Experts Testify on Pipeline Cybersecurity MeasuresSenate Briefed Following Colonial Pipeline Attack
At a Senate hearing on oil and gas pipeline cybersecurity Tuesday, leaders from several federal agencies briefed lawmakers on the roles regulators can play in the aftermath of the recent ransomware attack against Colonial Pipeline Co.
The Committee on Commerce, Science, and Transportation, which heard testimony from the Transportation Security Administration, Department of Transportation and Government Accountability Office, examined recent actions taken in response to pipeline cyber incidents. Lawmakers urged the agencies to "flatten the bureaucracy" to improve relationships with companies that support pipelines.
The hearing came just one week after the TSA issued its second cybersecurity directive, requiring owners and operators of critical pipelines to implement cybersecurity controls. An earlier directive required pipeline operators to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, designate a cybersecurity coordinator and identify security gaps (see: TSA Issues Cybersecurity Requirements for Pipelines).
National Security Risks
In his opening comments, Senator Roger Wicker, R-Miss., the committee's ranking member, said the Colonial Pipeline attack "highlighted very present risks from cybercrime to our national security. It will be increasingly important for the public and private sectors to coordinate their efforts across the vast majority of the nation's critical infrastructure."
The vast majority of the nation's critical infrastructure, including pipelines, is owned and operated by the private sector, Wicker said. "The technologies used to conduct these attacks are continuing to evolve. We should avoid a one-size-fits-all approach, ensure that federal policy provides flexibility of response and adequately accounts for changing risks. We need to ensure pipelines continue to be safe transportation methods and can operate without disruption."
Threats to Pipelines Increasing
TSA Administrator David Pekoske testified: "The threats to pipelines have been increasing, as evidenced by a joint cybersecurity advisory issued last week by CISA and the FBI," which pointed to a spear-phishing and intrusion campaign targeting U.S. pipelines that was conducted by Chinese threat actors a decade ago. "TSA, in coordination with our interagency partners, has issued two security directives to meet this immediate security threat, reduce the vulnerability of our pipeline system and immediately protect transportation security."
In her testimony, DOT Deputy Secretary Polly Trottenberg said computational advances are introducing new cybersecurity risks, "and we are facing persistent and increasingly sophisticated cyberattacks with serious consequences for our economy. These risks require proactive, coordinated and agile responses."
The Department of Transportation worked closely with Colonial Pipeline after the attack as the company manually restarted its extensive pipeline, Trottenberg said.
"We need to keep learning and adapting quickly to meet increasingly complex and sophisticated cybersecurity challenges," she added.
In her testimony, Leslie Gordon, acting director for homeland security and justice within the GAO, said TSA, a unit of DHS, has addressed 12 of the 15 broader cybersecurity recommendations that the GAO presented in 2018 and 2019, including: clarifying pipeline security guidelines, improving performance monitoring, assessing staffing needs and updating guidance on federal roles and responsibilities.
Gordon said TSA's second directive, issued this month, "is placing significant additional cybersecurity requirements on private-sector pipeline owners and operators - and likely will generate additional information for TSA on cybersecurity needs."
To help agencies address a shortage of cybersecurity specialists, Gordon said the government should consider the expansion of a Department of Homeland Security talent management program, rethink the "long, cumbersome" security clearance process and launch a security reservist program.
"And we need to standardize training for cybersecurity for the federal workforce … so that the same folks who are out inspecting pipelines and looking at other facilities have a [cybersecurity] grounding," Gordon added.
Sen. Ed Markey, D-Mass., asked whether corporate leaders are "trying to pretend that it's an older world" in avoiding proper cybersecurity controls.
"A lot of cybersecurity procedures are simply hygiene items that have been well laid out … such as changing your password or using multifactor authentication on bank accounts and things of that nature," Pekoske replied.