12 May 2021 | 20:54 UTC
By Maya Weber
Highlights
House panel seeks to enhance Energy Department role
Others seek to bolster CISA voluntary efforts
Wyden points toward accountability, penalties
The cybersecurity attack on Colonial Pipeline, a main artery of US fuel supply, is spawning renewed calls for legislation to bolster defenses of US pipelines and the electric power grid, and, in some corners, calls for new government authority to hold companies accountable if they fail to act.
House Energy and Commerce Committee leaders on May 11 reintroduced bipartisan legislation aimed at strengthening the Department of Energy's ability to respond to physical and cybersecurity threats to the nation's pipelines and LNG facilities.
Committee Chairman Frank Pallone, Democrat-New Jersey, and Ranking Member Cathy McMorris Rodgers, Republican-Washington, said their committee was the best equipped to lead bipartisan cybersecurity solutions, particularly for energy infrastructure and pipelines.
"The Colonial Pipeline cyberattack and the ripple effects being felt now across the country are sharp reminders of just how deeply we all rely upon our energy infrastructure every day, and just how crucial it is that we invest in modernizing and protecting it," they said in a joint statement. They urged that bipartisan solutions put forward by the committee be "enacted immediately."
Among those, the Pipeline and LNG Facility Cybersecurity Preparedness Act, sponsored by Fred Upton, Republican-Michigan, and Bobby Rush, Democrat-Illinois, would require DOE to carry out a program to coordinate federal agencies, states, and the energy sector to ensure the security, resiliency and survivability of natural gas pipelines, hazardous liquid pipelines and LNG facilities.
And the Energy Emergency Leadership Act, also reintroduced May 11, would help elevate energy and cybersecurity responsibilities as a core function at DOE. Lead sponsors are Representative Bobby Rush, Democrat-Illinois, and Tim Walberg, Republican-Michigan.
The committee highlighted two other recently introduced bills aimed at encouraging public-private sector partnerships to bolster the cybersecurity of electric utilities.
Seeking a more aggressive government posture on the Senate side, Ron Wyden, Democrat-Oregon, called for legislation to increase accountability for companies in light of vulnerabilities to critical infrastructure he said were highlighted by the attack on Colonial.
Congress should force companies to secure their computer systems, said Wyden, a member of the Senate's Select Committee on Intelligence. "There must be serious civil and criminal penalties -- with personal accountability for CEOs -- for critical infrastructure firms with lax cybersecurity, and federal agencies should be conducting regular cybersecurity audits of these firms," he said.
The renewed attention comes as the adequacy of federal oversight of pipeline cybersecurity has generated debate in Washington, amid roles played by the Transportation Security Administration, Cybersecurity and Infrastructure Security Agency and DOE.
Federal Energy Regulatory Commission Chairman Richard Glick and Commissioner Alison Clements on May 10 called for mandatory pipeline cybersecurity standards, similar to those applicable to the electricity sector. Glick in the past has been critical of TSA's efforts and allotted resources for ensuring adequate security of oil and gas infrastructure.
Elsewhere, House Homeland Security Committee Ranking Member John Katko, Republican-New York, on May 11 urged greater investment in CISA's Pipeline Security Initiative, a voluntary public-private partnership involving CISA, TSA and DOE that conducts assessments of pipeline assets to identify vulnerabilities.
Katko has backed a 50% spending increase for such infrastructure analysis and sought more detail from CISA about assessments performed to date and whether they could be extended beyond gas to include fuel pipelines.
In response to recent calls for regulation, the Interstate Natural Gas Association of America said its members would continue collaborating with federal agencies on strengthening cybersecurity protections.
"Over the past few years, Congress and the Department of Homeland Security have led significant efforts to enhance the pipeline security programs within DHS, including through both TSA and CISA programs, and we believe this work should continue," INGAA said in a statement. The group added that in order to be effective "government programs and standards must be nimble enough to adapt to continually evolving threats, leveraging public-private collaboration, and two-way information sharing."
There were also renewed calls to protect the power grid.
Protect Our Power, a group focused on making the electric grid more secure and resilient, called on the administration and Congress to make grid security and resilience a top priority in pending infrastructure legislation.
"The Colonial pipeline cyberattack, on the heels of the SolarWinds attack, makes it clear that our electric infrastructure is vulnerable and in need of significant security upgrades," said Jim Cunningham, executive director of the advocacy group.
Targeting short-term vulnerabilities, the group has urged that about $22 billion be provided over five years, including $12 billion for municipal power companies and rural utilities to offset costs of improving grid resilience, and $5 billion for building separate and more secure communications systems that control actual power system operations, among other investments.