Granholm expresses openness to pipeline cyber standards after Colonial attack

Energy Secretary Jennifer Granholm on Wednesday threw her tentative support behind the idea of mandatory standards to secure pipelines in the wake of the debilitating ransomware attack on Colonial Pipeline earlier this month.

When asked by House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) during a hearing whether pipelines should be subject to similar strict mandatory security standards that the electric sector is, Granholm testified that the U.S. is currently “inadequate” on pipeline security.

“I think that this is an example potentially of that,” Granholm said of the attack on Colonial Pipeline. “If we had had standards in place, would this particular ransomware attack have been able to happen? You know, I’m not 100 percent sure.”

“I do know that having good cyber hygiene on the private side as well as on the public side is a critical basic defense, and for entities that provide services to the public like that, especially critical services like energy, I think it’s an important consideration for this committee for sure,” she added.

She also pointed to the fact that the Federal Energy Regulatory Commission (FERC) has established cybersecurity standards for the electric grid and suggested that the federal government could do the same for pipelines, boosting current Transportation Security Administration (TSA) authorities.

“FERC issued mandatory cybersecurity standards for electricity for electricity owners and operators … TSA has voluntary guidelines, and one wonders whether it’s time we match what we’re doing on the electric side with what we’re doing on the pipeline side,” she said.

Granholm’s remarks appear to differ from those made by President Biden last week on cybersecurity standards, in which he rejected the idea of mandated cybersecurity standards. 

“The bottom line is that I cannot dictate that the private companies do certain things relative to cybersecurity,” he said at the time. 

The hearing came a week after Colonial Pipeline began to restart operations following a devastating ransomware attack earlier this month on its IT system, with the company temporarily shutting down the pipeline to protect operational controls. 

Colonial Pipeline CEO Joseph Blount confirmed to The Wall Street Journal on Wednesday that the company paid the hackers, who President Biden said last week were likely based in Russia, the equivalent of $4.4 million to regain access to encrypted systems and get the pipeline up and running again. 

Colonial provides around 45 percent of the East Coast’s fuel, and gas shortages were seen in multiple states last week.

Some of Granholm’s comments on Wednesday appeared to be more directed toward Congress than the Biden administration. 

During the hearing, she expressed support for increased incentives for private entities to improve their own cybersecurity systems. 

“We also need an investment in cyber on the oil and gas pipelines as well,” she said. “The question is, who pays for that investment?” 

“Are there incentives that could be considered by this committee, by this Congress, to have the private companies up their game with respect to installing software that protects them? Those are all great questions for this committee,” she continued. 

Granholm is not the only official to back the idea of further standards for the pipeline sector.

Pallone stressed during his opening remarks that he was “concerned” that TSA’s pipeline security program “lacks the resources and expertise” necessary and that the federal government should do more. 

“I believe it’s time that we consider mandatory, enforceable reliability standards for our nation’s pipeline network,” Pallone testified. “We have to ensure our nation’s energy infrastructure is not just secure, but reliable and resilient.”

Bipartisan members of the House Energy and Commerce Committee last week reintroduced legislation to secure both pipelines and energy infrastructure against cyber threats, including the Pipeline and LNG Facility Cybersecurity Preparedness Act. 

The bill, sponsored by Reps. Fred Upton (R-Mich.) and Bobby Rush (D-Ill.), would strengthen the cyber and physical security operations of the Department of Energy for critical infrastructure. 

Additionally, FERC Chairman Richard Glick and Commissioner Allison Clements last week released a joint statement calling for the establishment of “mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector.”

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick and Clements said. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”