Colonial hack exposed government’s light-touch oversight of pipeline cybersecurity
The TSA is reversing its hands-off approach to overseeing pipeline cybersecurity in the wake of devastating ransomware attack on critical U.S. infrastructure
Three times over the past year, Colonial Pipeline and the Transportation Security Administration discussed scheduling a voluntary, in-depth cybersecurity review — an assessment the federal agency began doing in late 2018 to strengthen the digital defenses of oil and natural gas pipeline companies, according to a company official and an industry official familiar with the matter.
But no such review of Colonial’s systems has occurred, according to a Colonial spokesman. And the pipeline company has previously told federal officials it wants to first complete a headquarters move to a new building — probably in November — though the spokesman, Kevin Feeney, said on Friday that it may allow a review sooner.
It’s unknown whether the government-run cybersecurity assessment would have helped Colonial avert the ransomware attack that locked up some of its computer systems this month — and led the company to shut down its entire pipeline, leaving large swaths of the East Coast with fuel shortages.
But a range of current and former officials and cybersecurity experts say the company’s ability to avoid a government review underscores how a voluntary, arms-length approach by federal officials over nearly two decades has left key elements of the nation’s critical infrastructure at risk.
“I’m very concerned whenever I see a lack of urgency given the potential threats we face,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus. “You’re leaving so many areas exposed by not having a review — and addressing at least the vulnerabilities that you can identify.”
Now, in the attack’s wake, the Department of Homeland Security, which houses the TSA, is reversing course, scrapping two decades of a voluntary regime for pipeline cybersecurity and moving for the first time to mandatory rules.
