U.S. pipeline infrastructure is more vulnerable to cyberattacks than desirable because of insufficient oversight in the cybersecurity department, a report commissioned by two members of Congress has suggested.
Reuters reported this week that the report, requested by Senator Maria Cantwell and Representative Frank Pallone and conducted by the General Accountability Office, revealed the Transport Security Administration, a unit of Homeland Security, does not have a procedure in place that can be used to update cybersecurity standards for pipelines. These updates are necessary to reflect revisions in cybersecurity standards that are seen by experts in the field as essential.
Indeed, the cybersecurity field is a very dynamic one, with attackers unfortunately proving repeatedly they are not just keeping up with cybersecurity efforts but sometimes even being a step ahead of them. This is what necessitates updates to existing standards, and an update implementation procedure that makes for fast adoption of these updates.
Oil and gas pipelines are critical infrastructure and as such they are among the top targets of cybercriminals, according to experts. What the report by the GAO found was that the Transport Security Administration trusted pipeline operators to evaluate their networks and report whether they have critical facilities that could become a target for cybercriminals.
That’s not good enough to say the least: the TSA collected the self-evaluations in order to classify parts of operator’s networks as more or less vulnerable, but it turned out that as much as a 33 percent of the operators of the 100 biggest pipeline systems in the United States denied having critical facilities. What’s more, the Transport Security Administration did not verify the information supplied by pipeline operators.
“Protecting our pipelines, and the people who live and work near them, must be a top priority for our government and I hope this report will prompt the Trump administration to start treating this challenge with the urgency it deserves,” Senator Cantwell said in a release following the report.
Pipeline cybersecurity is certainly a top concern, especially with the growing automation and digitization of various functions that gives cybercriminals more potential entry points into a network. Work is being done but, if we are to believe the GAO report, not enough, which is the case for other industries as well in the opinion of most cybersecurity professionals.
Still, earlier this month, the Transport Security Administration released a Cybersecurity Roadmap that covered all transportation sectors, including pipelines. In a recent overview of the situation in Lexology, Norma M. Krayem noted that unlike other comparable industries, pipeline networks have so many agencies overseeing them, a debate about which of them should be in charge of cybersecurity has slowed down the actual implementation of cybersecurity measures.
The roadmap, Krayem said, was the document that put an end to the debate: the TSA is the agency in charge of the cybersecurity and physical security of pipeline systems, so that’s one thing that is settled. Now, what remains is the more important task: put actual cybersecurity standards and procedures in place to secure this part of the U.S. critical infrastructure.
Credit: OilPrice, GAO, DHS
© De Angelis & Associates 2019