After the dust has settled, Congress is likely to call hearings to question Colonial Pipeline executives and cybersecurity experts to help figure out what went wrong and how events like this can be prevented in the future. An outside audit of Colonial's information management practices three years ago found glaring problems.
The chairman of the Federal Energy Regulatory Commission, Richard Glick, said the government should create and enforce mandatory pipeline-security standards similar to those that have been required of the electricity sector for more than a decade.
And members of the House Energy Committee re-introduced bills this week aiming to strengthen the Department of Energy's ability to respond to cybersecurity threats and to encourage more coordination between the federal government and utilities.
Some might want regulators to ease permitting procedures so that more pipelines can be built, to boost reliability of supply. But there may be reluctance to facilitate building alternate pipeline routes, since President Joe Biden has made it clear that he wants to transition away from fossil fuels as quickly as possible, in favor of clean energy such as wind and solar.
“There’s going to be that tradeoff between making the permitting process easier, on the one hand, in order to get these pipelines built and then, on the other hand, should we be building these pipelines at all if we want to move away from fossil fuels?” Jha said.
When proposals are made on the state or federal level to combat cybersecurity threats, it's important to remember that one size does not fit all, said Drue Pearce, director of government affairs at Holland & Hart, and former deputy administrator of the Pipeline Hazardous Materials Safety Administration at the Department of Transportation. What fits the bigger players doesn't necessarily work for smaller ones, so it's difficult to write policies that work for everyone, she said.
Pipelines and other companies that transport hazardous materials "get an incredible number of hacking attempts on a daily basis, already," Pearce said. ”You don’t know which ones are ransomware, you don’t know which one is a 13-year-old sitting at home wondering if he can break into this thing."