IE 11 is not supported. For an optimal experience visit our site on another browser.

After Colonial hack, DHS issues first cybersecurity regulation for pipelines

There are few federal government requirements for pipelines to have even basic cybersecurity measures in place.
Colonial Pipeline storage tanks in Woodbridge, N.J., May 10, 2021.
Colonial Pipeline storage tanks in Woodbridge, N.J., May 10, 2021.Ted Shaffrey / AP

The Department of Homeland Security has issued the first cybersecurity regulation for the pipeline sector.

The regulation, issued Thursday morning, is part of the Biden administration’s efforts to bolster security for national infrastructure after a company that operates the largest fuel pipeline in the country was hit with a ransomware attack earlier this month.

Colonial Pipeline shut down all pipeline operations after it was hacked by a group believed to be Russian criminals, who locked some of its computers and demanded a ransom to set them free.

While Colonial was able to restart operations within five days, it had already become one of the most impactful cyberattacks in American history. The United States issued an emergency order to allow truckers to drive overtime to help transport fuel, and gas stations across the country reported outages. Colonial CEO Joseph Blount told The Wall Street Journal he quickly paid the hackers’ $4.4 million demand, but that their program to restore their systems was so slow he hired outside computer experts to do it instead.

While DHS’ Cybersecurity and Infrastructure Security Agency provides guidance to U.S. companies that handle the country’s infrastructure, there are few federal government requirements for them to have even basic cybersecurity measures in place.

Under the new regulation, roughly 100 pipeline companies will be required to keep a cybersecurity coordinator on call at all times, and to report any incident to the Cybersecurity and Infrastructure Security Agency within 12 hours. 

In a call DHS held with reporters Wednesday evening, one senior agency official, who requested to not be named as part of the terms of the call, said that pipeline companies found out of compliance with the new regulation would face escalating fines starting around $7,000.

“There are financial penalties associated with failure to comply with security directives, and those can be imposed on a daily basis, so they can ramp up pretty significantly over time,” the official said.

Bryson Bort, a cybersecurity consultant and founder of the ICS Village, a nonprofit that advocates for industrial cybersecurity, said that while he didn't expect the regulation to make the pipeline sector drastically safer, it would give the government a much clearer sense of how vulnerable it is.

"Theoretically, that will provide them data to make a better case for more funding to Congress before something like this happens again," he said.

Thursday’s regulation was only the first of several new initiatives for the pipeline sector, another official said on the press call.

"This is step one in a phased approach, and we expect that you will see in the not-too-distant future that this will be followed up with an additional set of rules that will require a range of actions to be taken by the sector,” she said.