Feds eye more oversight of pipelines after Colonial attack

Feds eye more oversight of pipelines after Colonial attack
© Getty Images

The Biden administration and Capitol Hill are taking a closer look at the security in place for critical oil and gas utilities following the Colonial Pipeline shutdown.

Some officials have indicated that the ransomware attack on a pipeline that provides almost half of the East Coast's energy may have unfolded as it did due to the relative lack of federal oversight of pipelines compared to other utilities.

“I think it’s pretty stunning that a company carrying 45 percent of gas and jet fuel to the East Coast was able to fall victim,” said Kiersten Todt, executive director of a White House cybersecurity commission during the Obama administration.


“It creates an urgent action to seriously look at how government and industry are working together to create minimum security standards,” Todt, who now serves as managing director of the Cyber Readiness Institute, told The Hill on Tuesday.

President BidenJoe BidenBiden authorizes up to 0M for Afghan refugees Poll: 73 percent of Democratic voters would consider voting for Biden in the 2024 primary Biden flexes presidential muscle on campaign trail with Virginia's McAuliffe MORE on Monday addressed the hack and said his administration would soon begin 100-day initiatives focused on improving the cybersecurity of natural gas pipelines, water and other critical sectors. Administration officials began a similar effort earlier this year focused on electricity security.

“My administration is committed to safeguarding our critical infrastructure, much of which is privately owned and managed like Colonial,” Biden said at the White House. “Private entities are making their own determinations on cybersecurity.”

The Colonial Pipeline hack has shined a light on long standing concerns around private industry owning and operating the vast majority of the nation’s critical infrastructure, often leading to less transparency for the federal government into security operations.

It has also raised concerns that the oil and gas sector has less oversight than other utilities.

In the wake of the ransomware attack on the pipeline — carried out by a criminal organization known as DarkSide, according to the FBI — officials are taking a closer look at the sector.


Two leaders of the Federal Energy Regulatory Commission (FERC), which regulates oil transportation pipelines, are calling for mandatory security standards for the industry.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” FERC Chairman Richard Glick and Commissioner Allison Clements said in a joint statement Monday.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” they said. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

When asked about potential mandatory standards, Homeland Security Secretary Alejandro MayorkasAlejandro MayorkasHillicon Valley: Amazon employees petition company to investigate discrimination allegations | ACLU calls for investigation into Alaska official over tweets | Electric cars to outsell combustion vehicles by 2036 Hillicon Valley: Democrats introduce bill to hold platforms accountable for misinformation during health crises | Website outages hit Olympics, Amazon and major banks Biden administration stokes frustration over Canada MORE told reporters at the White House on Tuesday that the administration was discussing the idea of some further oversight.

“Our conversations within the administration are ongoing and have been underway with respect to what measures we need to take both administratively and of course in a companion effort in the legislature to see how we can raise the cyber hygiene across the country,” Mayorkas said.

Energy Secretary Jennifer GranholmJennifer GranholmOVERNIGHT ENERGY: Western wildfires prompt evacuations in California, Oregon| House passes bill requiring EPA to regulate 'forever chemicals' in drinking water | Granholm announces new building energy codes Granholm announces new building energy codes Annual Energy Department report finds slight recovery in energy industry jobs MORE, whose agency is leading the federal response to the attack, told reporters that the incident “certainly is a reminder that we need to take a hard look at how we need to harden our necessary infrastructure, and that includes cyber threats.”

The Biden administration is not alone in seeking more federal oversight and security support for pipeline operators.

House Homeland Security Committee ranking member John KatkoJohn Michael KatkoSenators introduce bipartisan bill to secure critical groups against hackers House erupts in anger over Jan. 6 and Trump's role McCarthy yanks all GOP picks from Jan. 6 committee MORE (R-N.Y.) on Tuesday sent a letter to the Cybersecurity and Infrastructure Security Agency, one of the key federal entities investigating the attack, asking questions around its Pipeline Cybersecurity Initiative. The program is voluntary and allows for assessments of pipeline assets.

“In the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth, and effectiveness of the Pipeline Cybersecurity Initiative is more important than ever before,” Katko wrote.

Several other key lawmakers also expressed support for more oversight of the sector and for investing more in federal cybersecurity generally.

“The Colonial Pipeline hack has once again exposed the glaring vulnerabilities in our transportation and energy sectors,” Rep. Jim LangevinJames (Jim) R. LangevinCybersecurity bills gain new urgency after rash of attacks Senate unanimously approves Jen Easterly to lead DHS cyber agency Hackers zero in on Tokyo Olympics MORE (D-R.I.), chairman of the House Armed Services Committee’s cybersecurity panel, said in a statement provided to The Hill. “To start, Congress must appropriate $400 million in additional funding for CISA, which plays such a crucial role defending American interests in cyberspace.”

“But I also want to hear from TSA, which is the federal agency in charge of our nation’s pipeline security, to learn more about their plans to prevent future incidents like this from ever happening again,” he said.

The Transportation Security Administration is one of several agencies with jurisdiction over interstate pipelines.

Rep. Yvette ClarkeYvette Diane ClarkeHouse passes host of bills to strengthen cybersecurity in wake of attacks Haiti Caucus: Forging path out of crisis will not be quick, but necessary to avoid false 'democracy' US lawmakers express shock at Haitian president's assassination MORE (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill in a separate statement Tuesday that she planned to hold hearings on the Colonial Pipeline ransomware attack and the federal response.

She noted that the attack “is a disturbing reminder of the potential for malicious cyber actors to wreak havoc on critical infrastructure. I look forward to a comprehensive investigation into the nature of this attack and swiftly bringing justice to all parties involved.”

Additionally, House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and the panel's energy subcommittee chairman, Rep. Bobby RushBobby Lee RushHouse passes host of bills to strengthen cybersecurity in wake of attacks OVERNIGHT ENERGY: Democrats lay out vision for Civilian Climate Corps | Manchin to back controversial public lands nominee | White House details environmental justice plan Democrats lay out vision for Civilian Climate Corps MORE (D-Ill.), announced Tuesday that Granholm will testify before the full committee next week on issues including the Colonial Pipeline attack.

“We look forward to discussing the cyberattack on Colonial Pipeline, what steps must be taken to prevent future attacks, and the Energy Department’s overall plans to support our nation’s transition to a safer, more equitable, and more sustainable energy future," Pallone and Rush said in a joint statement.

Todt stressed that while she would support the oil and gas sector having more oversight and guidance on cybersecurity, securing all critical utilities against attacks was essential too, as all have increasingly come under attack.

“What this example shows us is that in fact there does need to be more close collaboration on what has to be done,” Todt said. “The point needs to be the same and the destination needs to be the same, there has to be a baseline level of cybersecurity.”