DHS to Regulate Pipeline Cybersecurity Following Colonial Attack In an aerial view, fuel holding tanks are seen at Colonial Pipeline's Dorsey Junction Station on May 13, 2021(Drew Angerer/Getty Images)
By Theodore Bunker | Tuesday, 25 May 2021 06:56 PM
The Department of Homeland Security will issue its first regulations for cyber attacks against pipeline companies following the incident with Colonial Pipeline earlier this month, The Washington Post reports.
The department’s Transportation Security Administration, which was put in charge of all pipeline security after its creation following the terrorist attacks on September 11, 2001, will issue a directive later this week that will require pipeline companies report cyber attacks to federal authorities, and will be followed by more vigorous guidelines for pipeline security and how to respond if hacked, senior DHS officials told the newspaper.
“This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes,” said one official, speaking on the condition of anonymity since the plans have not been officially revealed yet.
Colonial’s chief executive recently confirmed that the company paid $4.4 million to hackers abroad to regain access to their systems after an intrusion caused gas shortages and widespread difficulties in the southeast.
Richard Glick, the chairman of the Federal Energy Regulatory Commission, said after the attack that “it’s time” for mandatory cybersecurity standards, noting that FERC has worked with the North American Electric Reliability Corporation to regulate cyber standards for the bulk electric system.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” he noted.
Brian Harrell, a former DHS assistant secretary for infrastructure protection, told the newspaper that “any cyber standards that we implement must be harmonious with the other security regulations currently applicable to industry. Let’s not have six sets of books that regulate one way on Monday, and another way on Tuesday.”
He added that “The TSA is a great organization that has kept the flying public safe over the years. However, the TSA does not currently have the expertise or resources to manage a robust mandatory pipeline security compliance regime.”
Harrell said that Congress must “step up to the plate” and provide the agency with the necessary resources to regulate pipeline security.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck told the Post in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”