Bloomberg Law
May 27, 2021, 3:36 PM

U.S. May Fine Pipeline Operators for Unreported Cyberattacks (1)

Ari Natter
Ari Natter
Bloomberg News

Pipeline operators who fail to report cybersecurity attacks to the Department of Homeland Security could face fines of $7,000 a day or more under regulations being released Thursday in response to the ransomware attack that temporarily paralyzed the nation’s biggest fuel pipeline.

The so-called security directive being issued by Homeland Security will be followed in the near future by an additional set of rules for pipeline operators, according to senior department officials who asked not to be identified.

The new mandates, a shift from a long-held system of voluntary guidelines and self-reporting, is in response to the ransomware attack on Colonial Pipeline Co.

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro Mayorkas said in a statement on Thursday.

In addition to requiring pipeline owners to report incidents, Thursday’s security directive to companies that operate about 100 critical pipelines would stipulate that a designated representative be available around the clock as the point of contact, according to the statement.

The directive will also require operators to compare their practices with Transportation Security Administration guidelines and identify and report risks.

That has pipeline operators concerned the new measures could be harmful to the department’s voluntary system.

Earlier: Pipelines Balked When ‘Blinking Red’ Hack Alert Went Off in 2012

“Pipeline operators want to avoid a ‘ready, fire, aim’ approach from the government where we fail to incorporate lessons learned from Colonial or potentially make things worse by regulating the wrong thing or doing it in the wrong way,” said John Stoody, a spokesman for the Association of Oil Pipe Lines, which counts Colonial among its members, said before the regulations were unveiled.

The department officials said they still planned to work collaboratively with the pipeline industry, even as Homeland Security works to craft more structured oversight.

“TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland,” TSA said in the statement.

Unlike power plants, U.S. pipelines have not been required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them through its Transportation Security Administration when it was created in the wake of the Sept. 11, 2001, terrorist attacks.

That’s been an approach the industry has championed -- and fought for as well. An effort in 2012 to require cyber regulations for pipelines and other significant infrastructure through legislation failed after intense lobbying by oil companies and other corporate interests.

The new measures come after hackers who stole data and locked computers forced the shutdown of Colonial’s roughly 5,500-mile-long (8,851-kilometers) pipeline system for nearly a week. The pipeline, which provides about 45% of the fuel used on the East Coast, was turned back on after company paid a $5 million ransom, but not before the shutdown caused shortages at gas stations.

“Any potential regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure,” said Suzanne Lemieux, the American Petroleum Institute’s manager of operations security and emergency response.

(Updates with Mayorkas statement, details beginning in fourth paragraph.)

To contact the reporter on this story:
Ari Natter in Washington at

To contact the editors responsible for this story:
Jon Morgan at

Elizabeth Wasserman

© 2021 Bloomberg L.P. All rights reserved. Used with permission.