US pipeline hack revives cybersecurity focus: Update

  • Coal, Crude oil, Electricity, Natural gas, Oil products
  • 21/05/10

Adds comments from FERC chairman.

A ransomware attack that halted operations on the 5,500-mile Colonial Pipeline fuel system has reignited debate about whether the federal government should change its cybersecurity oversight for critical energy infrastructure.

The pipeline attack highlights the need for the US to set mandatory cybersecurity standards for oil and gas pipelines, US Federal Energy Regulatory Commission (FERC) chairman Richard Glick and commissioner Allison Clements said today. Standards are needed to protect infrastructure on which the US depends.

"It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," the two Democratic FERC appointees said. "Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors."

Federal oversight of pipeline security resides primarily with the Transportation Security Administration (TSA), which employed roughly 50,000 airport screeners but just six full-time staff in its Pipeline Security Branch as of fiscal year 2018. But critics argue TSA lacks the expertise to adequately protect pipelines. FERC member Neil Chatterjee, a Republican, on 8 May said the US should "rethink the TSA voluntary approach to cybersecurity."

Cybersecurity experts have warned for years that the government and private companies are failing to adequately protect US critical energy infrastructure, given the risk that a major attack could disrupt or damage facilities for weeks or months. TSA has developed security guidelines for pipeline operators but they remain voluntary.

Pipeline operators have resisted mandatory cybersecurity rules because of concerns they could go out of date quickly. The industry has also warned that proposals to shift pipeline security oversight outside of the TSA, which is part of the US Department of Homeland Security, could create more problems than they solve if they subject pipelines to overlapping standards.

"What would not be helpful and what we want to avoid no matter what is multiple agencies with overlapping or conflicting authorities," an industry official said.

Pipeline industry groups said they were waiting for more details on the attack. The Association of Oil Pipelines said it would engage in policy discussions as it learns more about what happened and the "lessons for industry to be learned." The Interstate Natural Gas Association of America (INGAA) said it would work with federal agencies to strengthen cybersecurity.

"To be effective, government programs and standards must be nimble enough to adapt to continually-evolving threats, leveraging public-private collaboration and two-way information sharing," INGAA said.

The TSA's Pipeline Security Branch came under criticism in 2018, when the US Government Accountability Office issued a report raising concerns about its staffing levels and limited expertise in cybersecurity. The TSA said today it has added staff and worked with pipeline operators on cybersecurity, but it declined to answer questions about staffing levels.

The federal government is taking some steps to encourage companies to harden their systems against attacks. FERC late last year proposed rules to offer rate-based incentives for public electric utilities that make investments in cybersecurity, such as installing new hardware, expanding worker training and conducting risk assessments.

President Joe Biden said his administration was taking the ransomware attack seriously and aimed to disrupt hacking networks, as he argued that his $2.3 trillion infrastructure plan would offer funds to help "safeguard" critical infrastructure. White House officials today said they were looking into whether to provide guidance to companies on whether to pay ransom to hackers.

"Typically that is a private sector decision, and the administration has not offered further advice at this time," US deputy national security adviser for cyber Anne Neuberger said. "Given the rise in ransomware, that is one area we are definitely looking at now, to say what should be the government's approach to ransomware actors and ransoms overall."

