Colonial Pipeline Co. last year didn’t undergo a requested federal security review of its facilities and was in the process of scheduling a separate audit of its computer networks when hackers hit on May 7.
The ransomware attack led to a six-day shutdown of the East Coast’s largest conduit for fuel, sparking scrutiny of pipeline security and pushing the Department of Homeland Security to prepare to issue first-of-their-kind cybersecurity regulations for the sector.
It is unclear if an assessment by the Transportation Security Administration, a division of DHS that oversees pipeline security, would have uncovered digital weak points exploited in a hack that U.S. officials attributed to a criminal group known as DarkSide.
A Colonial spokesman said the company offered to undergo a virtual review of its facilities, rather than a typical in-person audit, when TSA officials requested the security check last year. The company had protocols in place at the time to limit employees’ exposure to the coronavirus pandemic, he said.
“We offered to hold this review virtually—as we did with other agencies—but the facility review did not occur,” he said.
The spokesman didn’t comment on why the audit never took place. Representatives for the TSA had no immediate comment.
Colonial has been in contact with TSA officials since March for a separate assessment of its networks, the spokesman said, adding that the company aims to accommodate that request after it has fully recovered its computer systems and completed an investigation of the recent hack.
Officials from Colonial and the TSA have discussed last year’s missed security review in a series of briefings in recent weeks with the U.S. House Homeland Security Committee, according to people familiar with the matter. Colonial Chief Executive
who told The Wall Street Journal last week that he decided to pay hackers a roughly $4.4 million ransom to help restore the company’s computer systems, is slated to testify before the committee on June 9.
Some lawmakers and cybersecurity experts criticized pipeline security standards after the Colonial hack, as many drivers panic-bought gasoline and caused supply shortages in some areas along the East Coast.
While electric utilities face federal cyber requirements, mandatory audits and potential seven-figure fines for violations, regulators have taken a hands-off approach to pipelines and allow companies to set many of the terms of their own oversight.
Some cyber experts say the voluntary compliance has contributed to uneven security investments by pipeline companies, which have digitized more of their systems in recent years to improve efficiency.
The fallout from the Colonial hack has spurred regulators into action.
DHS officials this week said the department is preparing to issue cyber regulations for the pipeline sector in the hope of preventing such attacks. The pending rules would require pipeline companies to report when they are targeted by hackers and to bolster their security measures, The Wall Street Journal reported Tuesday.
The regulations come alongside efforts by the Cybersecurity and Infrastructure Security Agency to counter the growing threat of ransomware across the U.S. economy.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” a DHS spokeswoman said Tuesday. “TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”
TSA has guidelines for how companies can tighten access to their systems, improve visibility of potential threats and respond to incidents. Officials with the agency’s pipeline security branch also conduct voluntary reviews of corporate security policies and on-site assessments of facilities that companies deem critical.
The Colonial spokesman said the TSA in 2018 completed security assessments that included three facility reviews and an audit of its security policies.
The TSA team that oversees such work has lacked sufficient cybersecurity expertise and staff for much of the past decade, according to a 2019 Government Accountability Office report. That has hampered pipeline security oversight, the watchdog said, adding that the TSA reviewed corporate security policies of fewer than 10 of the country’s 100 most critical pipeline systems annually from 2013 to 2017.
A TSA spokeswoman said earlier this month that the agency has expanded its pipeline security branch to the equivalent of 34 full-time staffers, up from six in 2018.
Write to David Uberti at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8