National Post (National Edition)
U.S. pipeline cyber protections get boost in wake of Colonial hack
WASHINGTON • The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time, in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast's fuel supply this month — an incident that highlighted the vulnerability of critical infrastructure to online attacks.
The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.
The ransomware attack that led Colonial Pipeline to shutter its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation's capital.
Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel. The Colonial chief executive has said the company paid US$4.4 million to foreign hackers to release their systems.
The cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, the officials said.
“The Biden administration is taking further action to better secure our nation's critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is co-ordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”
Originally, the Department of Transportation oversaw pipelines, which were seen as a mode of transportation — whether conveying fuel, gas or chemicals. Then in 2002, responsibility for pipeline security was moved to the newly created TSA, which was given statutory authority to secure surface transportation.