The Biden administration will require the nation’s pipeline companies to report to the government any time they are hit with a significant cyberattack, and to create 24-hour emergency centers for such episodes, Alejandro N. Mayorkas, the secretary of homeland security, said Thursday morning.
The move is the first of several, administration officials said Wednesday night, to address the lessons of the Colonial Pipeline ransomware attack this month, which forced Colonial to shut off the systems that send gasoline and jet fuel to nearly half of the East Coast. But based on the details released by people familiar with the order, it does little to solve the central problems that were revealed by that attack.
The officials characterized the step as more aggressive regulation of the pipelines, under authority that belongs to the National Transportation Safety Board. Presumably those requirements will examine whether the attacks on the business network can “migrate” to the operational controls of the pipelines themselves.
In the Colonial Pipeline case, the company brought down the flow of gasoline and jet fuel for fear that malware in its business software — filled with budgets and emails — could interact with the digital control systems used for directing the fuel to tanks up and down the Eastern Seaboard.
Mr. Mayorkas, who dealt with some cybersecurity and infrastructure issues when he served as deputy secretary of homeland security in the Obama administration, said in a statement that the Colonial Pipeline case showed “that the cybersecurity of pipeline systems is critical to our homeland security.” He added that his department would “continue to work closely with our private-sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
In fact, the vulnerabilities of pipelines have been well-known for years. In 2013, a hacking group linked to China’s People’s Liberation Army gained access to the networks of a Canadian subsidiary of a firm that operates natural gas pipelines across the United States. Yet even after that episode, the federal government did not start requiring pipeline operators to meet minimal cybersecurity standards, or to report incidents to the government.
The new requirement will essentially assure that the pipeline companies always have at least one employee with some cybersecurity training monitoring their systems, though it is unclear what that employee would be empowered to do other than raise an alarm.
The order also sets a 30-day period to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency.
But the gaps identified in the Colonial ransomware attack most likely would not have been anticipated by any such review, many experts note. And the company’s intense secretiveness in dealing with the government during the episode — including its decision to pay the ransom — was a source of constant frustration to government officials.