Published by The Lawfare Institute
in Cooperation With
On May 7, 2021, Colonial Pipeline, which operates the largest fuel pipeline system in the United States, disclosed that it had suffered a cyberattack. Its business systems had been infected with ransomware, malicious software that locks systems until a ransom is paid, usually in the form of cryptocurrency. As a precaution, Colonial shut down its pipelines, severely limiting access to gasoline and jet fuel on the East Coast. It took several days until Colonial was able to resume normal operations. The event was the most significant ransomware attack to target U.S. energy infrastructure to date.
Before the ransomware attack on Colonial Pipeline, the cybersecurity regulations of oil and gas pipelines were largely voluntary. Over the years, pipeline owners and operators had the choice of whether to follow the best practice recommendations articulated by the Transportation Security Administration (TSA). However, the Colonial Pipeline ransomware attack has become a turning point for pipeline cybersecurity regulation.
TSA has issued two mandatory directives to enhance the cybersecurity of pipelines due to the enormous risks associated with ransomware attacks targeting pipeline infrastructure and in response to growing pressure from Congress.
The first directive, referred to as SD-01, requires that pipeline owners and operators report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), designate an in-house cybersecurity coordinator to be available at all times, review current practices, and report any gaps and related remediation measures to TSA and CISA.
The second directive, SD-02, was initially not made public but obtained through a Freedom of Information Act request by the Washington Post. SD-02 is focused on requiring specific safeguards to protect the information technology (IT) and operational technology (OT) against known cyberattacks, like ransomware. This directive requires that pipeline operators and owners “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
At first glance, the two mandatory directives are a welcome step to ensure that pipeline owners and operators implement the basic safeguards required to repel opportunistic and financially motivated attacks, given that such attacks affect virtually everyone due to the United States’ dependency on uninterrupted oil and gas supplies. Yet certain weaknesses in the current approach need to be acknowledged. I discuss many of these weaknesses in a forthcoming article titled “Cybersecuring the Pipeline” that will appear in the Houston Law Review in early 2023. Here, I lay out some of the main problems with the current regulatory landscape of pipeline cybersecurity.
First Weakness: The TSA as a Pipeline Cybersecurity Regulator
To many observers, it is somewhat surprising that TSA is the one entity responsible for ensuring the security of oil and gas pipelines. Indeed, TSA may not be the appropriate entity to take on this important task. The agency has been criticized for lacking the expertise and tools needed to effectively regulate cybersecurity in the pipeline context. For example, it was unclear whether TSA sufficiently consulted industry stakeholders when promulgating its directives or whether it even had the expertise to come up with an effective cybersecurity regulation regime.
Some observers have also criticized TSA and CISA for promulgating directives under emergency authority, which allowed them to forgo industry input through the traditional process of rulemaking. The directives also have not been made available to Congress. Furthermore, the Government Accountability Office noted that TSA had no process for reviewing and revising its guidelines and, therefore, that TSA “cannot ensure that its guidelines reflect the latest known standards and best practices for physical security and cybersecurity, or address the dynamic security threat environment that pipelines face.”
Also notable is TSA’s shortage of human capital necessary to carry out its pipeline cybersecurity mission. The agency had 14 full-time employees working on pipeline cybersecurity in 2012 and 2013, one employee in 2014, and just six employees in 2018. In 2019, TSA employed five pipeline security personnel, none with cybersecurity expertise. TSA has previously acknowledged that it lacks the personnel to fully perform its pipeline cybersecurity mission.
Finally, pipeline operators and owners reported that TSA seems to lack the requisite expertise to regulate cybersecurity in the oil and gas pipeline sector. This lack of expertise and staff shortage has led to an inability to conduct critical security reviews of pipeline cybersecurity: corporate security reviews (CSRs) and critical facility security reviews.
TSA’s poor fit to address pipeline cybersecurity has led to some tensions between the agency and the Federal Energy Regulatory Commission (FERC), an independent agency within the Department of Energy responsible for the electric power sector’s cybersecurity regulation. Two FERC commissioners have expressed their concern as to the adequacy of TSA as a pipeline cybersecurity regulator. Their observation included a call for a different agency to regulate pipeline cybersecurity, one that “fully comprehends the energy sector and has sufficient resources to address this growing threat.” In the same vein, the Biden administration announced its support to move pipeline cybersecurity from TSA to the FERC. Some House members even proposed the Energy Product Reliability Act, to allow the FERC to regulate pipeline cybersecurity.
Second Weakness: Information Sharing Is Not a Panacea
The second weakness relates to the substance of the first directive. The SD-01 directive relies on an information-sharing regime that may not be a panacea for pipeline cybersecurity threats.
One of TSA’s directives for pipeline owners and operators creates an information-sharing regime, which requires that pipeline owners and operators designate a cybersecurity coordinator. The designated coordinator would serve as a primary contact on cybersecurity matters within the pipeline entity and communicate with both TSA and CISA. The directive requires that the cybersecurity coordinator report to TSA and CISA any “cybersecurity incident” affecting the IT or OT of the pipeline owner or operator.
This model of cybersecurity regulation is referred to as “information sharing,” one of the two main models of cybersecurity regulation. The other is deterrence. While information sharing has its appeal, it is often seen as insufficient to address underlying cybersecurity issues. According to Andrea Matwyshyn, both information sharing and deterrence “are not an optimal fit” for today’s threats and security weaknesses. The argument goes that the U.S. cybersecurity regulatory structure should take into account the “reciprocal security vulnerability” nature of most cybersecurity issues, which is “the practical reality that the information security of the private and public sector are inextricably interwoven.” In other words, vulnerabilities in the private sector affect the public sector, and vice versa. It is therefore impossible to isolate a cybersecurity issue to only one sector or actor.
