For the first time the Department of Homeland Security (DHS) is moving to regulate cybersecurity in the pipeline industry. The agency is responding to a computer attack on Colonial Pipeline's East Coast network that crippled nearly half of the company's fuel supply this month – an incident that highlighted the vulnerability of critical infrastructure to online attacks.
The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.
The ransomware attack that led Colonial Pipeline to close its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation’s capital. Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel. The Colonial chief executive has said the company paid $4.4 million to foreign hackers to release their systems.
The cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, the officials said.
According to an anonymous source within the agency who spoke to The Washington Post, failing to meet the forthcoming requirements is likely to result in financial penalties, though how much is unclear. They would have to be fairly substantial in order to change the essential calculus. As Wharton researchers point out, the average cost of a breach in 2017 was just north of $7 million — not a massive expenditure compared to, say, the price tag for implementing top-notch cybersecurity across a swath of legacy systems; they also found that “in the short run, the market jumps in fright after disclosure of a breach, but in a longer period of time (even just a month), there is hardly a difference between a breached and an un-breached company.” In short: a successful breach does very little to a company’s bottom line, either through immediate costs or longer-term stock valuation changes.
The upshot is that TSA’s new rules will need substantial power to inflict financial hardship, or companies probably will not have much incentive to change their lax habits. “The TSA is a great organization that has kept the flying public safe over the years,” said Brian Harrell, former DHS Assistant Secretary for Infrastructure Protection. “However, the TSA does not currently have the expertise or resources to manage a robust mandatory pipeline security compliance regime.”