Infrastructure proposals lack plans for tackling pipeline security, cyberattacks

Lawmakers introduce legislation to prevent future hacks on critical facilities

Advanced control systems can leave infrastructure like fuel pipelines vulnerable to hackers. (Bill Clark/CQ Roll Call file photo)
Posted May 17, 2021 at 7:00am

Neither the Biden administration’s infrastructure plan nor the counterproposal from Sen. Shelley Moore Capito, R-W.Va., explicitly mentions cyberattacks, a topic that surged into the public eye following the May 7 hack that led to the shutdown of a pipeline system that supplies fuel to much of the East Coast.

The White House’s proposal touches frequently on strengthening electricity grids in the U.S. and shoring up the country’s power supply against natural disasters and climate change.

But the White House's 27-page summary of its $2 trillion proposal, which is not yet in legislative language, does not mention cybersecurity or hacking, or the terms “digital” or “pipeline” in a context related to cyberattacks.

The $568 billion rebuttal from GOP senators — a two-page list of broad demands for public works investment — also omits cybersecurity and hacking.

On the heels of the cyberattack that breached the Colonial Pipeline Co.'s IT systems, which led the company to close its pipeline system that supplies eastern states with about 45 percent of their petroleum-based fuels, members of Congress have introduced bipartisan legislation to strengthen pipelines and other elements of critical infrastructure against hacks and other threats.

The company shut down the main section of the pipeline late on May 7, a Friday, and alerted the Federal Bureau of Investigation, rather than the Cybersecurity and Infrastructure Agency, or CISA, according to the acting head of the agency. CISA is a unit within the Department of Homeland Security tasked with protecting hardware like pipelines, power grids and utility plants.

Colonial operators began restarting the pipeline Wednesday evening, and President Joe Biden, citing the FBI, said the hack emanated from people living in Russia. But he did not lay the blame with the Russian state.

“We do not believe the Russian government was involved in this attack,” Biden said. “But we do have strong reason to believe that the criminals who did the attack are living in Russia.”

Legislation

Members of Congress have also raised concerns with the Energy Department, which plays a role in pipeline security, that DOE did not include cybersecurity in its initial budget proposal for fiscal 2022. The White House has promised to release a detailed budget proposal on May 27.

With Rep. Emanuel Cleaver II, D-Mo., as lead sponsor, members of the House Homeland Security Committee introduced legislation Friday to protect pipelines from cyberattacks and terrorism. The committee said it plans to mark up the bill next week.

The legislation would designate the Transportation Security Administration and CISA as responsible for overseeing “the security of pipeline transportation and pipeline facilities.”

In a statement, Cleaver said, “The recent ransomware attack on the Colonial Pipeline, which caused the shutdown of thousands of miles of gas pipeline along the East Coast, was just the latest example of why Congress must act swiftly to harden our critical infrastructure and bolster our cybersecurity capabilities.”

The top Democrat and Republican on the committee — Chairman Bennie Thompson, D-Miss., and ranking member John Katko, R-N.Y. — are co-sponsors of the bill.

“With attacks of this nature on the rise, it’s more important than ever to strengthen our cyber resilience,” Katko said.

Homeland Security Secretary Alejandro Mayorkas said last week that ransomware attacks, in which culprits demand money from victims, have increased more than 300 percent since last year.

Also Friday, Reps. Elissa Slotkin, D-Mich., Mike Gallagher, R-Wis., Jim Langevin, D-R.I., and Andrew Garbarino, R-N.Y., introduced separate legislation that would direct CISA to create a series of cybersecurity tests that businesses and state and local governments could run to test their defenses against attacks.

Speaking on Fox News this week, Capito said the Colonial hack could be a harbinger.

“This incident is so emblematic, I think, of what the future could look like,” she said. “We have funded some of the investigative agencies on the cybersecurity side, but we probably need to get more granular with this now that we see what’s happened with the pipeline.”

Despite the absence of references to cybersecurity or digital security in its public works proposal summary, a White House official said that “cybersecurity investments are a part of the American Jobs Plan and will be integrated with the design and implementation of the investments in the electric grid and other infrastructure.”

“This will include tying specific grants to recipients’ implementation of cybersecurity goals and using tax credits to finance needed cybersecurity improvements,” the official said.

Standards

Jim Robb, CEO of North American Electric Reliability Corp., or NERC, a private sector organization that sets and enforces industry standards, pressed during a board meeting Thursday for stronger cybersecurity standards.

“It is time for policymakers to refocus on ensuring that gas infrastructure is as secure as the grid it supplies,” Robb said. The Colonial hack shows “the need for foundational security standards for an industry that is critical to reliability and national security,” he said.

Two days before the hack, the former head of CISA told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation that humans’ apparent “pathological need” for the internet to pervade their lives is allowing an “explosion” in cybercrime.

Fielding questions the day before the hack at a House Appropriations subcommittee hearing, Energy Secretary Jennifer M. Granholm said a more connected world means more targets for hackers.

“The truth is that everything that we are working on that will plug into the power grid is a potential cyberattack vector, and we need to be thinking about all of our R&D through that lens,” Granholm said, responding to questions from Rep. Mike Simpson, R-Idaho.

In its initial budget documents, DOE did not specifically talk about cyberthreats, as Simpson pointed out.

“This is not the time to take our eye off the ball when it comes to cybersecurity of our nation’s critical energy infrastructure,” Simpson said. “I was disappointed that in the — or maybe even ‘surprised’ is a better word — in the skinny budget, that cybersecurity was not mentioned.”

Granholm replied, “It is definitely a focus of ours, so don’t let that fool you. I do want to say I’m not going to be Pollyanna-ish and tell you that protecting the grid, for example, from cyberthreats is easy.”