Oil and gas industry resists cybersecurity mandates after Colonial Pipeline attack

The oil and gas industry and some Republican leaders are resisting new calls for mandated cybersecurity standards for pipelines in the wake of the ransomware attack on the Colonial Pipeline.

Richard Glick, a Democrat who chairs the Federal Energy Regulatory Commission, called on Congress this week to establish mandatory pipeline cybersecurity standards similar to those already applied to the electricity sector.

The American Petroleum Institute, the largest oil and gas industry lobby group, is pushing back on the prospect of regulatory action over pipelines.

An API official told reporters Tuesday that discussing new cybersecurity mandates is premature as investigators learn how the hackers, an organized crime group called DarkSide, breached Colonial’s computer networks in the most significant, successful cyberattack ever on energy infrastructure in the United States.

The official said member companies are aware of cyberthreats facing the oil and gas industry and stressed strong communication that already occurs with intelligence agencies.

Trump administration Energy Secretary Dan Brouillette called for better information-sharing between the private companies that own the vast majority of energy infrastructure and the federal government.

“I am not sure another layer of regulation is going to fix the issue,” Brouillette told the Washington Examiner. “There are easier things we can do.”

The government, he said, should be proactive while still making sure to protect sources and methods from the intelligence community because companies don’t always know how to recognize a cyberbreach in real time.

“It’s not always intuitive,” Brouillette said. “Attackers have become very good. Private industry is always on the defense. The attackers always play offense, so they have an advantage.”

But some policymakers and regulators say it makes no sense that the nation’s nearly 3 million miles of oil and gas pipelines largely lack federal cybersecurity oversight, unlike the electric grid, which is subject to mandatory standards overseen by the FERC, in coordination with the North American Electric Reliability Corporation.

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick, the FERC's chairman, said in a statement. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

Homeland Security Secretary Alejandro Mayorkas was asked about Glick’s statement at the White House press briefing Tuesday and avoided directly saying whether the Biden administration plans to work with Congress on forcing cybersecurity requirements on pipelines.

“Our conversations have been ongoing with respect to what measures we need to take administratively and in companion with the Legislature,” Mayorkas said.

White House press secretary Jen Psaki said the administration has encouraged cooperation between the public and private sectors, but she put the onus on companies to be better prepared.

“A big lesson for this is for all companies to harden their cybersecurity apparatus and to ensure they are protecting themselves, even as we are working as a government to plan for contingencies and ensure that across the federal government, we have all the necessary protections in place,” Psaki said Tuesday.

President Joe Biden's $2.3 trillion infrastructure and clean energy plan does not mention cybersecurity. Biden, however, is expected to announce this week an executive order on cybersecurity standards.

Bruce Walker, a senior Energy Department official focused on cybersecurity in the Trump administration, suggested new regulations would take time to implement and struggle to keep pace with nation-state actors such as Russia bent on assaulting U.S. critical infrastructure. (DarkSide has denied any interest in politics and links to Russian intelligence.)

Standards imply commonality: if every pipeline operator must implement the same specific safeguard, an attacker only has to solve that one problem.

“When you blanketly put standards out, it doesn't encourage the buy-in and exchange of information and knowledge integral to moving forward in a world where you are dealing with nation-state actors. There is no silver bullet here,” Walker told the Washington Examiner.

Many oil and gas companies are not being proactive on their own, though.

A survey of 125 midstream oil and gas company officials published in January by Jones Walker LLP, cited Monday by the legal news outlet Law360, found that while 40% of companies reported an attempted or successful data breach in the past year, only 7% updated their written security policies.

The survey showed that just 38% of companies will increase their cybersecurity budget this year and that 88% of respondents don't actively exchange cybersecurity best practices with their peers.
