”

The Biden administration is not alone in seeking more federal oversight and security support for pipeline operators.

House Homeland Security Committee ranking member John Katko (R-N.Y.) on Tuesday sent a letter to the Cybersecurity and Infrastructure Security Agency, one of the key federal entities investigating the attack, asking questions around its Pipeline Cybersecurity Initiative. The program is voluntary and allows for assessments of pipeline assets.

“In the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth, and effectiveness of the Pipeline Cybersecurity Initiative is more important than ever before,” Katko wrote.

Several other key lawmakers also expressed support for more oversight of the sector and for investing more in federal cybersecurity generally.

“The Colonial Pipeline hack has once again exposed the glaring vulnerabilities in our transportation and energy sectors,” Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services Committee’s cybersecurity panel, said in a statement provided to The Hill. “To start, Congress must appropriate $400 million in additional funding for CISA, which plays such a crucial role defending American interests in cyberspace.”

“But I also want to hear from TSA, which is the federal agency in charge of our nation’s pipeline security, to learn more about their plans to prevent future incidents like this from ever happening again,” he said.

The Transportation Security Administration is one of several agencies with jurisdiction over interstate pipelines.

Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill in a separate statement Tuesday that she planned to hold hearings on the Colonial Pipeline ransomware attack and the federal response.

She noted that the attack “is a disturbing reminder of the potential for malicious cyber actors to wreak havoc on critical infrastructure. I look forward to a comprehensive investigation into the nature of this attack and swiftly bringing justice to all parties involved.”

Additionally, House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and the panel's energy subcommittee chairman, Rep. Bobby Rush (D-Ill.), announced Tuesday that Granholm will testify before the full committee next week on issues including the Colonial Pipeline attack.

“We look forward to discussing the cyberattack on Colonial Pipeline, what steps must be taken to prevent future attacks, and the Energy Department’s overall plans to support our nation’s transition to a safer, more equitable, and more sustainable energy future,” Pallone and Rush said in a joint statement.

Todt stressed that while she would support the oil and gas sector having more oversight and guidance on cybersecurity, securing all critical utilities against attacks was essential too, as all have increasingly come under attack.

“What this example shows us is that in fact there does need to be more close collaboration on what has to be done,” Todt said. “The point needs to be the same and the destination needs to be the same, there has to be a baseline level of cybersecurity.”