Pipeline Cybersecurity Solutions Suffer From Oversight Divide

Concerns about cybersecurity jurisdiction over critical infrastructure pose a potential hurdle for congressional efforts to set stronger oversight after recent hacks against Colonial Pipeline Co. and JBS SA, with lawmakers set to delve into one of the breaches in hearings this week.

At least five congressional committees oversee similar pipeline cybersecurity issues at departments including Homeland Security and Energy, leading to tensions and delays in the effort to advance unified cybersecurity legislation that requires the sign-off of the various panels.

Congress and the federal agencies need a unified effort to legislate and head off cyberattacks facing the public and private sectors, according to Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.

“We really need a one team approach. Not only with pipelines, but with energy security,” Cilluffo said. “One of the big issues vis-a-vis pipelines is also their interdependency, potentially, to the electric grid, which is the most critical of critical infrastructures underpinning our economy.”

The jurisdictional split by the committees is complicated by diverging cybersecurity and infrastructure oversight at federal agencies.

Pipeline cybersecurity is overseen by DHS’s Transportation Security Administration, which covers pipeline operational technology and industrial control systems, and DOE, which oversees energy commodities that move through the pipelines. Under law, only TSA has the authority to regulate pipelines as transportation infrastructure, and therefore set cybersecurity standards and reporting requirements.

In response to the Colonial Pipeline ransomware attack, TSA issued a cybersecurity directive requiring pipeline operators to report cyberattacks. But the directive is only effective for a year until any future regulations are enacted or Congress passes legislation.

Committees Take Diverging Approaches

House committees took different approaches to assert their jurisdictional control after the attack. The House Homeland Security and Energy and Commerce committees both reintroduced bipartisan bills seeking to separately codify TSA and DOE authorities over pipeline cybersecurity.

The Homeland Security Committee, which oversees DHS, advanced legislation (H.R. 3243) to codify TSA’s responsibility for securing pipelines against cybersecurity and physical threats.

The Energy and Commerce Committee, overseeing DOE, reintroduced a measure (H.R. 3078) to strengthen the Energy Department’s ability to respond to physical and cybersecurity threats to pipelines and liquefied natural gas facilities.

The energy panel’s legislation includes language stating the bill wouldn’t affect the authority of other federal agencies with pipeline oversight. Still, the House Homeland Security Committee opposes the bill because it doesn’t name TSA as the reigning oversight agency and would duplicate authorities, which could lead to confusion and poor communication, according to an aide for the panel.

A spokesperson for the Energy and Commerce Committee said that while the committee has been critical of the TSA’s pipeline oversight to date, that agency has an important role to play in security. The spokesperson said the panel’s bill would explicitly preserve TSA’s existing authority, and a committee report accompanying last year’s bill specified TSA’s authority by name.

Across the Capitol, Senate Energy and Natural Resources Chairman Joe Manchin (D-W.Va.), whose committee oversees DOE, said he’s interested in talking with Senate Commerce, Science and Transportation Chair Maria Cantwell (D-Wash.) about working across committees to address pipeline cybersecurity. Cantwell’s committee oversees TSA in the Senate.

“We have no problem working together at all,” Manchin said.

Sen. Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission that is charged with creating a national cyber strategy, said the Energy Department or the Federal Energy Regulatory Commission could be better agencies to regulate pipeline cybersecurity.

King said the current law giving TSA authority is based on “a legacy of thinking of pipelines as transportation — they’re not a cybersecurity agency.”

No legislation has been introduced to change those authorities, and any potential bill would likely face pushback from committees overseeing DHS.

Rep. Jim Langevin (D-R.I.), also on the commission, criticized TSA’s handling of pipeline cybersecurity, but said additional funding could help solve the issue.

“TSA’s pipeline security team is woefully under-resourced,” Langevin said. “That is the root problem we’ve been facing in the sector for years and that has been thrown into stark relief by the Colonial ransomware incident.”

Lawmakers raised concerns with the White House’s Colonial Pipeline Task Force, which tapped DOE, DHS, and other agencies to assess the effect of the hack on the fuel supply.

House Homeland Security Chair Bennie Thompson (D-Miss.) wrote to National Security Adviser Jake Sullivan seeking clarity on why DOE was tapped, despite lacking authority over pipelines, according to a House Homeland Security Committee staffer.

Oversight, Cyber Director Hearings

Two hearings are planned this week to review the Colonial Pipeline hacks. The Senate Homeland Security and Governmental Affairs and House Homeland Security committees will each hear testimony from Colonial Pipeline Chief Executive Officer Joseph Blount Tuesday and Wednesday.

Cantwell said she plans to hold a hearing soon on Colonial Pipeline and cybersecurity of critical infrastructure.

Senators will also weigh the Biden administration’s nominee for the newly created national cyber director role this week. The position, recommend by the Cyberspace Solarium Commission and established via the 2021 National Defense Authorization Act (Public Law 116-283), has the potential to unify the government’s fragmented cybersecurity approach.

The director would oversee all federal agencies’ approaches to cybersecurity, including cyber-related budget requests, and would report to Congress.

The Biden administration nominated Chris Inglis, a former deputy director at the National Security Agency, for the job. The Senate Homeland Security Committee will hear from Inglis about his nomination on Thursday.

“The national cyber director can play a significant role in ensuring a one team approach,” said Cilluffo, who is also on the commission. “It has the potential to unify budgets to meet some of the discreet needs around critical infrastructure security.”

Kellie Lunney in Washington and Shaun Courtney in Washington also contributed to this story.

To contact the reporter on this story: Rebecca Kern in Washington at rkern@bgov.com

To contact the editors responsible for this story: Giuseppe Macri at gmacri@bgov.com; Zachary Sherwood at zsherwood@bgov.com