The American Petroleum Institute, the top trade group for the oil and gas industry, spent years opposing federal cybersecurity regulations before the Colonial Pipeline ransomware attack. After the attack, watchdog groups say API is still opposing strong federal regulation and pushing for taxpayer “subsidies” instead.
Colonial Pipeline, one of the largest pipelines in the country, which carries 45% of the fuel from Texas to New York, was forced to shut down after a ransomware attack by the foreign cybercriminal group known as DarkSide. Cybersecurity experts believe that Colonial lacked advanced cybersecurity defenses that can monitor networks for irregularities and detect threats like DarkSide’s infiltration tools. But Colonial is not the first pipeline affected by cyberattacks, and many other pipelines in the U.S. may have similar vulnerabilities.
A ransomware attack hit an unidentified natural gas facility in 2020, forcing it to shut down for two days, according to the Department of Homeland Security. The Cybersecurity and Infrastructure Security Agency said after the attack that the owner of the facility “did not specifically consider the risk posed by cyberattacks” or prepare employees to deal with one.
Federal officials have been sounding the alarm on the lax cybersecurity measures for years. Federal Energy Regulatory Commissioners Neil Chatterjee and Richard Glick warned in a 2018 op-ed that a lack of federal cybersecurity standards left energy firms vulnerable to cyberattacks. The Government Accountability Office in 2019 found that federal cybersecurity guidelines were badly out of date and lacked preparation to respond to an attack on critical infrastructure. After the Colonial attack, the cybersecurity firm Byos estimated that “less than 25% of the U.S. oil and gas industry has adequate cybersecurity in place,” according to Bloomberg News.
One of the reasons that the federal government failed to enact regulations to protect critical infrastructure before the Colonial Pipeline attack appears to be a relentless campaign against federal regulations by the energy industry and API, which has spent more than $20 million on lobbying expenditures since 2018.
Last year, API argued that “voluntary frameworks and public-private solutions, rather than prescriptive federal regulations, offer businesses the know-how and flexibility to respond to the ever-changing security landscape.” The group says its member companies believe the private sector “should retain autonomy and the primary responsibility for protecting companies’ assets” against cyberattacks.
In the aftermath of the Colonial attack, API has changed its tune only slightly, arguing that it is “premature” to discuss regulations “until we have a full understanding of the details surrounding the Colonial attack.” API CEO Mike Sommers even suggested that it was just as important to protect the industry from regulators as from cyberattacks.
“We need, of course, to take care of cybersecurity, but we also need to protect existing infrastructure from attacks from regulators and government officials who want to shut these pipelines down,” he told CNN International this month.
API has instead pushed the federal government to grant exemptions and fuel waivers to energy companies after the Colonial attack. It has also called for policymakers to invest in infrastructure for the energy industry, which already gets millions in federal subsidies.
“For policymakers, this incident should underscore the vital importance of further investment in pipeline infrastructure and expanding the delivery systems that supply the energy resources that Americans need every day,” API’s Lem Smith wrote earlier this month.
A progressive watchdog group accused the group of trying to cash in on the cyberattack.
“In the wake of dangerous cyber threats, the American Petroleum Institute is apparently angrier with the government for stepping up to stop future attacks than they are with the hackers doing the attacking,” Kyle Herrig, president of the left-leaning watchdog group Accountable.US, said in a statement to Salon. “The government has an obligation to protect American interests from cyberattacks including pipelines and other infrastructure — API treating these serious threats as a cash cow to line oil industry pockets while lobbying against the government stepping up protections shows they have the wrong priorities.”
API denied that it opposes federal regulations, pointing Salon to a more recent comment welcoming the Transportation Security Agency’s (TSA) plans to roll out a new regulation requiring companies to report cyberattacks to the government and keep a dedicated cybersecurity coordinator on call.
“Our industry works continuously with policymakers to strengthen cybersecurity, which is an economy-wide issue that requires constant collaboration and information sharing between the public and private sector,” said API Manager of Operations Security and Emergency Response Suzanne Lemieux. “API is supportive of TSA’s efforts to strengthen cyber reporting and is working closely with the administration to develop incident reporting policies and procedures that best protect our critical infrastructure, including pipelines. Any regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure.”
A spokesperson for the group told Salon that it has been working to improve the industry’s pipeline security standards since before the Colonial attack.
Cybersecurity experts, however, say stronger federal regulations are necessary to protect critical infrastructure.
Mike Chapple, a cybersecurity expert at the University of Notre Dame, said in an email to Salon that defending energy infrastructure is “of the utmost national security interest,” adding that government regulation is the only suitable response. “In the absence of regulation, companies are left to their own devices to decide what level of security is appropriate and risk/benefit trade-off decisions are left in the hands of corporate executives who are focused on the firm’s bottom-line profitability,” he said.
That focus on the bottom line is a key reason why most energy firms have not invested enough in cybersecurity measures. Colonial Pipeline, for example, has distributed “nearly all its profits, sometimes more” to its owners even as its “aging pipelines have suffered a series of accidents,” Bloomberg News reported this month.
“Over the years, control of Colonial Pipeline has moved away from oil and gas companies towards private equity firms and institutional investors,” Bill Caram, the executive director of Pipeline Safety Trust, a public interest nonprofit, said in an email. “These types of investors have a history of wringing every dollar of revenue out of an asset while spending as little as possible on things like safety.”
Many companies have focused on efforts to mitigate the threat of cyberattacks, Caram said, but many others have not and don’t plan to, meaning that minimum safeguards must be in place to ensure infrastructure security and protect the environment.
“The industry has been raking in profits over the years, aided by federal subsidies,” he said. “Some operators have not been effective stewards over the critical infrastructure under their charge, diverting funds away from safety and security towards share buybacks and dividends. Taxpayers should not be expected to bail out companies for their lack of responsible asset management.”
The TSA, which oversees the digital security of pipelines, on Thursday issued its first cybersecurity regulation for the pipeline sector. Under the new regulation, about 100 pipeline companies will be required to have a cybersecurity coordinator on call at all times and report any incidents to the Cybersecurity and Infrastructure Security Agency within 12 hours. Pipelines that fail to comply with the regulation could face escalating fines starting at $7,000, a DHS official told NBC News.
But this is just a first step and broader regulation is still needed to ensure the security of key infrastructure, said Morgan Bazilian, director of the Payne Institute for Public Policy and a professor at the Colorado School of Mines.
“Robust and transparent reporting structures, assessments, and related regulations will provide a better defense strategy,” he said in an email. “The directives now being considered by Homeland Security should likely have been in place some time ago. Such approaches need to be applied across the sector and from supply through demand.”
Chapple of Notre Dame said that other industries also had lax cybersecurity before the federal government began regulating them.
“The government has stepped in and set minimum cybersecurity requirements for many other sectors, including nuclear power, health care and financial services,” he said. “It’s time to do the same thing for oil and gas pipelines.”