Pipeline operators must start reporting cyberattacks to government: TSA orders

Oil and gas pipeline operators must report all cyberattacks to the federal government in the wake of the shutdown of the Colonial Pipeline from a ransomware attack earlier in May, the US Department of Homeland Security said May 27 in a new security directive.

The most devastating cyberattack on a US pipeline stopped the nation's primary artery for gasoline and refined products from delivering more than 100 million gal/d of fuels for nearly a week, triggering pricing spikes, panic-buying and regional shortages. Colonial stretches more than 5,500 miles from the Houston refining hub to New York Harbor, supplying about 45% of all the gasoline and diesel fuel consumed on the East Coast.

Not only did the attack disrupt arguably the nation's most important fuel conduit, the incident also highlighted the particular vulnerability of the US' network of energy pipelines to cyberattacks. The pipeline sector currently only has voluntary cybersecurity guidelines set by DHS's Transportation Security Administration -- an agency primarily focused on the airline sector -- and not mandatory standards such as those required of the electricity sector.

The new announcement is TSA's first directive in response to the Colonial attack. More potential mandates remain under consideration, the announcement said.

"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," said Homeland Security Secretary Alejandro Mayorkas in a statement. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."

The new directive requires critical pipeline operators to report confirmed and potential cybersecurity incidents to the DHS's Cybersecurity and Infrastructure Security Agency and to have a designated cybersecurity coordinator readily available at all times.

Pipeline owners and operators also must review their current practices for security gaps and potential mediation efforts, and report the results to TSA and CISA within 30 days.

Industry response

The midstream oil and gas industry said it is supportive of reporting requirements, but concerned about requirements potentially being too broad when there are attempted cyberattacks every day.

"Pipeline operators want to avoid a 'ready, fire, aim' approach from the government where we fail to incorporate lessons learned from Colonial or potentially make things worse by regulating the wrong thing or doing it in the wrong way," said Association of Oil Pipelines Vice President John Stoody on May 27.

The American Petroleum Institute said it supports TSA's efforts to strengthen cyber-reporting, and is working closely with the Biden administration "to develop incident reporting policies and procedures that best protect our critical infrastructure, including pipelines."

API has continually argued though that cyberattacks are an economy-wide problem and the pipeline sector should not be singled out.

"Any regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation's critical infrastructure," said Suzanne Lemieux, API manager of operations security and emergency response, in a statement.

Several politicians and members of the Federal Energy Regulatory Commission have called for mandatory pipeline cybersecurity standards similar to those required of the electricity sector.

Apart from the lack of mandatory cybersecurity requirements for the industry, cybersecurity experts also have pointed out that pipelines are additionally vulnerable because they have so many associated field offices in rural areas along the routes that often have outdated technology.