The federal government is moving from asking oil and gas pipeline owners to improve their cybersecurity to telling them to do so, an attorney whose practice includes cybersecurity says.
A cyberattack, beyond costing the victim money, can lead to damage to critical infrastructure and even death, though an industry survey from last year indicates many pipeline owners may be overconfident in their cybersecurity.
“Industry doesn’t like it,” says Andy Lee, a privacy and data security attorney with Jones Walker, of the federal government’s more assertive approach to cybersecurity regulation. “They would like the carrot approach, not the stick approach.”
For example, recent directives from the U.S. Department of Homeland Security have required, rather than encouraged, reporting cybersecurity incidents, he says. There is also pending bipartisan legislation that would enable industry to be at the table in deciding a new set of rules.
A 2020 Jones Walker survey found that much of the industry is overconfident of how well protected they are from a breach. Survey results include the following:
• While 40% reported an attempted or successful data breach in the past year, only 7% updated their written security policy during the same period.
• Companies indicated an increased focus on cybersecurity, yet only 38% of respondents planned to increase their cybersecurity budgets.
• Despite increased vulnerability to cyberattacks during the COVID-19 pandemic, when more employees work remotely and often use a mix of personal and company-issued technology, 74% of companies did not have cyber insurance or cyber-breach insurance coverage.
• More than 50% had not reviewed their incidence plans in more than a year, Lee says.
While Jones Walker has not conducted a follow-up survey, the Colonial Pipeline hack earlier this year has been a wake-up call for some companies and lawmakers. The Colonial shutdown was deemed a national security threat in part because the pipeline moves oil from refineries to industry markets. Lee says criminals seeking ransom are the biggest threat. But the risk of terrorism cannot be overlooked, he says.