Pipeline operators who do not report cybersecurity attacks to the Department of Homeland Security could face fines of $7,000 a day or more, according to regulations released Thursday in response to the ransomware attack that temporarily paralyzed the largest pipeline in the country.
According to senior department officials who asked not to be identified, the so-called safety directive issued by Homeland Security will be followed in the near future by an additional set of rules for pipeline operators.
The new mandates, a change from a long-standing system of voluntary guidelines and voluntary reporting, respond to the ransomware attack on Colonial Pipeline Co.
In addition to requiring pipeline owners to report incidents, Thursday’s safety directive to companies operating about 100 critical pipelines would stipulate that a designated representative be available 24 hours a day as a point of contact, said one of the officials during a briefing with reporters.
The directive would also require operators to compare their practices with the Transportation Security Administration’s guidelines and to identify and report risks, the official said.
Pipeline operators are worried that the new measures could be detrimental to the department’s voluntary system.
“Pipe operators want to avoid a ‘prepared, ignited, objective’ approach by the government in which we do not incorporate the lessons learned from Colonial or potentially make things worse by regulating the wrong things or doing it the wrong way,” John Stoody, a spokesman for the Association of Oil Pipe Lines, which has Colonial among its members, said before the regulations were announced.
Department officials said they still planned to work collaboratively with the pipeline industry, even as Homeland Security works to develop more structured oversight.
Unlike power plants, U.S. pipelines have not been required to comply with federal cybersecurity mandates, although Homeland Security was given the authority to enforce them through its Transportation Security Administration when it was created in the wake of the September 11, 2001 terrorist attacks.
This has been an approach that the industry has championed, and for which it has also fought. An effort in 2012 to demand cyber regulations for pipelines and other significant infrastructure through legislation failed after intense pressure from oil companies and other corporate interests.
The new measures come after hackers who stole data and blocked equipment forced the Colonial pipeline system, which is 5,500 miles (8,851 kilometers) long, to shut down for about a week. The pipeline, which provides about 45 percent of the fuel used on the East Coast, was reactivated after the company paid a $5 million ransom, but not before the shutdown caused a shortage at gas stations.
“Any potential legislation should improve reciprocal information exchange and liability protections, as well as build on our existing strong public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure,” said Suzanne Lemieux, operations manager for safety and emergency response at the American Petroleum Institute.
© 2021 Bloomberg LP