Fuel deliveries to the east coast of the United States have been brought to a standstill by cybercriminals who gained access to Colonial Pipeline’s networks and forced the company to shut down its distribution system. This attack comes on top of a ransomware attack on natural gas infrastructure last year and an explicit warning [PDF] from the Director of National Intelligence in 2019 that China had the ability to disrupt our pipeline infrastructure.
As I have argued before, after two decades of trying to make a voluntary partnership with industry work, this incident demonstrates that neither thoughts, prayers, nor information sharing is sufficient. It is time for the federal government to exercise its existing authority to regulate the cybersecurity of pipelines.
Under the Aviation and Transportation Security Act of 2001 that created the Transportation Security Administration (TSA) and a 2007 law that implemented aspects of the 9/11 Commission Recommendations, the TSA already has the authority necessary to regulate [PDF] pipeline cybersecurity. Yet for twenty years the agency has chosen to take a voluntary approach despite ample evidence that market forces alone are insufficient.
The Trump administration actually reversed long-standing policy positions that favored market forces in cybersecurity matters, arguing in the Department of Homeland Security’s 2018 Cybersecurity Strategy [PDF] that it should “smartly leverage its regulatory authorities in tailored ways.”
To this end, in 2020, DHS and the Department of Transportation (DOT) signed a memorandum [PDF] on jointly managing cybersecurity and other risks to pipelines. The memorandum called for reviewing “…the adequacy of existing standards in the private and public sector, identifying any gaps that should be addressed through rulemaking, guidelines, or directives.”
If that review of the adequacy was not completed by last Friday, the ransom operators behind the Colonial Pipeline attack have done that job for them.
The TSA should move quickly to establish a regulatory regime in cooperation with the DOT, with the goal of producing interim requirements based on existing voluntary guidelines within a short period of time. The TSA has broad authority over transportation security, including pipelines, under the 2001 Transportation Security Act. If the Secretary of Homeland Security finds that a national security threat exists with respect to domestic pipelines, TSA emergency authorities could be used.
While this regulatory regime is being established, the TSA should quickly put in place rules that would allow it to investigate the Colonial Pipeline incident and require other pipelines to report similar incidents to it. This investigation, if practical, should be conducted in partnership with the National Transportation Safety Board, which has authority to investigate pipeline incidents if they result in fatalities or environmental harm. It should also be done in concert with the soon-to-be-established Cyber Incident Review Board that will investigate SolarWinds.
The results of this investigation should then be used to inform the development and revision of cybersecurity standards for pipelines. Improved security will not happen overnight, but even the threat of regulation on the horizon is likely to cause corporate boards at these companies to review their investments and bring in outside firms to ensure that what happened to Colonial Pipeline can’t happen to them.
For its part, Congress should also act on an emergency basis to fund the TSA’s Pipeline Security Program, which is woefully understaffed and historically lacks the requisite expertise.
It may take years to get the pipeline industry to a point where we can have confidence that companies are appropriately managing risks and have constructed systems that are resilient. But if it is going to take years to secure the nation, it is well past the time to get started.