White House ruffles pipeline sector with cyber rules

US president Joe Biden has rolled out requirements for oil and gas pipelines to boost their defences against cyberattacks, frustrating operators who see the mandates as poorly designed and technically infeasible in some cases.

The fast-tracked push for compliance with dozens of new requirements has distressed pipeline firms, who have grown accustomed to a hands-off government oversight structure that afforded them flexibility to decide which cybersecurity precautions to employ. The industry says the orders could require them to replace key equipment, sometimes on timelines that coincide with the winter heating season, when gas pipelines run close to maximum capacity.

But the White House is holding firm on what it acknowledges are "very aggressive" compliance deadlines, as it tries to avoid a repeat of the type of cyberattack that shut the 2.5mn b/d Colonial Pipeline in May and led to fuel shortages. Washington last month alleged that state-sponsored Chinese hackers penetrated 13 US oil and gas pipelines in 2011-13, in an "intrusion campaign" that was probably intended to help Beijing develop its cyberattack capabilities. Given the risk of more attacks by cybercriminals and state-sponsored hackers, "we do think the security issue is immediate and requires immediate action", security agency TSA administrator David Pekoske told lawmakers in July.

The TSA has so far issued two cybersecurity orders for the 100 most "critical" oil and gas pipelines in the US. The first focuses on information gathering, while the second lays out specific requirements and took effect on 26 July. The contents of the second order are confidential, but industry officials say it includes 80 prescriptive rules with deadlines ranging from weeks to months. Washington tapped special authorities to fast-track the order, avoiding the time-consuming public comment process required for issuing most federal regulations.

But industry officials say that the TSA's haste to issue rules meant it relied upon generic regulations that are, in some cases, infeasible for pipelines. "It is requiring capabilities of technology that does not have those capabilities," Association of Oil Pipe Lines vice-president of government relations John Stoody says. A broader industry concern is that these prescriptive regulations are tailored to attacks that have already occurred, rather than newer tactics. Some pipeline industry officials have relayed these issues to their representatives. "They say that the directive could require them to replace thousands of pieces of equipment all over the country," Tennessee senator Marsha Blackburn says.

Pipeline industry officials are now making the case for the TSA to revise the second security order and offer additional time to comply. Gas pipeline group INGAA says the directive would be improved by allowing operators to base cybersecurity protections on specific pipelines' configurations and risks.

Need for speed

The White House says it is aware of industry concerns but sees them as manageable, given that the flexibility in its directives allows operators to prepare alternative compliance procedures. Government officials say they tried to incorporate industry feedback but at some point felt they had to act. "I would submit that speed is really important here," TSA's Pekoske says. Some Republicans who are keen to avoid fuel supply disruptions welcome this approach. "I think government should be nimble in situations like this," Mississippi senator Roger Wicker says.

The US is pursuing further cybersecurity initiatives. Biden signed a memorandum on 28 July that encourages firms with industrial control systems to voluntarily boost cyber defences. And a huge infrastructure bill under debate in Congress offers $50bn to make infrastructure more resilient to climate change and cyberattacks.

By Chris Knight