Committee OKs pipeline cyber bill but questions remain

By Jeremy Dillon | 05/19/2021 06:57 AM EDT

Colonial Pipeline Co. facilities in Maryland.

Colonial Pipeline Co. facilities in Maryland. Drew Angerer/Getty Images

The House Homeland Security Committee approved legislation yesterday to bolster the Transportation Security Administration pipeline cyberdefense program even as key lawmakers across Capitol Hill expressed an openness to reevaluating how the federal government approaches pipeline oversight.

The legislation, cleared by voice vote, comes as Congress continues to mull how best to respond to last week’s ransomware attack against the Colonial pipeline that prompted fuel shortages and panic purchasing across the Southeast.

"Just over 10 days ago, a ransomware attack against one of the nation’s largest pipeline companies has brought a new urgency to our work," Homeland Security Chairman Bennie Thompson (D-Miss.) said during the markup.


The bill, authored by Rep. Emanuel Cleaver (D-Mo.), would codify Homeland’s TSA and the Cybersecurity and Infrastructure Security Agency as the lead entities for pipeline cybersecurity oversight.

H.R. 3243 would also direct the agencies to update pipeline security guidelines within a year of enactment as well as establish better staffing guidelines.

Despite those ambitions, the House committee remains among the lone few doubling down on TSA’s role in pipeline cybersecurity.

The agency has come under scrutiny for how it implements its pipeline cybersecurity responsibilities. Federal Energy Regulatory Commission Chairman Richard Glick and Commissioner Neil Chatterjee authored an "opinion piece in 2018 calling for more oversight of crude oil pipeline cybersecurity

A Government Accountability Office report from that same year found TSA was not prepared for the cyber challenges presented for pipeline cybersecurity, nor did it have the necessary staffing and resources to meet the challenge.

Crude oil and gasoline pipelines — like Colonial — exist in their own regulatory space, with cybersecurity oversight by TSA, under the Department of Homeland Security.

Other crude oil pipeline safety regulations exist within the Department of Transportation through its Pipeline and Hazardous Materials Safety Administration.

Despite such complications, the Biden administration tapped the Department of Energy as the lead agency to respond to last week’s incident.

That convoluted division of oversight has frustrated lawmakers on Capitol Hill, who have begun to question why at least three agencies have a role in pipeline security.

"I want to know why it’s such an inefficient process when it comes to energy pipeline infrastructure. I don’t know what the answer is," Sen. Lisa Murkowski (R-Alaska) told E&E News yesterday. "It’s all kind of a grab bag of jurisdiction here. Until you have something like this happen, nobody really pays attention to who is in charge."

In the aftermath of the attack, calls have only grown larger for DOE to take on more pipeline oversight responsibilities.

House Energy and Commerce leaders have advocated for DOE to take over the cybersecurity role and touted a string of bills after the hack (E&E Daily, May 11).

Senate Commerce Chairwoman Maria Cantwell (D-Wash.) sees a consolidation of pipeline oversight as an eventual outcome of the Colonial shutdown (E&E Daily, May 12).

Senate Energy and Natural Resources Chairman Joe Manchin (D-W.Va.) added his name yesterday to that list pushing for consolidation while "looking at how they share information back and forth," he told E&E News. Manchin also expressed a desire for better pushback once a cyberattack does occur.

"We need to take aggressive action when these types of illicit criminals do what they did and attack our systems and interrupt our services to our citizens and our country," he said. "We aren’t going to let that go unanswered."

Senate Homeland Security Chairman Gary Peters (D-Mich.) said he plans to look into the issue of how best to arrange the nation’s cyberdefenses, especially as they relate to pipeline security.

"I want to let the facts drive that situation," Peters told reporters. "We need to get more information."

This year has been busy with cyber hearings and the pipeline company attack means many more are coming. The House Homeland Security Committee has another set for June.