Editorial: Cooperation required

June 7, 2021

The May 7 cyberattack on Colonial Pipeline Co.’s information technology was a reminder of the vigilance required to keep our major industrial and infrastructure assets secure at a time when they are increasingly both controlled from afar and interconnected, potentially to any other computer in the world. Companies attempt to shield their devices and networks from the worldwide web, but to maximize efficiency some connections have to exist.

The federal government is expected to enact cybersecurity regulations in reaction to the attack, with the Department of Homeland Security’s Transportation Security Administration (TSA) leading the way. At a minimum, it is reasonable to expect that pipeline companies will be required to report cyber incidents, with the American Petroleum Institute calling for reporting policies to include “reciprocal information sharing and liability protections.” A second layer of regulation could include requiring pipeline companies to file self-assessments of cybersecurity vulnerabilities.

But any such regulations will require additions to TSA staff to be effectively implemented and penalties sharp enough to deter noncompliance.

TSA has not issued a pipeline regulation since its founding in 2001. A 2018 Government Accountability Office report found “significant weaknesses” in TSA’s management of pipeline security, prompting an increase in staffing at its Pipeline Security Branch to 34 from 6, a level almost certainly still insufficient to the task at hand.

The standalone Cybersecurity and Infrastructure Security Agency (CISA) was formed in 2018 and launched its Pipeline Cybersecurity Initiative, a public-private partnership between TSA, CISA, the Department of Energy, and pipeline companies and industry groups. The initiative is responsible for conducting Validated Architecture and Design Review (VADR) assessments of natural gas pipelines. Staffing issues, however, have limited VADR’s implementation, prompting calls for a 50% increase in CISA’s budget.

A need for speed

The cyber battlefield is in perpetual motion. Programs requiring no human oversight, designed to locate weaknesses for future attacks, are launched every day and are being developed every minute of every day. The same can be said of attacks themselves.

Each of us is one successful strike away from being without power, or water, or gasoline, or meat, or any number of other goods we take for granted. It is imperative that the companies running this supply infrastructure act with the same level of determination in preventing these attacks that their perpetrators are in attempting to execute them.

Efforts to establish baseline standards or regulations for cybersecurity in the oil and gas industry are helpful as a way of organizing and tracking its implementation. But there is no ‘minimum’ level of activity that is good enough. The shelf-life of even the most sophisticated countermeasures is fleeting.

Trying to build a regulatory regime to compel diligence is similarly problematic. Companies will be certain to meet whatever requirements are put upon them regarding the frequency of x, y, or z activities. But some will inevitably be more diligent than others and cracks will start to show in the security methods employed by the laggards.

Cybersecurity works best as a cooperative venture. The ideal outcome is for everyone to have the best defenses available at any given moment. But for this to happen the exchange of information, both among companies and between companies and the government, must be clear and continuous. This need in turn raises concerns regarding competitive advantage from the companies’ perspective and anti-trust from the government’s.

The collective, proactive development of remedies, however, will both produce the best possible outcome and provide regulators with evidence that the industry really is doing its best. The time to start fleshing out the various frameworks built over the years to respond to cyberthreats is long past, but we have to start catching up. The industry must lead this effort cooperatively. No amount of regulatory interference or individual action will suffice.