Oil and gas industry resists cybersecurity mandates after Colonial Pipeline attack
The oil and gas industry and some Republican leaders are resisting new calls for mandated cybersecurity standards for pipelines in the wake of the ransomware attack on the Colonial Pipeline.
Richard Glick, a Democrat who chairs the Federal Energy
Regulatory Commission, called on Congress this week to establish mandatory
pipeline cybersecurity standards similar to those already applied to the
electricity sector.
The American Petroleum Institute, the largest oil and gas
industry lobby group, is pushing back on the prospect of regulatory action over
pipelines.
An API official told reporters Tuesday that discussing new
cybersecurity mandates is premature as investigators learn how the hackers, an
organized crime group called DarkSide, breached Colonial’s computer networks in
the most significant, successful cyberattack ever on energy infrastructure in
the United States.
The official said member companies are aware of cyberthreats
facing the oil and gas industry and stressed strong communication that already
occurs with intelligence agencies.
Trump administration Energy Secretary Dan Brouillette called
for better information-sharing between the private companies that own the vast
majority of energy infrastructure and the federal government.
“I am not sure another layer of regulation is going to fix
the issue,” Brouillette told the Washington Examiner. “There are easier things
we can do.”
The government, he said, should be proactive while still
making sure to protect sources and methods from the intelligence community
because companies don’t always know how to recognize a cyberbreach in real
time.
“It’s not always intuitive,” Brouillette said. “Attackers
have become very good. Private industry is always on the defense. The attackers
always play offense, so they have an advantage.”
But some policymakers and regulators say it makes no sense
that the nation’s nearly 3 million miles of oil and gas pipelines largely lack
federal cybersecurity oversight, unlike the electric grid, which is subject to
mandatory standards overseen by the FERC, in coordination with the North
American Electric Reliability Corporation.
“Simply encouraging pipelines to voluntarily adopt best
practices is an inadequate response to the ever-increasing number and
sophistication of malevolent cyber actors,” Glick, the FERC’s chairman,
said in a statement. “Mandatory pipeline security standards are necessary
to protect the infrastructure on which we all depend.”
Homeland Security Secretary Alejandro Mayorkas was asked
about Glick’s statement at the White House press briefing Tuesday and avoided
directly saying whether the Biden administration plans to work with Congress on
forcing cybersecurity requirements on pipelines.
“Our conversations have been ongoing with respect to what
measures we need to take administratively and in companion with the
Legislature,” Mayorkas said.
White House press secretary Jen Psaki said the
administration has encouraged cooperation between the public and private
sectors, but she put the onus on companies to be better prepared.
“A big lesson for this is for all companies to harden their
cybersecurity apparatus and to ensure they are protecting themselves, even as
we are working as a government to plan for contingencies and ensure that across
the federal government, we have all the necessary protections in place,” Psaki
said Tuesday.
President Joe Biden's $2.3 trillion infrastructure and clean
energy plan does not mention cybersecurity. Biden, however, is expected to
announce this week an executive order on cybersecurity standards.
Bruce Walker, a senior Energy Department official focused on
cybersecurity in the Trump administration, suggested new regulations would take
time to implement and struggle to keep pace with nation-state actors such as
Russia bent on assaulting U.S. critical infrastructure. (DarkSide has denied
any interest in politics and links to Russian intelligence.)
Standards suggest commonality, and if pipeline operators all
have to implement a specific safeguard, the perpetrator just has to solve for a
single problem.
“When you blanketly put standards out, it doesn't encourage
the buy-in and exchange of information and knowledge integral to moving forward
in a world where you are dealing with nation-state actors. There is no silver
bullet here,” Walker told the Washington Examiner.
Many oil and gas companies aren’t always being proactive on
their own, though.
A survey of 125 midstream oil and gas company officials
published in January by Jones Walker LLP, cited Monday by the legal news outlet
Law360, found that while 40% of companies reported an attempted or successful
data breach in the past year, only 7% updated their written security policies.
The survey showed that just 38% of companies will increase
their cybersecurity budget this year and that 88% of respondents don't actively
exchange cybersecurity best practices with their peers.