The Colonial Pipeline hack revealed cyber risks that President Biden seeks to address with the nation’s first cybersecurity review board, modeled after the National Transportation Safety Board.
“It’s a good start,” said Roger Nebel, a cybersecurity instructor at the University of Alaska Fairbanks.
“But congressional action also is needed,” said Nebel, who teaches at the UAF Homeland Security and Emergency Management Program.
Biden’s 14-page order places a new emphasis on national cybersecurity. The executive order:
- Sets up the federal cybersecurity board to review attacks like the Colonial breach by a Russian criminal group.
- Enhances oil and gas industry standards for cybersecurity at federal agencies and for contractors that do business with them.
- Updates security standards for software sold to the government.
Digital defense remains uneven across the gas and oil industry, Nebel and other experts say.
Alaska energy lawyer Brad Keithley noted that pipeline cybersecurity historically has not been a focus of regulators.
“As a result of relatively loose regulatory oversight, the prioritization has been left largely to each pipeline,” said Keithley, who publishes “Thoughts on Oil and Gas,” an industry newsletter.
A national survey in 2020 showed that most oil and gas executives believed they would be able to respond effectively to a cyber threat. But many did not conduct regular assessments or trial runs that test responsiveness.
“Some [oil and gas companies] I am familiar with have given the issue fairly high priority,” Keithley said.
“Others, however, have prioritized other things and not put the same level of effort into cybersecurity,” he said.
That lack of consistent cyber oversight may be about to change.
Pressing issue for Alaska
Congress and energy leaders agree that cyber defenses need to improve for critical infrastructure. Gas and oil pipelines are at the top of the list.
Richard Glick, who heads the Federal Energy Regulatory Commission (FERC), said the nation’s pipeline infrastructure should be brought in line with cybersecurity requirements for high-voltage electric grids.
“There are no comparable mandatory standards for the nearly three million miles of natural gas, oil and hazardous liquid pipelines that traverse the United States,” Glick said.
Alaska Rep. Don Young is working with colleagues from both parties on legislation to further protect critical infrastructure, said Zack Brown, Young’s communications director.
“Alaska is an oil producing state, which makes this a particularly pressing issue,” Brown said, referring to the 800-mile trans-Alaska Pipeline System (TAPS).
U.S. Sen. Lisa Murkowski cautioned that mandatory cybersecurity standards “would be something that would need a fulsome discussion on what that would look like,” including goals, strategies and costs, said Karina Borger, communications director.
Alyeska Pipeline, which owns and operates TAPS, emphasized that the company prioritizes cybersecurity with advanced systems for prevention and protection.
“Cybersecurity is a significant issue for all businesses and certainly at the forefront for critical infrastructure like TAPS,” said Michelle Egan, communications director.
Egan said that Alyeska has not taken a position on whether there needs to be additional federal standards or oversight for the industry as a whole.
Biden’s executive order to shore up cyber protections in critical infrastructure affects federal agencies and their contractors.
It does not reach privately held infrastructure, like the Colonial Pipeline System, the primary conduit for refined petroleum products along the East Coast.
“Officials directly involved know these measures will not change the behavior of adversaries, end the tsunami of ransomware attacks, or get stolen information back,” cybersecurity expert Adam Bobrow wrote in the online forum, “Just Security.”
Bobrow said that congressional action is needed.
Colonial Pipeline has not disclosed many details with authorities or the public about the recent ransomware attack.
The Russian criminal group that placed ransomware in the Colonial computer network caused the company to temporarily disconnect the nation’s largest pipeline for gasoline and diesel.
“The ransomware got in on the IT side, but Colonial as a safety measure shut down the OT side — operations,” Nebel said.
`The bad guys know that'
While cyber defense varies by business, all companies run the same software with the same vulnerabilities, Nebel said.
When software providers like Microsoft issue patches to fix problems, the hackers take note, Nebel said.
“Many companies fail to patch, and the bad guys know that,” he said.
Gas and oil pipelines are a cost center for companies, and historically cybersecurity improvements are seen as added expenses, so they may not be prioritized, Nebel said.
The American Petroleum Institute, an industry association, is updating cybersecurity recommendations since the Colonial attack.
Alaska U.S. Sen. Dan Sullivan supports ensuring that the federal agencies with oversight have the resources to protect critical infrastructure, said Nate Adams, Sullivan’s press secretary.
The U.S. Transportation Security Administration’s Pipeline Security Branch is the lead federal agency that oversees pipeline security.
But the TSA has not made cybersecurity requirements since its inception after the 9/11 terrorism attack.
As early as 2012, the Federation of American Scientists warned that “the Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations.”
By 2021, not much had changed.
The TSA has relied on voluntary self-reporting for cybersecurity. Pipeline reviews are collaborative.
“This document is guidance and does not impose requirements on any person or company,” according to the TSA’s Pipelines Security Guidance checklist.
Cybersecurity and the impact on earnings
The Securities and Exchange Commission (SEC) requires public companies to report cybersecurity attacks.
Companies only must disclose in quarterly earnings reports “that a significant cyber incident happened and the impact on earnings,” Nebel said.
FERC mandates cybersecurity rules for high-voltage grids, but regulations do not extend to oil and gas pipelines.
“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” Glick said.
“Competition in the oil and gas sector has driven costs lower,” Nebel said, “so the incentives are not there for the capital expenditures needed.“
Expanding access to cybersecurity resources for businesses and every level of government should be a component of any federal cybersecurity legislation, according to Congressman Young’s office.
Young’s office said this week that the 2018 Cybersecurity and Infrastructure Security Agency Act “was a significant step forward, but that more must be done.”
Contact political reporter Linda F. Hersey at 459-7575 or follow her at twitter.com/FDNMpolitics.