Responding to the Colonial Cyber Attack – and Industry’s Continuing Focus on Security

Mark Green
Posted May 11, 2021

The cyber attack on the 5,500-mile Colonial Pipeline that daily carries millions of gallons of fuel products from the Gulf Coast to New York and points in between, underscores some critically important points about the natural gas and oil industry:

• Resilience and agility in working to alleviate supply disruptions
• The vital importance of investing in pipeline infrastructure for the economy and modern daily life
• The ongoing commitment by industry to protect itself and key assets from cyber criminals

Industry has worked and will continue to work with the Biden administration on actions to mitigate supply disruptions caused by the cyber attack. These include an hours-of-service exemption for those transporting gasoline, diesel, jet fuel and other refined products to 18 states, as well as a fuel waiver for states where reformulated gasoline (RFG) is required by EPA, allowing them to use conventional gasoline amid the disruption – helping fuel suppliers manage inventories until Colonial returns to normal operations. API’s Patrick Kelly:

“We think that the RFG waiver the EPA issued was a very positive step to helping to address this situation, by allowing fuel to be interchangeably moved across these conventional areas and reformulated gasoline areas.”

Kelly said industry’s ongoing focus is to identify potential barriers to the transportation of fuel supplies from states that have them to states and areas that don’t:

“We'll continue working with both state and federal regulators to track the situation and determine whether there are additional waivers that may be needed to help ensure that the market is well supplied.”

Robin Rorick, API vice president of Midstream & Industry Operations, said industry is using alternative transportation modes to work around the pipeline outage, so that consumers have the fuels they use every day. Rorick said the incident emphasizes the value of a strong infrastructure network to ensure Americans’ access to energy:

“I think one thing that this incident does underscore is the vital importance of maintaining our existing pipeline infrastructure and developing new pipeline infrastructure to continue to supply the energy and develop the redundancy that exists in this country.”

On cyber security, industry has a long-standing commitment (see here, here and here) to protect assets in close cooperation with government partners. These attacks aren’t new, and the industry isn’t alone in dealing with the threats. All kinds of companies and institutions are at risk, and information-sharing on specific threats, new technologies and other measures is key to managing that risk. Suzanne Lemieux, API manager for Operations Security & Emergency Response Policy:

“Our members are aware and very conscious of the escalating cyber threats facing the natural gas and oil industry, and we at API continue to work closely with our members, other trade associations and government partners – including the Transportation Security Administration (TSA), the Cybersecurity & Infrastructure Security Agency and the Department of Energy to share threat intelligence as it becomes available. We are supportive of this two-way information flow when it comes to cyber threats, which are an economy-wide problem that has left virtually no industry untouched in recent months. … Pipeline companies are continuously investing in their cyber infrastructure to respond to threats and the evolving sophistication of their attackers.”

Lemieux said it’s critically important to collect and understand the facts on the Colonial attack and avoid policy proposals that may be premature. An example of what industry already is doing is an update to API Standard 1164, on supervisory control and data acquisition cyber security, which should be seen before considering regulatory actions. She noted that industry was the driving force behind updating TSA guidelines to include cyber security:

“Industry has demonstrated a very solid commitment to cyber security and pipeline security in particular. I think the active and voluntary nature of what industry has been doing over the last few years demonstrates our commitment to robust cyber security practices.”

Crafting cyber security legislation or regulation is difficult because threats are constantly changing. It can take years to develop measures that are easily outpaced by cyber-attack technology. Lemieux:

“We think it's more constructive to be more flexible, to allow companies to adapt to the changing threat environment and to change their technology with threats so that you have an evolution. We're not anti-regulation, but it needs to be smart, flexible and adaptive – and those words don't tend to be what regulation is.”

As Lemieux noted in this post, we need government policies that allow companies to innovate and refine processes that protect against threats. This is integral to the commitment of API member companies to protect the nation’s natural gas and oil infrastructure, safeguard intellectual property and ensure Americans’ access to affordable reliable energy.