Biden Official Endorses Effort to Move Pipeline Cybersecurity Regulation to DOE

WOODBINE, MD - MAY 13: In an aerial view, fuel holding tanks are seen at Colonial Pipeline's Dorsey Junction Station on May 13, 2021 in Woodbine, Maryland.

WOODBINE, MD - MAY 13: In an aerial view, fuel holding tanks are seen at Colonial Pipeline's Dorsey Junction Station on May 13, 2021 in Woodbine, Maryland. (Photo by Drew Angerer/Getty Images)

An emergency directive from the Transportation Security Administration following the Colonial Pipeline attack faced opposition from Senate Republicans after the industry complained they weren’t sufficiently consulted beforehand.

The Biden administration’s current approach to securing pipelines from cyberattacks is not ideal, according to the chairman of the Federal Energy Regulatory Commission, testifying Wednesday in support of legislation that would create a new entity at the Department of Energy for that purpose.

Congress and the administration zoomed in on cybersecurity for pipelines after a ransomware attack on Colonial Pipeline disrupted fuel supplies along the East Coast in May. After the incident, Colonial Pipeline CEO Joseph Blount said cybersecurity mandates the Transportation Security Administration was preparing to roll out in response could be helpful.  

But after TSA released its directive requiring specific cybersecurity controls for the sector, three top Republican senators wrote a letter of concern to the inspector general for the Department of Homeland Security where TSA is housed. They asked that he investigate the agency’s motives and the level of consultation they did with industry in advance of issuing the directive, which the industry criticized for being overly prescriptive.    

Democrats on the House Energy and Commerce Committee think they have the solution. Legislation proposed by Rep. Bobby Rush, D-Ill., chairman of the committee’s panel on energy, would create a new self-regulatory entity that would operate with sign-off from FERC, an independent agency within DOE. The “Energy Product Reliability Organization” would be formed in the mold of the North American Electric Reliability Council

NERC is made up of industry stakeholders who shape and enforce their own Critical Infrastructure Protection, or CIP, standards for the electricity sector. Pipelines for the transport of oil and gas are not covered there.   

“Given that this proposed energy product reliability organization is essentially modeled on the electric reliability organization, do you think that the industry led stakeholder process established by Chairman Rush's legislation would likewise be a successful mechanism for protecting the reliability of the oil and gas infrastructure?” Committee Chairman Frank Pallone, D-N.J., asked FERC Chairman Richard Glick. 

“I believe so,”Glick said. “The electricity model has worked very well … and I believe a similar model will work with pipeline reliability.”

Also testifying at the hearing, DOE Deputy Secretary David Turk joined Glick in arguing that a longer term regulatory framework—as opposed to the emergency directive that TSA would have to renew after one year—would be more appropriate. Turk added that cybersecurity should be considered as part of reliability for the sector in general, as well as that of other parts of the larger energy generation and delivery apparatus.  

“Electricity is certainly tied hand in hand with natural gas and with other parts of the energy system and we need to be thinking of cybersecurity and reliability and resilience all together and throughout the value chain, and throughout multiple value chains as well,” Turk said. “[The TSA directive] doesn't cover refineries, it doesn't cover other parts of the chain and it's only for a year.”

There is not yet any corresponding legislation listed for the Rush bill on the Senate side, but the chair and ranking member of the Senate Commerce Committee have both stressed the importance of private-sector input in governing cybersecurity in the space.

“Electric companies are working overtime to protect their systems, but the federal government should be part of the solution,” Sen. Maria Cantwell, D-Wash., said during a hearing last summer on the Colonial Pipeline attack. She suggested the government's role should be focused on helping companies appropriately invest in their security. 

“We need to bring about critical infrastructure investments in technology that can help the electricity grid and companies secure their networks from these kinds of intrusions,” she said. “For example, helping utilities install fiber optic technologies to run along their transmission lines, helping them to create closed communications networks using dedicated fiber links for grid monitoring and control that will insulate the electric grid from these cyber-attacks.”