Pipeline Hack Spurs Focus on Other Infrastructure Cybersecurity

  • Lawmakers raise need for mandatory cybersecurity requirements
  • Transportation deputy pledges coordination across agencies

The ransomware attack on Colonial Pipeline Co. demonstrated why cybersecurity defenses need to be “a core priority” for critical infrastructure, Deputy Transportation Secretary Polly Trottenberg told lawmakers.

A cyberattack last week shut down the country’s largest gasoline pipeline for six days. Trottenberg said it had been a good “learning experience,” reminding the administration of the importance of partnering with private companies to protect critical infrastructure beyond traditional threats, such as extreme weather events.

“The cyber attack on the Colonial pipeline has showed us kind of the two worlds coming together: cybersecurity and physical infrastructure,” Trottenberg said at a Thursday hearing of the Senate Appropriations transportation subcommittee. “Not only do all the government agencies need to be working together, but we need to be working closely with the private sector as well.”

Colonial Restarts After Cyberattack But Fuel Curbs to Linger

Photo: Sarah Silbiger/Bloomberg via Getty Images
Deputy Transportation Secretary Polly Trottenberg speaks during a Senate Appropriations subcommittee hearing on May 13, 2021.

Subcommittee ranking member Susan Collins (R-Maine) said the pipeline issue demonstrated the need for mandatory reporting requirement, and for U.S. critical infrastructure to be resilient against such attacks.

About 85% of critical infrastructure in the U.S. is privately owned and operated, Collins said, pointing to the need for more cooperation and reporting between public and private sectors. The Federal Emergency Management Administration identifies certain transportation systems, water facilities, chemicals, and a variety of other sectors as critical infrastructure.

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

‘Different Pieces of the Puzzle’

Sen. Brian Schatz (D-Hawaii), chair of the subcommittee, said no federal agency sets mandatory cybersecurity standards for the country’s pipelines.

Within the Homeland Security Department, the Transportation Security Administration’s pipeline security branch has relied on voluntary best practices and industry self-reporting to secure pipeline operations.

U.S. Pipeline Watchdog Rebuffed Call for Cybersecurity Rules

“The recent events of the Colonial Pipeline also highlight the need to incorporate cybersecurity into our resiliency framework,” Schatz said.

Sen. Jack Reed (D-R.I.) said the pipeline hack revealed the complex regulatory structure for pipelines.

“Different agencies sort of have different pieces of the puzzle,” Trottenberg responded. “We need to be integrated.”

She said the Departments of Energy, Defense, Transportation, and Homeland Security worked together on the recent pipeline attack, and President Joe Biden directed the entire administration to continue work on the issue of cybersecurity. Biden signed an executive order on Wednesday to improve federal cybersecurity.

“We want to make sure agencies bring their relevant expertise to the table, but that we’re not stovepiped,” Trottenberg said.

To contact the reporter on this story: Lillianna Byington in Washington at lbyington@bloombergindustry.com

To contact the editors responsible for this story: Sarah Babbage at sbabbage@bgov.com; Anna Yukhananov at ayukhananov@bloombergindustry.com

Top