The oil and gas industry is resisting efforts to revise cybersecurity regulations following the ransomware attack on the Colonial Pipeline. Industry officials claim that revising existing rules and working more closely with federal agencies would be enough to harden the sector against future attacks without significant government intervention.
The Colonial shutdown, which lasted several days and resulted in gasoline shortages on the east coast, has sparked several proposals for stronger government oversight of the pipeline industry, including transferring oversight of pipeline cybersecurity from the Transportation Security Administration – a branch the USA Department of Homeland Security – to the Department of Energy. However, industry associations say these and other major changes aren’t needed to protect pipelines and critical energy operations, most of which have cybersecurity measures already in place.
The American Petroleum Institute argues that Congress should devote more resources to the TSA to do its job better, rather than taking cybersecurity responsibility off the TSA. API is also updating its own cybersecurity standards for the pipeline industry, which require greater coordination between the industry and the federal government.
“You don’t have to go through a whole regulatory or legislative process to fix something that isn’t necessarily broken,” said Suzanne Lemieux, API’s lead cybersecurity expert.
The ransomware attack on the Colonial Pipeline, which begins in Houston and carries nearly half of the East Coast’s gasoline and diesel supplies, exposed the vulnerability of the United States’ energy networks. On May 8, Colonial reported that it was the victim of a ransomware attack in which criminals confiscated company data and demanded a ransom for its return. Although the company said the hackers were unable to disrupt pipeline flows, it took great caution in shutting down large parts of its pipeline network.
After agreeing to pay a ransom note of approximately $ 4.4 million, the company closed the pipeline on Jan.
Vulnerable to cyberattacks
The incident sparked a longstanding debate about the ability of the country’s energy sector to withstand increasing cyberattacks.
The Colonial Pipeline attack was the most momentous of its kind against critical energy networks in the United States, but it was by no means the first. Last October, the Cybersecurity and Infrastructure Security Agency, the federal agency responsible for monitoring cybercrime, reported a cyber attack that affected the control and communication systems of an unnamed natural gas compression facility.
The cybercriminals used a spear phishing link sent via email to break into the facility’s IT network as well as its operational network, and then used ransomware to encrypt the data on both networks. The compressor station was idle for two days, which led to a loss of productivity and revenue, said the Cybersecurity and Infrastructure Security Agency.
In addition to criminal gangs, cybersecurity experts said, the country’s infrastructure is vulnerable to cyberattacks from countries hostile to the United States. Cyberspace “is the perfect place for nation states to project power and demonstrate their ability to destroy a country’s critical infrastructure if they so choose,” said Grant Geyer, chief product officer for cybersecurity firm Claroty.
The increase in the number and severity of cyber attacks on energy infrastructure targets has led regulators, political leaders and experts to call for greater government intervention in an area that has largely been left to the private sector. Just days after the Colonial Pipeline attack, Richard Glick, chairman of the Federal Energy Regulatory Commission, called for mandatory cybersecurity standards for the pipeline industry, similar to those that FERC imposed on the electricity system more than a decade ago.
Senator John Cornyn, R-Texas, plans to reintroduce a bill first proposed in 2019 that would give the Department of Energy oversight of the physical security and cybersecurity of oil and gas pipelines, a spokeswoman said. The legislation would eliminate the role that the TSA and its parent company, the Department of Homeland Security, have played in these areas.
Cybersecurity standards
However, API refuses to transfer oversight of pipeline cybersecurity efforts from the Transportation Security Administration, which has worked closely with the industry since the agency was established following the September 11, 2001 terrorist attacks.
“TSA has worked with the pipeline sector for 20 years,” said Lemieux, API cybersecurity expert. “You know the company; they know the operations; they understand how pipelines work. “
Lemieux cited a security policy issued by the Transportation Security Administration on May 28 as an example of how the agency is working with the pipeline companies to improve the industry’s cybersecurity posture. This policy, which targets approximately 100 oil and gas pipelines designated as part of the country’s critical infrastructure, requires operators to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 12 hours.
Lemieux said API representatives are meeting with TSA officials to discuss how regulators plan to implement the policy, particularly the requirements for reporting cybersecurity incidents. She said the rules could prove burdensome to the pipeline industry if operators were required to report every unsuccessful email phishing attempt on their systems.
“We are not against regulation,” she said. “We just want intelligent regulation. It has to be effective to be actionable. “
Other industry groups, including the Interstate Natural Gas Association of America and the Association of Oil Pipe Lines, are also calling for the government to take a more collaborative approach to pipeline cybersecurity rather than imposing new rules or overhauling the regulatory system.
John Stoody, vice president of the Association of Oil Pipe Lines, argued that the TSA should limit the amount of information pipelines must share with the federal government.
“Our greatest wish is that they get it right, that they have the information they need in a timely manner that is helpful to the government and other pipeline operators,” he said. “We know that cybersecurity attempts hit businesses of all types literally hundreds of thousands of times a day, and almost all of them are unsuccessful. There is an easy way to make requirements that are too broad, which in the end waste a lot of time. “
Evolving Cyber Threats
Meanwhile, the Biden administration and members of Congress are calling for stricter oversight of the pipeline industry’s cybersecurity regulation.
On a recent visit to Houston to meet with city officials, members of the Houston Congressional Delegation, and senior power industry leaders, Energy Secretary Jennifer Granholm said the government should introduce improved cybersecurity standards for the oil and gas industry, similar to those imposed on the power transmission industry were. These requirements include training employees in cybersecurity, setting up electronic security perimeters, installing physical measures to protect systems, and reporting incidents.
There are no comparable regulations for the oil and gas pipeline industry. Granholm acknowledged that adopting such standards would require pipeline operators to make costly investments in cybersecurity.
“There is a continuous improvement in methods by cyber criminals,” said Granholm, “and so our cyber protection installations must be continuously improved.”
According to Emsisoft, a New Zealand software company, the United States was the world leader in reported incidents of ransomware requests last year with 23,661, far surpassing Italy with 9,226 requests. The company estimates that US ransomware Attacks cost up to $ 3.7 billion last year.
Eric Goldstein, assistant director of cybersecurity at the Cybersecurity and Infrastructure Security Agency, said the Colonial Pipeline attack was just the most visible example of the risks threatening public authorities and private companies.
“There were people who for a few days really worried about whether they could fill their tanks for the commute to work and whether gasoline prices would put an increasing strain on their budgets,” he said. “Our country faces a really urgent cybersecurity risk.”
source https://collegeeducationnewsllc.com/industry-pushes-back-against-major-changes-in-pipeline-cybersecurity-rules/
No comments:
Post a Comment