The hack of the Colonial Pipeline — which kneecapped oil availability on the East Coast for almost two weeks — was as disastrous as it was likely preventable. A branch of the Department of Homeland Security, however, is hoping to correct course by changing the rules on cybersecurity and disclosure for Colonial and other companies in the pipeline industry.
As reported by The Washington Post, the Transportation Security Administration (yes, the same sub-branch of DHS everyone associates with taking their shoes off in airports) will be requiring pipeline companies to report breaches and other cybersecurity incidents, with additional rules on how to keep these critical infrastructure systems secure from digital threats arriving “in coming weeks.” Any sort of abnormality which could, say, cause a company to part with $4.4 million in ransom money, would need to be reported to both the TSA and the Cybersecurity and Infrastructure Security Agency (CISA).
Incidentally, guidelines already exist to keep these sorts of systems secure — following them was merely voluntary. Companies were also free to decline inspections of their systems by the TSA. (We’ve reached out to Colonial to see if it chose to duck any such inspection.)
According to an anonymous source within the agency who spoke to The Washington Post, failing to meet the forthcoming requirements is likely to result in financial penalties, though how much is unclear. They would have to be fairly substantial in order to change the essential calculus. As Wharton researchers point out, the average cost of a breach in 2017 was just north of $7 million — not a massive expenditure compared to say, the price tag for implementing top-notch cybersecurity across a swath of legacy systems; they also found that “in the short run, the market jumps in fright after disclosure of a breach, but in a longer period of time (even just a month), there is hardly a difference between a breached and an un-breached company.” In short: a successful breach does very little to a company’s bottom line, either through immediate costs or longer-term stock valuation changes.
In short: a successful breach does very little to a company’s bottom line
Essentially, TSA’s new rules will need to have substantial power to inflict financial hardship, or companies probably will not have much incentive to change their lax habits.
That these decisions are driven entirely by profits is nowhere better exemplified than by the Colonial hack itself, which did nothing at all to harm the actual systems responsible for delivering fuel: what was compromised, according to CNN, was Colonial’s billing system, and the protracted shutdown was due largely to the company being unable to determine how much customers would have owed.
Even assuming pipeline companies are broadly cooperative, the TSA is setting itself up for a Sisyphean task of overseeing over 2 million miles of pipeline with a staff — as of 2019 — of just five auditors.