Pipeline Cybersecurity – CRS Report

This week the Congressional Research Service published a report on pipeline cybersecurity. According to the introduction (pg 1):

“This report discusses cybersecurity risks to natural gas, oil, and refined products pipelines, including to control systems and information technology, as well as ransomware. It summarizes the history of major pipeline cybersecurity warnings and cyberattacks in the United States over the last 15 years. It examines the federal role in protecting U.S. pipelines from cyber threats, including the agencies involved and their pipeline cybersecurity activities. It discusses the federal response to the Colonial Pipeline cyberattack. The report concludes with an overview of selected issues for Congress, including legislative proposals to change federal pipeline security programs.”

Topics covered in the report include:

· Pipeline Cybersecurity Risks,

· The Federal Role in Pipeline Cybersecurity,

· Federal Agency Pipeline Security Activities,

· DHS and DOT Cooperation,

· GAO Pipeline Security Reports, and

· Issues for Congress

Since this is a report from the Congressional Research Service (presumably at the request of a member of Congress), the concluding section of the report is important. It outlines some questions about pipeline cybersecurity that Congress could address in the legislative process. Those questions include:

· Which agency (or agencies) should be responsible for collecting, analyzing, and/or disseminating threat information?

· Which agency (or agencies) should be responsible for developing mitigating strategies to cybersecurity threats?

· Does the intelligence community need to improve collection about adversary targeting of critical infrastructure?

· How will the government track the disposition of information shared and assess the efficacy of information-sharing programs?

· Is classified information a barrier to information sharing, or is pertinent information able to be disseminated in an unclassified manner?

· Has the cyber risk information-sharing model authorized in the Cybersecurity Act of 2015 (PL 114-113, Division N) been successful, or do barriers exist to effective information sharing among sector partners?