Is The TSA Security Directive A Harbinger Of Oil And Gas Cybersecurity Regulations? - Energy and Natural Resources

Published on July 19th, 2021

In the weeks that followed a ransomware attack on a domestic
pipeline company, the federal government's efforts to shore
up the cybersecurity posture of America's critical
infrastructure and supply chains, including the oil and gas
industry, have garnered increased attention. Historically,
the oil and gas sector has not been subject to mandatory
cybersecurity regulations, but rather was encouraged to follow
voluntary security guidelines that were initially published by the
Transportation Security Administration (TSA) in 2011 and revised in
2018. Yet, the industry sector's geographic size, number of
operators/stakeholders within the sector, and its importance to the
national economy make the oil and gas industry an attractive target
for cyberattacks.

Each of these factors raises the question of whether voluntary
cybersecurity measures are sufficient to protect this critical
infrastructure component. Based on the TSA's decision to
publish the very first Pipeline Security Directive
(“Directive”) three weeks after Colonial Pipeline was
victimized by a ransomware attack, the answer to this rhetorical
question appears to be an emphatic “No.”

The Directive debuts TSA's first mandatory requirements
for the pipeline sector

Physical security for oil and gas pipelines has been in the
domain of the TSA since the agency's inception in 2001. The
safe transport of fuels and chemicals, arguably a task that is
within TSA's wheelhouse, was viewed through a prism of
physical risk after 9/11. However, the prevalence of ransomware and
the vulnerability of Operational Technologies to cyber-attack have
blurred the lines between safety and security. Compounding this
problem, cybersecurity is not a core skill for the six TSA personnel
who have primary responsibility for pipeline security.[1] As such,
the TSA is not only understaffed in the cybersecurity department, it
has relied on voluntary guidelines and lacks the enforcement tools
available to other agencies[2] such as the
Cybersecurity and Infrastructure Security Agency (CISA).
Considering these limitations, the TSA deserves some praise for
issuing the Directive fifteen business days after a service
disruption, but the Directive's requirements are far from
revolutionary.

The Directive required owners and operators of hazardous liquid
and natural gas pipelines to (1) designate in writing and provide
to TSA, the names of the primary and alternate Cybersecurity
Coordinators; (2) report to CISA the occurrence of cybersecurity
incidents involving systems the owner/operator is responsible for
operating; and (3) perform a vulnerability assessment of the
organization's activities and practices to address risks to
their networks, identify gaps in those activities, remediation
measures to fill those gaps, and a timeline for doing so. The
Directive called for those three requirements to be completed by
June 28, 2021. The information owners/operators provide to
TSA under the Directive is Sensitive Security Information and thus
will not be disclosed to the public.

Are there better equipped agencies who can handle cybersecurity
for oil and gas?

The Directive follows on the heels of President Biden's
Executive Order No. 14028 issued on May 12, 2021 (EO 14028) to
improve the nation's cybersecurity. The Directive, EO 14028
and other recent federal policy initiatives signal a shift towards
greater oversight and control for the cybersecurity of important
industries. CISA, which describes itself as “the
nation's risk advisor,” is one of the agencies likely to
be heavily involved with cybersecurity changes for critical
infrastructure sectors, such as oil and gas pipelines.

The Federal Energy Regulatory Commission (FERC) has already
developed mandatory cybersecurity standards for the electrical grid
and has the experience to create similar standards for oil and gas.
Additionally, the Department of Energy (DOE), which has experience
with nuclear cybersecurity, could take the reins on oil and gas
cybersecurity. Moreover, Secretary of Energy Granholm
testified on June 15, 2021 before the Senate Energy and Natural
Resources Committee that the DOE wanted to help electric utilities
defend themselves from sophisticated cyber threats as part of
DOE's efforts to coordinate with the private sector and
CISA.





Arguably, CISA is better-suited to recognize cyberattacks,
create guidelines, and manage responses to cyber-attacks and is
likely to increase its involvement with oil and gas cybersecurity.
Case in point, EO 14028 mentions CISA thirty-four times, but is
completely silent regarding any role or expectations for TSA.

What is on the road ahead for pipelines?

No matter which agency, including TSA, takes or retains the lead
role on cybersecurity for the oil and gas sector, industry actors
will have to deal with significantly more regulation than in the
past. Regulations promulgated by that agency will most likely
require rapid investigation and identification of cybersecurity
incidents and require the disclosure of bona fide incidents to the
cognizant agency. Regulations could also incorporate by reference
third-party consensus standards and basic cyber-hygiene practices
(e.g., multifactor authentication, risk-based
identification, recurrent cybersecurity training for personnel,
etc.) to reduce the effectiveness of phishing and spear
phishing.

While new regulatory requirements may be costly to comply with
initially, the reduced vulnerability to cyberattacks by malicious
actors not only protects the nation's critical
infrastructure but also reduces the risk of pipeline
owners/operators suffering large financial losses that cause
operational disruptions or, in the worst case, force a pipeline to
temporarily shut down.

Footnotes

1. TSA Has Been Underfunded, Understaffed While
Overseeing Pipeline Cybersecurity, Nat'l Public Radio,
interview by Brian Naylor with Robert Knake, Senior Fellow with the
Council on Foreign Relations, May 18, 2021.

2. TSA Pipeline Oversight Faces Scrutiny After
Colonial Hack, David Uberti, Wall Street Journal, May 13, 2021.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
