U.S. senators have re-introduced a bipartisan bill to protect pipeline security from cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines. The bill will also support efforts by the Department of Homeland Security to secure pipelines and related facilities.
The bill, titled “Pipeline Security Act,” is to work in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) against cybersecurity threats that jeopardize the physical security or cybersecurity of such transportation or facilities, in order to ensure the security of pipeline transportation and pipeline facilities. In addition to transporting oil, these pipelines also transport gas that heats homes and generates electricity.
Calling for the need to do more and ensure the safety of energy infrastructure, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have established and enforced mandatory cybersecurity standards for the bulk electric system. But such comparable mandatory standards are missing for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States.
The FERC has called for mandatory cybersecurity standards for the nation’s pipeline infrastructure. “It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector, FERC Chairman, Richard Glick, said in a statement. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”
The pipeline security legislation was re-introduced by Emanuel Cleaver II, a Democrat from Missouri, along with Committee on Homeland Security Chairman Bennie Thompson, a Democrat from Mississippi, Committee Ranking Member John Katko, a Republican from New York, and 12 members of the committee.
The new legislation is particularly timely given the recent DarkSide ransomware incident, which infected IT systems at Colonial Pipeline leading to the fuel pipeline operator shutting down operations for multiple days. The fuel pipeline company has not provided any details of the exact cause of the cybersecurity incident, the number of systems affected by the ransomware, or if any data was stolen in the cybersecurity attack.
“It’s become clear that cyber-attacks on our critical infrastructure are national security and economic threats to the homeland,” said Congressman Cleaver in a media statement. “The recent ransomware attack on the Colonial Pipeline, which caused the shutdown of thousands of miles of gas pipeline along the East Coast, was just the latest example of why Congress must act swiftly to harden our critical infrastructure and bolster our cybersecurity capabilities,” he added.
“The recent ransomware attack against Colonial Pipeline Company further highlights the threats facing our nation’s critical infrastructure and the potential cascading impacts cyber attacks can have on our economy,” said Ranking Member Katko. “With the attacks of this nature on the rise, it’s more important than ever to strengthen our cyber resilience.”
The Act seeks to explicitly codify the Transportation Security Administration (TSA) and the CISA roles in securing pipelines. The TSA has been the primary federal entity responsible for protecting against cyberattacks, terrorist attacks, and other efforts that disrupt the more than 2.7 million miles of pipelines that distribute hazardous liquids across the country.
It will also codify TSA’s Pipeline Security Station and require TSA to develop a personnel strategy for staffing it, in addition to requiring the TSA to update pipeline security guidelines within a year of enactment. It also improves mechanisms for stakeholder engagement and congressional oversight of TSA’s efforts. The Act will reinforce support for the TSA’s security mission, and increase the agency’s engagement with relevant public and private stakeholders.
Though the TSA has led the federal government’s pipeline security efforts since its inception in the aftermath of the Sept. 11th attacks, the division that carries out these critical functions has yet to be codified into law. The new Pipeline Security legislation provides permanence to the section and explicitly highlights TSA’s pipeline security responsibilities.
Under the Pipeline Security Section, it will be required to update TSA’s pipeline security guidance within one year of enactment. The bill also ensures the Pipeline Security Section is responsible for developing and maintaining security guidance to help guard pipelines against cyberattacks, terrorist attacks, and other threats, in coordination with federal, state, local, private sector, and other stakeholders. It will also conduct security assessments of specific pipelines, and issuing recommendations to pipeline operators regarding their security plans, policies, and practices.
The section will also rank the relative security risk of pipelines and inspect critical facilities. In carrying out these tasks, the Pipeline Security Division will be staffed by personnel with requisite knowledge of the pipeline industry and personnel with appropriate cybersecurity expertise.
The legislation will require the TSA to report annually to Congress regarding the activities of the newly codified Pipeline Security Section. This will include updates regarding the security guidelines, assessments, and inspections required under the bill. Within one year of enactment, TSA will also be required to consult with pipeline stakeholders to discuss security matters. Within two years of enactment, the Government Accountability Office will conduct a review of the legislation’s implementation.