The U.S. government is focusing on improving its national cybersecurity defenses after a recent ransomware attack by Russian hackers on a company that operates a pipeline providing almost half of the gasoline to the East Coast.
In the wake of the Colonial Pipeline shutdown, both the President and Congress took measures aimed at improving government cyber defenses and setting minimum standards that pipeline operators’ computer systems security must meet.
There are more than 2.7 million miles of pipelines in the U.S. that transport, natural gas, oil and other products.
While electric grids are governed by mandatory cybersecurity rules overseen by the Federal Energy Regulatory Commission, pipeline operators are not. The Transportation Security Administration (TSA), created in the wake of the 9/11 attacks in 2001, was given oversight over pipeline security in addition to aviation safety. It publishes a set of voluntary Pipeline Security Guidelines that it recommends, but does not require, companies to follow.
Cybersecurity of U.S. energy networks was addressed by Congress as part of the 2021 National Defense Authorization Act, by designating TSA as the primary agency for cybersecurity oversight of energy pipelines and directing it to work with the Cybersecurity and Infrastructure Security Agency (CISA) on risk assessment and cyber defense. However, TSA lacks the capacity to undertake the job, the Government Accounting Office found.
Members of the House Homeland Security Committee recently re-introduced the Pipeline Security Act, which was approved by the committee two years ago but never got to the House floor. The legislation would outline the responsibilities and expand TSA’s staff and expertise.
Reuters reported that the Department of Homeland Security plans to issue its first mandatory cybersecurity regulations on pipelines. The TSA would require pipeline companies to report cyber incidents to the federal government and designate officials with around-the-clock access to the TSA and CISA.
In addition, President Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks. The goals include removing barriers to sharing information about threats between the government and private sector; modernizing and implementing stronger cybersecurity standards, and creating a standardized playbook for responding to cyber incidents.
The Pennsylvania Public Utility Commission also issued a cybersecurity advisory urging utilities to use best practices and remain vigilant in their efforts to detect any attempted intrusions.
“Over the last several years, ransomware has become the number one threat to both public and private sector organizations and has grown in both scale and sophistication – and ransomware attacks continue to strike businesses, government agencies and individuals daily,” the advisory states.