The ransomware attack on Colonial Pipeline Co. in May 2021 has hit an industry that largely lacks federal cybersecurity oversight, leading to uneven digital defenses against such hacks.
The temporary shutdown of Colonial’s pipeline, the largest conduit for gasoline and diesel to the East Coast, follows warnings by U.S. officials in recent months of the danger of cyberattacks against privately held infrastructure. It also highlights the need for additional protections to help shield the oil-and-gas companies that power much of the country’s economic activity, cyber experts and lawmakers say. “The pipeline sector is a bit of the Wild West,” said John Cusimano, vice president of cybersecurity at aeSolutions, a consulting firm that works with energy companies and other industrial firms on cybersecurity. Mr. Cusimano called for rules similar to the U.S. Coast Guard’s 2020 regulations for the maritime sector that required companies operating ports and terminals to put together cybersecurity assessments and plans for incidents.
More than two-thirds of executives at companies that transport or store oil and gas said their organizations are ready to respond to a breach, according to a 2020 survey by the law firm Jones Walker LLP. But many don’t take basic precautions such as encrypting data or conducting dry runs of attacks, said Andy Lee, who chairs the firm’s privacy and security team. “The overconfidence issue is a serious phenomenon,” Mr. Lee said.
Electric utilities are governed by rules enforced by the North American Electric Reliability Corp., a nonprofit that reviews companies’ security measures and has the power to impose million-dollar fines if they don’t meet standards. There is no such regulatory body enforcing standards for oil-and-gas companies, said Tobias Whitney, vice president of energy security solutions at Fortress Information Security. “There aren’t any million-dollar-a-day potential fines associated with oil-and-gas infrastructure at this point,” he said. “There’s no annual audit.”
Excerpt from David Uberti and Catherine Stupp, Colonial Pipeline Hack Sparks Questions About Oversight, WSJ, May 11, 2021