As eyes lock in on the federal government’s response to the cyberattack on the Georgia-based Colonial Pipeline, fast-tracking regulation would toughen any future development of critical energy infrastructure, according to API’s manager of operations security and emergency response, Suzanne Lemieux.
“Any regulatory action right now is premature,” Lemieux said during API’s Cybersecurity Preparedness briefing on May 11. “I say premature if it’s in reaction to this particular event because we’re still in the event. Ransomware affects everyone, so singling out the pipeline sector for cybersecurity standards, when we don’t even really know the details of this incident is premature.”
To craft regulations that would prevent an attack like the one on the Colonial Pipeline, she said, it is important to first know all the details of what happened. That process will take time, but for immediate solutions and guidance, the oil and gas industry should follow current standards and practices.
“When it comes to pipeline cybersecurity regulations, we've always pointed to the partnership we have with the Transportation Security Administration, the guidelines that we crafted, and the standards that we've adopted as an industry,” she said.
In January, Jones Walker LLP published a survey of 125 midstream oil and gas company officials in which 40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policies.
This has caused Richard Glick (D), chairman of the Federal Energy Regulatory Commission (FERC), as well as FERC Commissioner Neil Chatterjee (R), to call for a move from voluntary to mandatory cybersecurity standards.
“Over the years, we’ve seen several attempts to craft cybersecurity legislation and it is a very difficult task,” Lemieux said. “With a constant state of change of technology and the way that systems are interconnected—and since it takes several years to create regulation—our technology has outpaced that regulation.”
Before considering regulatory action, she noted the cybersecurity standard API STD 1164, titled “Pipeline SCADA Security,” which provides guidance to the operators of oil and gas liquids pipeline systems for managing SCADA system integrity and security.
“While there is an increasing number of cyber threats to pipelines and other U.S. critical infrastructure, that does not equate to higher vulnerability,” she said. “Pipeline companies are continually investing in their cyberinfrastructure to respond to threats and the evolving sophistication of their attackers.”
The goal of the standard is to ensure that there are “no adverse effects on employees, the environment, the public or the customers” as a result of cyber-criminal activities, she said.
API is currently editing the standard to be more current and address growing threats to pipeline systems. She noted that the oil and gas industry has widely adopted the framework and has also worked with API on it. The updated standard is set to be released within the next few months.
“The industry has demonstrated a very solid commitment to pipeline security,” she said. “I think the active and voluntary nature of what industry has been doing over the last few years demonstrates our commitment to cybersecurity practices.”
In addition, she said there are valuable tools that have been put out by the government that operators can use to communicate threats and draw intelligence like United States Cyber Command
“We have our oil and natural gas information sharing analysis center, which interfaces with those different agency constructs,” she said. “So we do see value in these partnerships and legal frameworks that are in place that allow us to share information.”
When asked if it was impractical or too expensive to have pipeline companies build self-contained, controlled technology systems that aren’t relying on the Internet, Lemieux said there are still elements of a company’s operations that require connection.
“There are still transactions, management of shipments, and all types of operations, whether it’s just business, emails or payroll that are all so interdependent,” she said. “While you can compress certain parts of your system, you can’t compress everything in today’s modern interconnected world. It may work for OT systems, but not IT systems.”
The attack on the Colonial Pipeline raises the question: is this attack a one-off event or the kickoff of a possibly grave trend? In either scenario, the resolution will require companies to be flexible to prevent the continuance of cyber intrusion.
“We think it’s more constructive to allow companies to adapt to the changing threat environment and to change their technology and increase it with that threat so that you have an evolution and not a fixed moment,” she said.
“We’re not anti-regulation,” she added, “but it needs to be smart, flexible and adaptive and those words don’t tend to be what regulation is.”