Thursday, May 27, 2021

Pipeline Security

Eakinomics: Pipeline Security

Washington doesn’t do everything well, but you can’t beat it at closing the barn door after the horses have bolted. The cyberhack of the Colonial Pipeline was a real economic attack. The pipeline stretches over 5,000 miles and carries gasoline, diesel fuel, and jet fuel. The 11-day halt in operation resulted in fuel shortages along the Eastern Seaboard and 16,000 filling stations failed to receive fuel.

Now, the Washington Post is reporting that “The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast’s fuel supply this month….” That’s right, the Transportation Security Administration (TSA) – the very same folks that are your friendly airport greeters – will “issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said.” But TSA is not done. There will be additional rulemaking. “The new rules, expected in the coming weeks, will require companies to correct any problems and address shortcomings or face financial penalties, officials said.”

Meanwhile, as explained by AAF’s Ewelina Czapla, “the U.S. House Committee on Energy and Commerce reintroduced bipartisan legislation, the Pipeline and LNG Facility Cybersecurity Preparedness Act, which would create a new office to address pipeline security at the Department of Energy.”

Notice, however, that the Department of Homeland Security already has jurisdiction over cybersecurity and pipelines, so this may prove to be a redundancy. And what will this redundant office do? It will gather information, develop best-practice protocols, and even create new computer programs that will fight cyberattacks.

The real question is how does any of this make the Colonial Pipeline more secure against cyberattack? If Colonial did not have a good feel for the risks it faces, the $4.4 million in ransom it paid presumably brought it an appropriate understanding of the return to investments in preventing cyberattacks. And the techniques and tools for doing so are available in the private sector. If the incentives are in place and the means are at their disposal, just what, exactly, will new offices, programs, and reporting requirements do?

