INDUSTRIAL CONTROL SYSTEM VULNERABILITIES ON DISPLAY

D.C. In its May 26 edition, the Washington Post reported the inevitable. As a consequence of the ransomware attack on Colonial Pipeline and its subsequent shutdown, the Biden Administration and the federal agencies responsible for protecting industry and government from such cyber intrusions are accelerating their plans for new regulations and directives governing the cybersecurity practices of the Nation’s oil and natural gas pipelines. It remains to be seen whether those efforts, which will unfold over many months, will yield benefits to the industry and the public commensurate with the costs. It is nevertheless clear that the government’s oversight and regulation of cyberspace are plagued by a misallocation of resources and lack of direction.

In anticipation of these developments and the ongoing questions about how well prepared major pipeline systems like Colonial are for today’s cyber threats, the International Pipeline Resilience Organization (IPRO) represents an opportunity for the pipeline industry to proactively ensure compliance with industry standards and best practices. Without a new regulatory model, government agencies will predictably opt for one-size-fits-all mandates that could be time-consuming to develop, difficult to administer, and potentially unenforceable. The Congressionally-mandated Cyberspace Solarium Commission reported last year that public-private partnerships and reform of government regulation in this area can help move pipelines from a totally voluntary compliance regime to one where the rules are better understood and workable controls are instituted for their industrial control systems.

“The Colonial event is a wake-up call and we fully expect industry risk managers and leaders at the Departments of Homeland Security, Energy, and Transportation will want to act. However, we seek innovative solutions beyond mere interagency cooperation. Government’s tendency to default to broad industry mandates for the pipeline industry will likely prove costly and ineffective,” stated Jim Hoecker, co-founder and administrator of IPRO and former federal energy regulator. “We want to be able to demonstrate to pipeline operators and cyber regulators the credibility and technical soundness of the IPRO model. It can be the responsible, fundamentally self-regulatory, and transparent solution we all look for.”

About IPRO: The International Pipeline Resilience Organization was founded in 2020 as a member-driven, non-profit corporation that works on behalf of two critical energy delivery industries -- oil and natural gas pipelines (including natural gas liquids and refined products pipelines) – to identify pragmatic controls that reduce or eliminate the risks of cyber or physical intrusions and the resulting disruption of services. IPRO focuses on enterprise-wide cyber challenges and solutions that will achieve durable security for the North American energy supply chain.