
Colonial Pipeline hack exposes lack of federal cybersecurity oversight for US energy industry: media

Xinhua | Updated: 2021-05-12 09:11
Cars line up at a QuikTrip in Atlanta, Georgia on May 11, 2021. There is an expectation of a gasoline shortage in Georgia after Georgia-based gas company Colonial Pipeline reported a ransomware attack on May 7. [Photo/Agencies]

WASHINGTON - The ransomware attack on Colonial Pipeline Co. has hit a US industry that largely lacks federal cybersecurity oversight, leading to uneven digital defenses against such hacks, reported The Wall Street Journal on Tuesday.

The temporary shutdown of Colonial's pipeline, the country's largest conduit for gasoline and diesel to the East Coast, follows warnings by US officials in recent months of the danger of cyberattacks against privately held infrastructure. It also highlights the need for additional protections to help shield the oil-and-gas companies that power much of the country's economic activity, cyber experts and lawmakers were quoted as saying.

"The pipeline sector is a bit of the Wild West," said John Cusimano, vice president of cybersecurity at aeSolutions, a consulting firm that works with energy companies and other industrial firms on cybersecurity.

Cusimano called for rules similar to the US Coast Guard's 2020 regulations for the maritime sector that required companies operating ports and terminals to put together cybersecurity assessments and plans for incidents.

More than two-thirds of executives at companies that transport or store oil and gas said their organizations are ready to respond to a breach, according to a 2020 survey by the law firm Jones Walker LLP. But many don't take basic precautions such as encrypting data or conducting dry runs of attacks, said Andy Lee, who chairs the firm's privacy and security team.

"The overconfidence issue is a serious phenomenon," Lee said.

Electric utilities are governed by rules enforced by the North American Electric Reliability Corp., a nonprofit that reviews companies' security measures and has the power to impose million-dollar fines if they don't meet standards.

There is no such regulatory body enforcing standards for oil-and-gas companies, said Tobias Whitney, vice president of energy security solutions at Fortress Information Security, a company that helps energy firms vet business partners for cyber readiness.

"There aren't any million-dollar-a-day potential fines associated with oil-and-gas infrastructure at this point," he said. "There's no annual audit."

Colonial Pipeline said on Friday that it proactively shut down its 5,500-mile pipeline, which stretches from the Gulf Coast to New Jersey, after a ransomware attack on its computer networks. The company said on Monday that the hack affected only its information technology, rather than control systems used to run the pipeline, and that it aims to restore substantial service by week's end.

Lawmakers from both parties said the incident reinforces the need to create new legal obligations for protecting critical infrastructure.

The Energy Department also will launch a 100-day "sprint" to improve pipeline security.

US President Joe Biden said on Monday that his administration was prepared to take additional steps to respond to the cybersecurity attack on the Colonial Pipeline.

The company, which transports more than 100 million gallons of fuel daily on the East Coast, said Monday in a statement that it aims to substantially restore operational service by the end of the week.

Copyright 1995 - . All rights reserved. The content (including but not limited to text, photo, multimedia information, etc) published in this site belongs to China Daily Information Co (CDIC). Without written authorization from CDIC, such content shall not be republished or used in any form. Note: Browsers with 1024*768 or higher resolution are suggested for this site.