The security of so-called critical infrastructure facilities like oil and gas pipelines is so important, according to the fossil fuel industry and its political allies, that states are justified in passing laws that establish lengthy prison sentences for protesters and other people who enter such facilities without permission.
With the backing of the American Petroleum Institute (API), more than a dozen states in the past few years have passed these critical infrastructure security measures, which critics call anti-protest laws.
In February, API lobbyist Ken Eckles testified in support of a critical infrastructure protection bill in the Kansas Senate, saying that “Recent third-party actions aimed at disrupting operations at oil and natural gas sites and facilities has raised significant concern among our members.”
But when it comes to its member companies being required by law to take certain steps to secure their pipelines, including cybersecurity measures to prevent hacking, API has a far more lenient attitude.
“The natural gas and oil industry’s reliance on proven risk management-based frameworks and public-private collaboration, rather than prescriptive regulation, is the most effective and robust method of bolstering the cybersecurity of our industry companies and the critical infrastructure they operate,” API wrote on its website in 2018, following a GAO report warning that the U.S. does not have enforceable pipeline security regulations.
Unlike the bulk power system in the U.S. and the oil and gas pipeline system in Canada, companies operating oil and gas pipelines in the U.S. do not have mandatory security and cybersecurity regulations. The Transportation Security Administration (TSA), which oversees the pipelines, has only issued voluntary standards, which pipeline companies can choose not to follow without fear of any federal penalties.
Though the Department of Transportation’s (DOT) inspector general warned in a 2008 report that TSA’s guidance is “not mandatory and remains unenforceable” and members of Congress have been trying to pass mandatory regulations since at least 2012, API and its allies have resisted.
In 2005, API and other industry trade groups told members of the Senate Commerce Committee in a letter that security regulations would be “redundant” with their voluntary efforts and “may not be necessary to increase pipeline security.”
An administrator at the Pipeline and Hazardous Materials Safety Administration who was later hired by Alyeska Pipeline Service Company as president testified to Congress in 2007 that enhancing security “does not necessarily mean that we must impose regulatory requirements.”
Since 2011, API has reported lobbying Congress, TSA, and other government agencies on cybersecurity issues in 23 quarters, spending nearly $45 million on lobbying across those quarters, according to disclosures the group filed with Congress.
Colonial Pipeline, which appears to have shut down its East Coast gas pipeline after its billing system was hit by ransomware, is a member of API. The company is owned in part by Koch Industries.
While President Biden said last week in a press briefing on the Colonial Pipeline incident that he “cannot dictate that the private companies do certain things relative to cybersecurity,” Department of Energy Secretary Jennifer Granholm sounded more open to the idea of regulations yesterday at a congressional hearing.
Asked by Energy and Commerce Committee Chairman Rep. Frank Pallone Jr. (D-N.J.) if pipelines should face mandatory security standards, Granholm said, “If we had had standards in place, would this particular ransomware attack have been able to happen? You know, I’m not 100 percent sure.”