WASHINGTON, D.C.— U.S. Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation will convene a hearing titled “Pipeline Cybersecurity: Protecting Critical Infrastructure“ at 10:00 a.m. on Tuesday, July 27, 2021. The hearing will examine the current state of pipeline cybersecurity and the role that federal regulators play in protecting our nation’s critical infrastructure from malicious actors. This hearing will provide members an opportunity to examine recent actions taken in response to pipeline cyber incidents and gaps in our current oversight and regulatory structure.
- Hon. David Pekoske, Administrator, Transportation Security Administration
- Hon. Polly Trottenberg, Deputy Secretary, Department of Transportation
- Leslie Gordon, Acting Director, Homeland Security and Justice, Government Accountability Office
Tuesday, July 27, 2021
10:00 a.m. EDT
Russell Senate Office Building 253
Watch LIVE at www.commerce.senate.gov
Due to current limited access to the Capitol complex, the general public is encouraged to view this hearing via the live stream. Social distancing is now lifted for vaccinated members of the press who wish to attend.
Chair Maria Cantwell
Committee Hearing on “Pipeline Cybersecurity: Protecting Critical Infrastructure”
July 27, 2021
Earlier this year, a ransomware attack on Colonial Pipeline caused the company to shut down its pipeline system that supplies nearly 50 percent of all fuel for the East Coast.This resulted in gas shortages, causing prices to spike and panic buying from Georgia up to New York.Although service was restored within a week, this incident underscores the potential consequences any single cyber-attack can have on our daily lives and the need to better manage and bolster cybersecurity for our critical infrastructure.Our nation relies on more than 2.8 million miles of pipelines, 140 thousand miles of railroad track, 4 million miles of roads, 11 million trucks, 361 ports, and nearly 20,000 airports, and the infrastructure increasingly depends on information technology systems and electronic data that are very susceptible to cyber threats.
The Colonial Pipeline attack is frankly the tip of the iceberg. Our country is seeing 4,000 ransomware attacks every day. Since the start of the coronavirus pandemic, the FBI reports that cyber-attacks have increased by over 300 percent.
The rapid growth in the number and sophistication of cyber-attacks is the alarm bell ringing about the need to immediately bolster the cybersecurity of our critical infrastructure.
If we don’t, it is only matter time before we will see another crippling cyber incident that will have an even more catastrophic impact than we saw with Colonial Pipeline.
And pipelines are not the only infrastructure in this country that is vulnerable to this level of serious disruption. For years, experts have been worried about the vulnerability of our nation’s electric grid to disruption from nefarious actors, including from cyber-attacks. (Sen. Cantwell holds up GAO report from December, 2018.)
Imagine what might result if an attack like Colonial Pipeline happened to an electric company. It wouldn't just be some small drivers unable to fill up or forced to pay more at the pump. A grid disruption would have massive impacts to our economy. Lives would also be on the line.
It could take months for the U.S. to recover from a hostile attack that shuts down the electricity grid.
Electric companies are working overtime to protect their systems, but the federal government should be part of the solution. We need to bring about critical infrastructure investments in technology that can help the electricity grid and companies secure their networks from these kinds of intrusions.
For example, helping utilities install fiber optic technologies to run along their transmission lines, helping them to create closed communications networks using dedicated fiber links for grid monitoring and control that will insulate the electric grid from these cyber-attacks. This should be a major priority for this administration. These investments could also serve as the backbone for other important communication systems throughout our rural communities that aren’t currently being served.
It could also help ensure we can meet the challenges we face in some of our urban areas.
I appreciate the recent steps that the Department of Homeland Security has taken to bolster pipeline cybersecurity, including the recent release of a second Security Directive.
While these directives are a step in the right direction, many of them are needed to ensure the security of our nation’s pipelines.
And while TSA has taken steps to address some weaknesses in overseeing pipeline security, as I mentioned, the GAO report shows the use of incomplete information for security risk assessments and aged protocols for responding to security incidents, as well as many of the workforce issues that we have previously addressed in this committee.
At one point TSA only had 6 individuals working in the pipeline security group and that number has now grown to 34, but they are covering 2.7 million miles of pipeline. We need to increase our accountabilities regarding this issue.I look forward to hearing from our witnesses today about this very important issue and how we grow our security in such a critical area of our nation’s economy.
Ranking Member Roger Wicker
Thank you, Senator Cantwell. On May 7 of this year, malicious attackers attacked Colonial Pipeline’s network and infected its computer system. This was a major wake-up call for the United States, and for us as policy makers. Colonial was temporarily forced to shut down its pipeline, disrupting energy supplies running from Houston, Texas, to the doorstep of New York City. As a result, we witnessed fuel and gasoline shortages across the Southeast and the mid-Atlantic. The effect of this dramatic attack highlighted the very present risks from cybercrime to our national security.
Today’s hearing is an opportunity to discuss how to prepare our critical infrastructure systems against emerging cyber threats, and how we can apply lessons learned from the Colonial Pipeline incident.
Our nation has roughly three million miles of pipelines transporting essential energy products across the United States. Those energy products keep our businesses running, our lights on, and our homes warm in the winter. It is essential that this critical infrastructure be protected against cyberattacks like the one on Colonial Pipeline in May. Having fuel supplies cut off for extended periods of time is devastating to Americans and to our economy. Senator Cantwell has not overstated the problem or the risk.
I ‘m glad Administrator Pekoske is here today to help us understand the Transportation Security Administration’s (TSA) leading role in overseeing our pipeline cybersecurity. I appreciate TSA’s ongoing efforts to enhance federal pipeline cybersecurity programs to address growing cybersecurity risks.
This has long been a priority for me and this committee. Last Congress, I worked with Senator Cantwell on legislation to grow our cybersecurity workforce so that American companies and government agencies have the talent to protect their systems from criminals.
As the federal government considers ways to improve the cybersecurity framework of the pipeline sector, it will be increasingly important for the public and private sectors to coordinate their efforts more closely.
The vast majority of the nation’s critical infrastructure is owned and operated by the private sector. Utilizing the expertise of operators and the relevant safety regulators will lead to a more successful implementation of security directives from TSA. Because cybercrimes and the technologies used to conduct these attacks are continuing to evolve, we should avoid a one-size-fits-all approach and ensure that federal policy provides flexibility of response and adequately accounts for changing risks. We need to ensure pipelines continue to be a safe means of product transportation and can operate without disruption, which is a top priority for this committee.
Strong public-private partnerships are critical in protecting the nation against attacks from state actors, such as China and Russia. Coordination between government and industry is needed to improve information sharing about emerging cyber threats and best practices to address them. Industry should also build strong relationships with their regulators and law enforcement to increase that collaboration. No company should stand alone in the face of threats from countries that want to do us harm. Just the other day, the Biden Administration publicly condemned the People’s Republic of China for its cybersecurity campaigns. I appreciate that statement, but more action is needed to push back on threats from China and hold Beijing accountable for its malicious behavior.
I want to thank all of our witnesses for being here today, and I look forward to your testimony and our give-and-take during the question-and-answer. Thank you.
Witness Panel 1
Hon. Polly TrottenbergDeputy SecretaryDepartment of Transportation
Leslie GordonActing Director of Homeland Security and JusticeGovernment Accountability Office
Hon. David PekoskeAdministratorTransportation Security Administration