Reciprocal security vulnerability is a concept that should guide today’s pipeline cybersecurity efforts as well. Most pipeline operators or owners are private entities, the vulnerabilities of which are likely to significantly affect the public and public sectors. Information sharing is therefore not enough and should be supplemented by more comprehensive tools. For example, the federal government should share critical threat information with the pipeline sector to fix vulnerabilities promptly and effectively.
A more effective information-sharing approach would be to make pipeline cybersecurity regulation more in line with polycentric governance. As Scott Shackelford and others have articulated, polycentric governance is “a system of governance in which authorities from overlapping jurisdictions (or centers of authority) interact to determine the conditions under which these authorities, as well as the citizens subject to these jurisdictional units, are authorized to act as well as the constraints put upon their activities for public purposes.” In the pipeline context, this would require that pipeline operators and owners share threats, risks, and other relevant information with the other energy sector actors, and vice versa. Electricity, natural gas and oil are interrelated sectors facing similar threats.
Third Weakness: Overreliance on Prescriptive Standards
The TSA directive on pipeline cybersecurity measures (SD-02) is overly reliant on prescriptive standards, meaning that TSA expects critical pipeline operators and owners to adopt certain specific measures to ensure the cybersecurity of their IT and OT. While prescriptive standards may seem appealing in the sense that they specify in detail what measures are to be expected to ensure compliance, this approach would be stronger from a cybersecurity standpoint if it also included performance-based standards.
To achieve greater cybersecurity in the pipeline sector, TSA must include in its directives performance standards, requiring the pipeline operators and owners to achieve certain goals while affording them the freedom to choose the means and methods to do so. A performance-based standard “states requirements in terms of required results with criteria for verifying conformance, but without stating the methods for achieving required results.”
The use of performance-based standards in federal cybersecurity regulation is not unprecedented. For example, both the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act have performance-based cybersecurity standards in addition to prescriptive standards.
The Future of Pipeline Cybersecurity
Congress will ultimately decide whether TSA is the appropriate agency to regulate pipeline cybersecurity. Congress might decide to fund TSA and ensure that it has the requisite expertise and human capital to effectively regulate pipeline cybersecurity. However, there is currently an ongoing debate as to whether a more appropriate agency could be tasked to regulate pipeline cybersecurity. Notably, this debate predates the Colonial Pipeline ransomware attack.
As the debate stands, there are currently three possible approaches. First, the FERC could regulate pipeline cybersecurity. This could be achieved by reinterpreting the Natural Gas Act to be read as empowering the FERC with jurisdiction over “the transportation of natural gas in interstate commerce.” This would effectively transfer pipeline security from TSA to the Department of Energy.
Second, the FERC could certify a new entity, the Energy Product Reliability Organization (EPRO), to regulate pipeline cybersecurity. Under the proposed bill titled the Energy Product Reliability Act, the new EPRO will create standards and enforce them against pipeline owners and operators. This approach seeks to refocus TSA’s authority on physical security, while creating a new entity that will be tasked exclusively with regulating pipeline cybersecurity.
Third, CISA, instead of TSA, could regulate pipeline cybersecurity. The argument goes that CISA is already overseeing 16 critical infrastructure sectors, though it is not clear if CISA can address the intricacies of the pipeline sector. Additionally, CISA has no regulatory authority concerning any critical infrastructure. It can only issue guidance and promote collaboration, including through information sharing.
Empowering the Department of Energy to Regulate Pipeline Cybersecurity
While the three proposals may seem different, they are getting at the same point, which is that TSA is not currently capable of effectively regulating pipeline cybersecurity. The alternative is to let the Department of Energy take TSA’s place. First and foremost, the department may be better suited to fulfill this task, as its energy sector’s cybersecurity regulations have always been mandatory. This has not been the case in the pipeline context.
Letting the Department of Energy regulate pipeline cybersecurity is a persuasive prospect when one considers the interdependency between the electric power and pipeline sectors. Increasingly, the electric power sector relies on natural gas, meaning that any vulnerabilities in pipeline systems will significantly affect the electric power sector. Any vulnerabilities affecting pipeline systems will in turn affect the entire energy sector, and vice versa. For example, pipeline pumping stations depend on a reliable source of electricity. Any cybersecurity incident affecting the electricity supply will also hinder the ability of pipelines to perform their role.
Even so, the energy sector’s cybersecurity regulations are not without criticism. Yet the FERC’s expertise and record may prove useful in the pipeline context, and the appropriate revisions to the agency’s authority may result in a better form of cybersecurity regulation for the pipeline sector.
There also have been some proposals to include other agencies and entities in different aspects of pipeline cybersecurity. Recently proposed bills have included a proposal to authorize the secretary of energy to perform a certain role in pipeline cybersecurity, a proposal to require that the FERC consult with TSA on cybersecurity and interstate gas pipeline permit applications, and other bills empowering the Department of Energy, the U.S. Coast Guard and the National Institute for Standards and Technology, and the Pipeline and Hazardous Materials Safety Administration to have roles in pipeline cybersecurity. These overlapping authorities may be cause for concern if they result in conflicting or confusing guidance.
Overall, it appears that either TSA should have some pipeline cybersecurity authority or none at all. Unless TSA is sufficiently funded and staffed, alternative proposals seem likely to prevail in the future, especially given the incomplete nature of the two TSA directives and the many possibly catastrophic risks faced by the oil and gas pipeline sector.
Author Note: A thank you to Professors Jim Dempsey and Warigia Bowman for their comments on this post.