Pipeline firms seek to avoid cybersecurity mandates, despite Colonial hack

Scott Tong May 17, 2021
Electric power companies and airlines are required to report cybersecurity threats to the government. Why are pipeline companies exempt? Jim Watson/AFP via Getty Images

On the heels of the Colonial Pipeline hack, which forced a six-day shutdown of a critical gasoline and diesel artery, Congress is pushing forward a pipeline security bill. But to critics, the legislation lacks key safeguards, namely government mandates.

When something goes wrong with a pipeline that endangers its essential function — like the Colonial Pipeline hack — companies do not have to tell the government what happened. Yet electricity companies do, as do airlines.

When an airplane incident occurs, commercial carriers are required to open up to government investigators.

“They would be doing everything they could to understand what happened, and then they would rapidly be sharing that information with other airlines, so those airlines could prevent the same thing from happening to them,” said Rob Knake, a former cybersecurity director in Barack Obama’s White House and senior fellow at the Council on Foreign Relations. “That’s not at all what’s happening with this pipeline incident.”

Instead, companies themselves decide how to protect their data and only voluntarily share information with other companies in the sector and the Transportation Security Administration. No government mandates or fines, just recommendations.

And the bill that moves forward in Congress on Tuesday would keep it that way.

However, a recent survey of pipeline companies found that just 8% actively share info with the rest of the industry and the government.

“That’s a woefully low number,” said Andy Lee, a partner at the law firm Jones Walker who oversaw the survey. “There’s not enough carrots, and there are too few sticks, to ensure that our pipeline industry stakeholders are actively engaging in the budget spend to make sure that they are safe.”

This isn’t a new fight. Nine years ago, oil and gas lobbyists fought off mandatory rules, and today energy trade groups are again arguing that the industry should oversee itself.

“The IPRO model enables pipelines to volunteer for an appropriate level of scrutiny,” Jim Hoecker, co-founder of the International Pipeline Resilience Organization, said in a statement posted on the organization’s website.

But Mark Weatherford, chief strategy officer at the National Cybersecurity Center, a nonprofit that advises government officials, is dubious.

“I am not a fan of regulation,” said Weatherford, who is also chief information security officer at AlertEnterprise. “And I hate to say it like this, but it’s been proven over and over and over again that companies are simply not going to self-regulate.”

As of Monday, more than 11,000 gas stations across the Southeast remain out of gas, according to GasBuddy. That includes over half the stations in North Carolina and nearly 70% of those in Washington, D.C.
