FERC: Pipeline security woefully inadequate
Commenting on the Colonial pipeline outage, the chairman of the US Federal Energy Regulatory Commission (FERC) said May 20 that standards over national pipeline security were notably absent.
A ransomware attack on May 7 disrupted operations on the 8,850-km Colonial fuels pipeline that meets about half of the demand for refined products on the eastern seaboard. After paying a hefty ransom, the operating company brought the network back on line, though intermittent logistical issues remain.
Richard Glick, the chairman of the commission, said mandatory cybersecurity protocols are in place for the US power grid, but not for pipelines. Instead, that authority rests with the US Transportation Security Administration, which only has voluntary guidance available on cybersecurity.
“We need mandatory pipeline security standards similar to those applicable to the electricity sector,” Glick said.
On May 10, FERC officials said in response to the disruption that voluntary guidance proved to be clearly inadequate
“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” their bipartisan statement read.
Three years ago, Glick added, FERC officials called for the responsibility over pipeline security to be with the US Department of Energy, of which the commission is a branch. Glick said he remains supportive of that decision today.
A Russian-language group dubbed DarkSide took credit for the ransomware attack, prompting the federal government to form an emergency inter-agency task force to examine the issue.
Before the attack, a bipartisan group of senators sent a letter to energy secretary Jennifer Granholm reminding her that top officials from the intelligence, defense and power communities warned that US infrastructure is vulnerable to cyberattacks.