U.S. Energy Sector: Cybersecurity Legislation Looms
Support for legislation that would set mandatory standards to secure pipelines has picked up an important advocate in Energy Secretary Jennifer Granholm, who backed the idea in remarks before a House Committee on Energy and Commerce Subcommittee hearing.
It’s too early to fully predict how regulations may impact the service provider community. But in theory, the regulations could require MSSPs to adjust their cybersecurity packaging and service level agreements in the energy sector.
MSSPs are already bracing for potential regulatory changes in the federal government market. The reason: President Biden’s cybersecurity executive order, issued in early May 2021, mentioned IT service providers more than a dozen times.
Meanwhile, Granholm called the nation’s cybersecurity safeguards “inadequate” and said she would support imposing mandatory minimum standards similar to those in place in the oil and gas sector. Her testimony came in the wake of the crippling ransomware attack on Colonial Pipeline earlier this month. Colonial Pipeline chief executive Joseph Blount told the Wall Street Journal earlier this week that the company had paid some $4.4 million to the hackers, allegedly Russia-based, to unlock encrypted files that would get the pipeline operational again.
Cybersecurity specialists and law enforcement agencies have long advised companies hijacked by cyber kidnappers not to pay the ransom. Nonetheless, acquiescing to the extortionists was the “right thing to do for the country,” Blount said. “I didn’t make [the decision] lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
While Granholm called the Colonial incident an example of the absence of uniform cybersecurity standards, she acknowledged that such regulatory control may not have stopped the pipeline hack. “If we had had standards in place, would this particular ransomware attack have been able to happen? You know, I’m not 100 percent sure,” she said. “I do know that having good cyber hygiene on the private side as well as on the public side is a critical basic defense, and for entities that provide services to the public like that, especially critical services like energy, I think it’s an important consideration for this committee for sure,” she said. (via The Hill)
Granholm isn’t the only one making the case for cybersecurity requirements for the nation’s pipeline network. House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-NJ) told the subcommittee that the U.S. has to “ensure our nation’s energy infrastructure is not just secure, but reliable and resilient.”
In addition, Federal Energy Regulatory Commission (FERC) Chairman Richard Glick and Commissioner Allison Clements last week issued a statement in support of “enforced mandatory cybersecurity standards for the bulk electrical system.” “It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” the officials said. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”