
Colonial Pipeline Attack Leads to Calls for Cyber Regs

Lawmakers, Others Say Ransomware Attack Demonstrates Need for Enhanced Security
Photo: Orbital Joe via Flickr/CC

The ransomware attack against Colonial Pipeline Co., which has disrupted the flow of gasoline and other petroleum products throughout the eastern U.S. since Friday, is prompting members of Congress to call for new cybersecurity regulations.


Several lawmakers have called for national breach notification laws that would require businesses and government agencies to report when they are victims of an attack. Lawmakers have also started to pose questions to regulatory agencies that oversee cybersecurity in the gas and oil industry.

In the meantime, the Biden administration is preparing to focus more on security in the oil and gas industry.

Beyond SolarWinds

Before the pipeline incident, the SolarWinds supply chain attack had led Republican and Democratic lawmakers to push for more expansive measures to address a host of cybersecurity concerns. These include expanding the role of the Cybersecurity and Infrastructure Security Agency and implementing new regulations for critical infrastructure, especially the nation's electrical grid.

The Biden administration plans to issue executive orders designed to help improve the nation's cybersecurity posture. These will likely address how federal agencies buy and use software and steps that can be taken to improve the supply chain.

Now, lawmakers and the White House are turning their attention to oil and gas firms in the wake of the Colonial Pipeline ransomware attack and questioning whether the industry needs greater cybersecurity oversight (see: Rise of DarkSide: Ransomware Victims Have Been Surging).

The FBI says the Colonial Pipeline attack used the DarkSide ransomware. The incident has interrupted service for the firm's customers across the southern and eastern U.S., who are served by a pipeline system of more than 5,500 miles. The company's stated goal is to "substantially" restore its fuel transport services by the end of this week.

Breach Notification Law

U.S. Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, said Wednesday the ransomware attack against Colonial Pipeline, along with the attacks against SolarWinds and vulnerable on-premises Microsoft Exchange email servers, should prompt Congress to pass a national data breach notification law. Previous efforts to enact such legislation have failed.

"These cyberattacks threaten the safety of our nation, the stability of our supply chains, and even the well-being of the American people," Warner said. "They also point to the need to rethink our nation's defenses - from how we manage and secure the supply chain all the way through how government agencies manage their defenses. We need a mandatory reporting system in place to ensure that private companies report cyberattacks in real time. And our committee is working on legislation that will do just that."


At a Tuesday hearing of the Senate Homeland Security and Governmental Affairs Committee, Sen. Gary Peters, D-Mich., chairman of the committee, and Sen. Rob Portman, R-Ohio, the ranking member, said Congress should consider updating the 2014 Federal Information Security Modernization Act to ensure that federal agencies report when they are victims of attacks (see: CISA Awaits Technical Details on Colonial Pipeline Attack).

Peters and Portman are also pushing a new bill called the Cyber Response and Recovery Act, which would require the secretary of the Department of Homeland Security to declare a "significant cyber incident" when there is a major breach or attack on a public or private network.

Regulatory Focus

Other lawmakers have turned their attention to the federal agencies that regulate the oil and gas industry, including the Transportation Security Administration. The TSA has jurisdiction over interstate pipelines.

In 2018, the Government Accountability Office released a report that criticized the TSA's pipeline security oversight and noted that an attack on a pipeline can have far-reaching consequences.

"Given that many pipelines transport volatile, flammable, or toxic oil and liquids, and given the potential consequences of a successful physical or cyberattack on life, property, the economy and the environment, pipeline systems are attractive targets for terrorists, hackers, foreign nations, criminal groups and others with malicious intent," the GAO report noted.

On Tuesday, Rep. John Katko, R-N.Y., the ranking member of the House Homeland Security Committee, wrote a letter to Acting CISA Director Brandon Wales asking for an update on the agency's pipeline cybersecurity initiative, which is run in conjunction with the TSA and the Department of Energy.

Katko asked about the status of a program called the Validated Architecture Design Review, which was created to detect vulnerabilities in pipeline systems. He inquired about how many reviews have been conducted, whether Colonial Pipeline and similar companies have been scrutinized, and what steps have been taken to mitigate any vulnerabilities identified.

"In the wake of the Colonial Pipeline ransomware incident, ensuring the success, growth and effectiveness of the pipeline cybersecurity initiative is more important than ever before," Katko noted in the letter, asking for a briefing about the program by June 1.

In the meantime, Rep. Yvette Clarke, D-N.Y., chair of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said Tuesday that she plans to hold hearings about the Colonial Pipeline attack.

President Joe Biden on Monday noted that the White House has already implemented a 100-day plan to improve cybersecurity within the nation's electrical grid and that the oil and gas industry will now follow a similar program. The president also noted that many of these security decisions are left to private companies.

"My administration is also committed to safeguarding our critical infrastructure … much of which is privately owned and managed, like Colonial," Biden said.

A Call for Standards

On Monday, Richard Glick, the chairman of the Federal Energy Regulatory Commission, which regulates interstate natural gas pipeline transmission in the U.S., called for mandatory and uniform cybersecurity standards for the gas and oil industry.

"It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," Glick says. "Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend."

Megan Stifel, the executive director of the Americas for the Global Cyber Alliance, is urging Congress to review a report released this month by the Institute for Security and Technology's Ransomware Task Force, which offers nearly 50 recommendations and a framework for tackling ransomware.

"Given the emerging details that DarkSide is associated with a number of other attacks in recent months, both the reporting and ransomware framework recommendations would help to reduce these risks by better informing hygiene and network defense practices as well as enhance investigative efforts," Stifel says.


About the Author

Scott Ferguson

Scott Ferguson

Managing Editor, GovInfoSecurity, ISMG

Ferguson is the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
