THREAT IGNORED
System called vulnerable nearly a decade ago, but companies fought regulation
A ‘blinking red’ hack attempt in 2012 led to new pipeline policy.
A decade ago, after hackers were caught infiltrating natural gas pipeline operations and an al-Qaida video emerged calling for an “electronic jihad” on U.S. infrastructure, then-Sen. Joseph Lieberman tried to sound the alarm.
The system is “blinking red,” Lieberman warned his Senate colleagues during debate on the threat in 2012. “Privately owned and operated cyber infrastructure can well be, and probably some day will be, the target of an enemy attack.”
Led by the Connecticut independent and one-time vice presidential candidate, lawmakers sought to require energy companies to strengthen computer security. But the effort withered under fierce lobbying by oil companies and other corporate interests that succeeded in killing the legislation. That left in place a system of voluntary guidelines that failed to stop last month’s ransomware attack on Colonial Pipeline Co., which paralyzed a major artery for fuel along the East Coast.
“It’s really a lost opportunity,” said Lieberman, now senior counsel at Kasowitz Benson Torres. “The attack on the Colonial Pipeline might not have happened if we passed the legislation.”
In response to the attack, the Department of Homeland Security issued a new directive Thursday that requires private operators of pipelines to report any cybersecurity incidents and attacks on their network to the Cybersecurity and Infrastructure Security Agency and asks the companies to appoint a cybersecurity coordinator.
“This is the first time that there’s been (a) mandatory reporting” requirement that CISA has imposed on pipeline operators, a senior official of the Department of Homeland Security told reporters.
Pipeline operators also are required to conduct an assessment of how their cybersecurity practices match guidelines issued by the Transportation Security Administration, which is responsible for overseeing pipeline safety.
The new directive is a defeat for oil companies and pipeline operators that for more than a decade have successfully fought off federal standards to thwart cyberattacks from legislation or regulatory agencies. Unlike power plants, U.S. pipelines weren’t required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them when it was created in the wake of the Sept. 11, 2001 attacks.
Until now, the TSA had resisted using its authority to mandate cyberprotection measures.
“My belief was we could get quicker and better security through working with the industry instead of regulating them because regulations set minimum security standards and industry in many cases was doing more than that,” said Jack Fox, who served as the agency’s manager of pipeline security before retiring in 2016.
Lieberman’s bill would have imposed cybersecurity performance requirements on privately owned critical infrastructure — and slap fines on companies that fell short. The rules would have been applied to more than pipelines: sectors where a hostile takedown
of computer systems could lead to mass casualties, the collapse of financial markets or the disruption of energy and water supplies, were to be included.
Even a watered-down version of the bill failed to overcome a Republican-led filibuster.
For Lieberman, the failure still stings.
“We would sort of ask ourselves who is driving this aggressive opposition and the answer we were getting was the energy companies and the pipeline companies,” he said.
Every major U.S. oil company — including Exxon Mobil, Chevron Corp. and ConocoPhillips — lobbied on the legislation, alongside some refiners and at least one pipeline operator. Colonial didn’t lobby on the measure in 2012, according to disclosure forms it filed with Congress. However, groups it belonged to did, including the American Petroleum Institute, the Association of Oil Pipe Lines and the Chamber of Commerce — a political titan that reported spending $103.9 million influencing government policies in 2012.
The hacking episodes foreshadowed how alluring fuel delivery systems are to cybercriminals,.