July 2021, Vol. 248, No. 7
Editor's Notebook
A Question of Not ‘If’ but ‘When’
By Michael Reed, Editor-in-Chief
It finally happened, and when it did, it happened in a big way.
The cyberattack on Colonial Pipeline served as the ultimate exclamation point on that pesky declaration pipeline companies had been hearing for years: Your information systems need to be better protected from malicious software.
It is certainly an old refrain, and I take no pleasure in echoing it once again. The shutdown of the United States’ largest transporter of refined fuels lasted only a few days, yet it still resulted in long lines at gas pumps in parts of the country and fueled fears that air travel would be shut down due to a lack of jet fuel. The truly scary part, though, is that it could have been much worse.
Faced with the very real threat of long-term damage to its systems, Colonial found itself left with little alternative but to shut down operation of its entire 5,500-mile (8,850-km) pipeline network. Ultimately, the company paid about $4.4 million to make safe restoration possible.
“I know that’s a highly controversial decision. I didn’t make it lightly,” Colonial CEO Joseph Blount told the Wall Street Journal days after the flow of fuel was restored. “I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
He added that the decision was “the right thing to do for the country.”
Blount’s painful admission went a long way toward illustrating a quandary that, unfortunately, will most likely be faced by other fuel providers going forward – the choice of either leaving their pipeline systems incapacitated by hackers or paying off criminals who then become better financed and are further emboldened to go looking for additional companies to blackmail.
As Republican Sen. Ben Sasse of Nebraska recently put it, “It is a play that will run again, and we are not adequately prepared.”
While the obvious question of the moment is not “will this happen again?” but rather “when will it happen again?,” it behooves owners, operators and cyber-safety providers to work even harder to come up with a solution. It will also necessitate the willingness to spend whatever it takes to do so.
Beyond that, from my perspective anyway, it seems disingenuous that for years now politicians of both major U.S. parties have provided as much lip service as they have about matters of national security but have done next to nothing to bolster cybersecurity for the nation’s infrastructure systems, which include pipelines.
To that point, it was discouraging to see the initial Biden administration infrastructure plan provide so little support for securing either current infrastructure or that which the president proposes to build.
In a more proactive move by the Department of Homeland Security (DHS), however, it appears mandatory cybersecurity requirements for pipelines are becoming a reality – like it or not. Among the conditions announced so far:
- Owners and operators of critical pipelines will need to report confirmed and potential cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and name a cybersecurity coordinator who will be available around the clock.
- Pipeline owners and operators will be required to review their cybersecurity practices and “identify any gaps and remediation measures for risks.”
- The results of their findings must be reported to the DHS Transportation Security Administration and CISA within 30 days.
Up until now, the federal Transportation Security Administration (TSA) had declined to issue cyber-requirements, instead relying on voluntary best practices and self-reporting by the industry. It appears those days are over.
So far, the industry has reacted warily, a position amplified by Association of Oil Pipe Lines (AOPL) spokesman John Stoody, who said, “We want TSA to get right anything they plan to do… An overly broad reporting requirement could overwhelm TSA with hundreds of thousands of cyberattack reports every day. That would not do anyone any good.”
No, it certainly would not, but it is abundantly clear that things need to change.