(Bloomberg) -- The federal agency charged with protecting the nation’s pipelines hasn’t imposed any mandatory cybersecurity requirements since its creation in wake of the Sept. 11, 2001 terrorist attacks -- despite dire warnings from the intelligence community about vulnerability to hackers.
Instead, the U.S. Transportation Security Administration’s Pipeline Security Branch, which oversees nearly three million miles of pipelines, has relied on voluntary best practices and self-reporting by the industry to secure the operations. Those measures have alarmed pipeline safety advocates and been criticized as inadequate by government regulators and lawmakers.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Richard Glick, chair of the Federal Energy Regulatory Commission said in a statement. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”
FERC has used authority it received under a 2005 law to set robust cybersecurity standards for the electric grid, but its power does not extend to pipelines. The Pipeline Security Branch can impose mandatory cybersecurity rules “if the agency determines that regulations are appropriate,” according to the Congressional Research Service. The industry has opposed such measures.
The approach of the Pipeline Security Branch, which had just 34 full-time staff positions, has been the subject of criticism by the Government Accountability Office, which said in a 2018 report it found “significant weaknesses” in the agency’s management of pipeline security.
Colonial Pipeline Co. on Friday halted operations on the 5,500-mile (8,851.4 kilometers) pipeline system, a critical supply of gasoline and other refined products to New York and other cities along the east coast, after it fell victim to a ransomware attack by hackers.
The Alpharetta, Georgia-based company has said it’s manually operating a segment of the pipeline running from North Carolina to Maryland and expects to substantially restore all service by the weekend. The pledge may not come fast enough to avert immediate shortages in the U.S. Southeast, where gas stations have reported selling out of fuel.
Cybersecurity experts and government officials have warned for years about the consequences of a pipeline hack, including in 2019 when a report by the Office of the Director of National Intelligence Daniel Coats warned that a cyber-attack could disrupt a pipeline “for days to weeks.”
“It absolutely is a problem,” said Rebecca Craven, program director for the Pipeline Safety Trust, a Bellingham, Washington-based watchdog group. “These are lines running through communities handling hazardous materials and the public needs to be aware of threats to him.”
In a statement, the Transportation Security Administration said the security unit had increased its staff to 34 from six in 2018 but did not respond to a question about whether it planned to issue mandatory cybersecurity regulations.
“Through public and private partnerships and continued expansion of staffing and resources, TSA works tirelessly to enhance pipeline security measures,” the agency said. “TSA will continue to work in close coordination with government and pipeline partners to evaluate the key factors garnered from the cyber incident and determine opportunities to reduce and mitigate risk across the sector.”
A spokeswoman for the gas industry also defended the approach.
“TSA Pipeline Security Guidelines act as a floor, whereas mandates provide a ceiling,” said Kimberly Denbow, a managing director with the American Gas Association, which represents companies like pipeline operator Enbridge Inc. and utility Duke Energy Corp. “No regulation is faster than our adversaries’ ability to circumvent it. As soon as a mandatory compliance scheme is developed, it’s obsolete.”
A lack of qualified inspectors -- the agency had just one in 2014, according to the GAO -- had left the agency unable to make a comprehensive review of pipeline security, the 2018 GAO report said. The report also found “a lack of clear definitions” about what constituted a “critical facility” for which extra security should apply.
That had led one-third of the nation’s top 100 pipeline systems to report they had identified no critical facilities.
“It’s clear from GAO’s work that while pipelines are reliable today, the Transportation Security Administration is not fully prepared to face the challenges of tomorrow,” Washington Senator Maria Cantwell and New Jersey Representative Frank Pallone, both Democrats, wrote in a letter to the Department of Homeland Security at the time. “I’m concerned that TSA lacks both the resources and expertise in energy delivery systems to keep up with its obligations under the law.”