As a major fuel delivery operator gradually returns to service five days after suffering a ransomware attack, U.S. lawmakers are pressing federal agencies on what more they can do to secure the nation’s pipelines from hackers.
The disruption at Colonial Pipeline, which operates 5,500 miles of pipelines and provides 45% of the fuel consumed on the East Coast, has renewed longstanding concerns that the lead agency for pipeline cybersecurity, the Transportation Security Administration, is ill-equipped to deal with the scale of security challenges in the sector. A multi-agency initiative to bolster pipeline cybersecurity begun in 2018 is a good start, but more can be done, critics say.
“I have raised significant concerns with TSA’s focus on surface transportation, including pipelines, for years,” Rep. Jim Langevin, D-R.I., told CyberScoop.
He pointed to a 2018 audit from the Government Accountability Office that found that TSA’s pipeline cybersecurity work was inadequate and lacked “clear definitions to ensure that pipeline operators identify their critical facilities.”
“Moving forward, TSA needs to explain to the American people how it will ensure security of this critical infrastructure sector, and the administration needs to ensure that this woefully underfunded program gets the resources it needs,” Langevin said.
In a statement to CyberScoop, TSA said that since 2018 it had expanded the staff it has working on pipeline physical security and cybersecurity from six to 34 people. TSA reviews pipeline operators’ adherence to the agency’s voluntary security guidelines, TSA said.
“Through public and private partnerships and continued expansion of staffing and resources, TSA works tirelessly to enhance pipeline security measures,” the agency statement continued. “TSA will continue to work in close coordination with government and pipeline partners to evaluate the key factors garnered from the [Colonial Pipeline] cyber incident and determine opportunities to reduce and mitigate risk across the sector.”
Lawmakers say other agencies’ support for federal pipeline cybersecurity has improved that work in recent years.
For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Department of Energy joined with TSA in October 2018 on an initiative to identify vulnerabilities in computing infrastructure used by pipeline companies and to provide security advice to those companies.
CISA says the federal Pipeline Cybersecurity Initiative draws on government and private-sector expertise “to identify and address cybersecurity risks to enhance the security and resiliency of the Nation’s pipeline infrastructure.”
The initiative has shown promise, according to Rep. John Katko, of New York, the top Republican on the House Homeland Security Committee.
“Now, in the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth, and effectiveness of the Pipeline Cybersecurity Initiative is more important than ever before,” Katko wrote in a letter to Acting CISA Director Brandon Wales on Tuesday.
Katko asked CISA to brief lawmakers by June 1 on how many security assessments federal agencies have done of pipelines under the initiative, and how vulnerabilities are mitigated. Katko also wants to increase by 50% the budget of a CISA component that conducts infrastructure analysis.
“We are engaged with our interagency partners to understand and mitigate impacts resulting from [the Colonial Pipeline incident], including by sharing information to protect and prevent others from becoming victims,” Eric Goldstein, CISA’s executive director for cybersecurity, told CyberScoop.
Though Colonial Pipeline is a privately held company, lawmakers and security experts say federal support to the sector is important to raise network defenses.
“As we have repeatedly stressed, cybersecurity is no longer just an ‘IT issue’ but instead an economic and national security challenge that can have real-world impacts to our security,” a dozen House Democrats and Republicans wrote in a letter to White House national security adviser Jake Sullivan on Tuesday. “It is imperative that the federal response is rapid, clear, and consistent.”
Some federal officials have also proposed cybersecurity regulations for the pipeline sector, which only has voluntary security guidelines.
“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” said Richard Glick, the chairman of the Federal Energy Regulatory Commission, which has oversight of the electricity sector but not the pipeline sector. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.”
But some analysts warned that regulations won’t get the job done.
“We have a resource problem. Regulations will not fix this,” said Bryson Bort, founder of cybersecurity companies SCYTHE and GRIMM. “We should stop leaving it up to every individual critical infrastructure organization to figure out the solution themselves.”
Security agencies, led by CISA, should be adequately funded to provide a “catalog of resources” such as technical support and advice to critical infrastructure companies, Bort added. “Let’s offer carrots instead of sticks.”
UPDATE, 2:33 p.m. EDT: This story has been updated with a statement from TSA.
UPDATE, 5 p.m. EDT: This story has been updated with a statement from CISA Executive Director for Cybersecurity Eric Goldstein.