Pipeline operators who fail to report cybersecurity attacks to the
The so-called security directive being issued by Homeland Security will be followed in the near future by an additional set of rules for pipeline operators, according to senior department officials who asked not to be identified.
The new mandates, a shift from a long-held system of voluntary guidelines and self-reporting, is in response to the ransomware attack on
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security
In addition to requiring pipeline owners to report incidents, Thursday’s security directive to companies that operate about 100 critical pipelines would stipulate that a designated representative be available around the clock as the point of contact, according to the statement.
The directive will also require operators to compare their practices with
That has pipeline operators concerned the new measures could be harmful to the department’s voluntary system.
“Pipeline operators want to avoid a ‘ready, fire, aim’ approach from the government where we fail to incorporate lessons learned from Colonial or potentially make things worse by regulating the wrong thing or doing it in the wrong way,” said
The department officials said they still planned to work collaboratively with the pipeline industry, even as Homeland Security works to craft more structured oversight.
“TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland,” TSA said in the statement.
Unlike power plants, U.S. pipelines have not been required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them through its Transportation Security Administration when it was created in the wake of the Sept. 11, 2001, terrorist attacks.
That’s been an approach the industry has championed -- and fought for as well. An effort in 2012 to require cyber regulations for pipelines and other significant infrastructure through legislation failed after intense lobbying by oil companies and other corporate interests.
The new measures come after hackers who stole data and locked computers forced the shutdown of Colonial’s roughly 5,500-mile-long (8,851-kilometers) pipeline system for nearly a week. The pipeline, which provides about 45% of the fuel used on the East Coast, was turned back on after company paid a $5 million ransom, but not before the shutdown caused shortages at gas stations.
“Any potential regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure,” said
(Updates with Mayorkas statement, details beginning in fourth paragraph.)
To contact the reporter on this story:
To contact the editors responsible for this story:
© 2021 Bloomberg L.P. All rights reserved. Used with permission.