Following the six-day shutdown of the Colonial Pipeline Co. after a ransomware attack, a bipartisan group of U.S. House lawmakers has revived legislation aimed at formalizing federal agencies’ responsibilities for securing pipelines against threats.

In addition to codifying the responsibility of both the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency for securing pipelines against threats, the legislation would require TSA to update pipeline security guidelines and conduct risk assessments. In addition, the bill would require the TSA to create a personnel strategy for staffing its Pipeline Security Section and improve congressional oversight of TSA’s pipeline efforts.

Rep. Emanuel Cleaver (D-MO), who previously introduced the legislation in 2019, is leading the effort once again after hackers infiltrated Colonial’s servers and demanded a ransom. The attack forced the 5,500-mile pipeline to shut down the main lines of its system, which supplies about 45% of the East Coast’s gasoline, diesel and jet fuel. While the attack was on Colonial’s information technology (IT) system, not the pipeline itself, it shut down the pipeline until it was certain it could safely manage the flow of fuel.

Colonial reportedly paid hacking group DarkSide, a criminal ransomware group based in Eastern Europe, $5 million in untraceable cryptocurrency for a decrypting tool to restore the company’s IT network.

“It’s become clear that cyber-attacks on our critical infrastructure are national security and economic threats to the homeland,” Cleaver said in a statement Friday. “The recent ransomware attack on the Colonial Pipeline, which caused the shutdown of thousands of miles of gas pipeline along the East Coast, was just the latest example of why Congress must act swiftly to harden our critical infrastructure and bolster our cybersecurity capabilities.”

The bill is co-sponsored by multiple other lawmakers on both sides of the aisle, including House Homeland Security Committee Chairman Bennie Thompson (D-MS) and ranking member John Katko (R-NY).

“The attack on the Colonial Pipeline this week was just one example of what could go wrong and it’s clear we may not be as lucky in the future if we don’t adjust,” Thompson said.

The U.S. Government Accountability Office (GAO) said in late 2018 that TSA’s natural gas and oil pipeline security guidelines were not keeping pace with cybersecurity standards. In a report, the government watchdog said the TSA does not have a documented process for reviewing and revising its guidelines on a regular basis.

In addition, it found that TSA relies on the industry’s self-evaluation “using ill-defined criteria” to determine whether pipeline operators have critical facilities within their pipeline systems. “As a result, approximately one third of the top 100 systems based on volume indicated to TSA that they do not have any critical facilities and TSA did not conduct an onsite review of these facilities,” according to GAO.

The House Homeland Security Committee is set to consider this bill and other cybersecurity-related measures this week.

‘Necessary’ Mandates

Some members of the Federal Energy Regulatory Commission (FERC) also have called for establishing mandatory cybersecurity standards for the pipeline industry.

In a meeting last week, FERC Chairman Richard Glick pointed out that the Commission for more than a decade has coordinated with the North American Electric Reliability Corp. to establish and enforce mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for U.S. natural gas, oil and hazardous liquid pipelines, he said.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

Commissioner Allison Clements agreed with Glick’s call for mandatory cybersecurity standards for U.S. pipeline infrastructure.

Meanwhile, in a televised interview with CNN, American Petroleum Institute CEO Mike Sommers said following the “terrorist attack” on Colonial, energy companies are “keenly focused” on making sure their cyber defenses are up and running. Furthermore, he said the CEOs of API member companies “want to work with the federal government on making sure there aren’t vulnerabilities to our energy supply.

“We need to make sure that we have a robust system in place that can fight back against these rogue actors overseas,” Sommers said.

The executive called the attack on Colonial a “wake-up call” not only for energy companies, but for all company CEOs who have “vulnerabilities in this space.” Sommers also urged the U.S. government to “make sure these overseas actors and these countries that sponsor them accountable for what their countries are doing.”

On Guard

Even without federal mandates, pipeline companies across the country have implemented protocols for navigating potential threats.

Midstream giant Kinder Morgan Inc. takes an enterprise-wide approach to managing both cybersecurity and physical security threats to its operations and transactional systems, including its supervisory control and data acquisition (SCADA) systems. Spokesperson Melissa Ruiz told NGI that Kinder’s processes and cybersecurity plans are part of its overall emergency response plans, and multi-agency “worst case” drills are conducted for continual process improvement.

“From a process standpoint, we use a risk-based approach with a focus on critical systems where failure or exploitation could potentially impact pipeline safety or reliability,” Ruiz told NGI. “As such, critical business and SCADA systems are fully redundant.”

Furthermore, Kinder has developed and follows a Cyber Incident Response Plan (CIRP). The CIRP ensures that, if an incident occurs, the threat is identified, contained and eradicated. If needed, the plan has recovery steps identified, and lessons learned are documented.

“We also collaborate with state and federal government agencies on classified briefings and architecture reviews, and exchange best practices with industry peers through participation in industry associations and through direct, one-on-one meetings,” Ruiz said.