The Congressional Research Service (CRS) released a report that analyzes cyber security risks that exist in the pipeline network, which is vital to the economy and integral to the nation’s energy supply, with links to power plants, refineries, airports, and other critical infrastructure sectors. Pipeline companies employ technologies that enable them to achieve business and operational efficiencies, but these technologies are susceptible to cybersecurity risks—and these risks have been growing. These potential cyber security risks can target control systems and information technology, as well as launch ransomware attacks.
Attacks against operational technology (OT) can cause physical disruptions that increase the probability of pipeline failure and environmental damage, while some attacks to IT such as ransomware can have an effect on OT as well if they spread to those systems or the company opts to shut down its OT to prevent further damage, as was witnessed in the recent Colonial Pipeline attack in May.
OT enables cyber-physical linkages which allow dispersed equipment to be centrally monitored and controlled. OT includes industrial control systems (ICS), such as supervisory control and data acquisition (SCADA) systems, distributed control systems, and programmable logic controllers, according to the CRS report. IT and OT both may be coupled with Internet of Things (IoT) devices. The complexity of simultaneously operating both types of systems can create novel opportunities for malicious actors to gain access and manipulate systems.
The CRS serves as shared staff to congressional committees and members of Congress. Its experts assist at every stage of the legislative process — from the early considerations that precede bill drafting, through committee hearings and floor debate, to the oversight of enacted laws and various agency activities.
The report identified five specific issues that have raised concern and may warrant further congressional consideration. These include TSA’s pipeline cybersecurity resources, nature of federal cybersecurity standards, roles and coordination among federal entities involved in pipeline cybersecurity, uncertainty about cyber security risks to the nation’s pipeline network, and coordinating a national pipeline strategy.
The CRS report examines the federal role in protecting natural gas, oil, and refined products pipelines from cyber threats, including the agencies involved and their pipeline cybersecurity activities, and looks into the federal response to the Colonial Pipeline cyberattack. It also provides an overview of selected issues for Congress, including legislative proposals to change federal pipeline security programs.
The cybersecurity of the nation’s energy pipelines was brought into focus after the Colonial Pipeline cybersecurity incident. A July report from the House Committee on Homeland Security stated, “as illustrated by the May 2021 Colonial Pipeline attack, the need for the Federal government to raise the bar on cybersecurity among pipeline operators is particularly acute.”
After this, several bills in the 117th Congress were introduced in the area of federal pipeline cybersecurity programs. These include the Pipeline Security Act (H.R. 3243), the Pipeline and LNG Facility Cybersecurity Preparedness Act (H.R. 3078), and the Promoting Interagency Coordination for Review of Natural Gas Pipelines Act (H.R. 1616), the CRS report said. In addition, the Colonial Pipeline incident has led to changes in the government’s oversight of pipeline cybersecurity under existing statutory authorities.
As part of the second security directive issued in July, TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas are required to enforce several urgently needed protections against cyber intrusions, according to the report. The security directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and OT systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review, according to a statement released by the TSA.
The CRS report also analyzes the two agencies within the Department of Homeland Security that have primary responsibility for pipeline cybersecurity, the Transportation Security Administration (TSA) and the Cybersecurity and Infrastructure Security Agency (CISA). TSA has had regulatory authority for security across the transportation sector, including pipelines, for two decades. For most of this time, TSA relied on voluntary pipeline cybersecurity guidance and best practices. The agency recently imposed mandatory requirements for pipeline cybersecurity after the Colonial Pipeline attack, when it issued two cybersecurity directives.
CISA has more extensive cybersecurity capabilities and provides technical expertise to assist both TSA and industry partners in improving cybersecurity. CISA has conducted cyber risk assessments of pipeline operators and has received cybersecurity incident reports from companies under the TSA’s pipeline cybersecurity directives.
Other federal entities also are involved with pipeline cybersecurity, the report said. They include the Department of Transportation’s Pipeline and Hazardous Materials Safety Administration, which is the nation’s pipeline safety regulator and partners with TSA on security issues, and the Department of Energy’s (DOE’s) Cybersecurity, Energy Security, and Emergency Response office, which is congressionally mandated to research cyber security risks and coordinate federal response to energy sector cyber incidents.
The Government Accountability Office, federal agencies, and industry stakeholders have raised several specific pipeline cybersecurity issues of ongoing interest to Congress, including resources, standards, agency rules, and threat information.
TSA resources devoted to pipelines (and cybersecurity thereof) have been small relative to its other priorities such as aviation. TSA officials have testified that the agency will increase staffing in fiscal years 2021 and 2022, but it is uncertain whether the increases will be sufficient to manage cyber risk, the CRS report said. With the issuance of TSA’s directives, questions around cybersecurity standards have arisen. TSA is requiring process standards such as having a process to report incidents, rather than design standards like prescribing a technical specification for user access controls. The sufficiency of this approach is under debate.
Whether other federal agencies should have responsibility for pipeline cybersecurity has been under discussion. For instance, some have argued for the DOE to expand further into pipeline cybersecurity, or for the Federal Energy Regulatory Commission (FERC) to regulate pipeline operators, the CRS report pointed out. The quality, quantity, and timeliness of cybersecurity risk information originating with the government and being shared with the private sector continue to be an area of focus, according to the CRS report. In addition to these specific issues, Congress may want to assess how the various elements of U.S. pipeline cybersecurity and critical infrastructure security will fit together most effectively in the nation’s overall strategy to protect critical pipelines.
The CRS report said that pipeline security necessarily involves various groups, such as federal agencies, pipeline associations, large and small pipeline operators, and the broader industrial cybersecurity community. Reviewing how these groups work together to achieve common goals could be an overarching challenge for Congress.