It was only a matter of time before the midstream industry fell prey to a cybersecurity attack like the one recently suffered by Colonial Pipeline Co., an attorney and subject matter expert at firm Jones Walker LLP said in a recent interview.

The 5,500 mile East Coast gasoline artery recently shut down its entire system to prevent ransomware, later identified by the FBI as DarkSide, from migrating from information technology systems to operational technology systems.

As cybersecurity and information technology professionals warn that attacks shutting down physical infrastructure are becoming more commonplace, Jones Walker's Andrew Lee said midstream companies are behind the curve. Lee, whose firm in 2020 produced a report that shed light on industry unpreparedness, in part focuses on data privacy and cybersecurity, along with recovery after cyber intrusions.

"We've been concerned about supply chain disruptions for a long time," he said in an interview. "You've got technology that in some cases is decades old. … [Y]ou have control systems that for the purposes of the operator are working fine, but they're too vulnerable in this current environment to be on those systems."

The domestic pipeline industry's last high-profile cybersecurity breach occurred in 2018 when Energy Transfer LP reported an outage in a third-party company's electronic transaction data for its major natural gas pipeline systems. Pipeline operations were unaffected.

Moody's, in a May 10 note to clients, also emphasized that the oil and gas sector's "cyber risk management and mitigation practices are not as advanced as the average corporate finance sector participant." According to a survey, the credit rating agency continued, "54% of oil and gas company respondents had completed a tabletop simulation exercise in the past 12 months, compared to 100% of the banks and 65% of the broader corporate finance universe."

A Jones Walker survey of 125 midstream executives conducted May 7-June 3, 2020, revealed that while many companies are implementing additional technologies to combat hackers, 40% "experienced a successful (12%) or attempted (28%) data breach during the 12-month period preceding the survey." However, "only 37% of companies report providing annual cybersecurity training, 18% provide training every other year, and 35% provide no cybersecurity training at all." Just 38% of respondents said their company's cybersecurity budget would increase in the coming year, and 34% said those budgets will decrease.

"It may be that this incident will be enough of a wake-up call," Lee said about the Colonial incident. "There is a hope that pipeline companies treat cybersecurity and information security safety the same way that they treat physical safety."

One impediment beyond the budgets themselves, however, is insufficient staffing at the U.S. Department of Homeland Security's Transportation Safety Administration, Lee said. A second is the lack of inertia from industry groups.

"There are industry groups that are certainly focused on it and giving tools to companies, but the compliance and participation is almost completely voluntary," Jones Walker's Lee explained. "You've got very few carrots and a lot of sticks to incentivize the industry to actively participate in upgrading their cybersecurity readiness."

According to the Interstate Natural Gas Association of America's website, its member companies do adhere to a cybersecurity framework established by the National Institute of Standards and Technology and have "plans in place to ensure systems can continue to operate in the event of an outage of a supervisory control and data acquisition (SCADA) system."

The American Petroleum Institute said recently that it was premature to craft regulations in direct response to the Colonial Pipeline hack until the details of the incident are known. Rather, the trade group said, it was more constructive to adopt more flexible policies down the line that allow companies to adapt to evolving threats.

The Federal Energy Regulatory Commission, meanwhile, has reiterated support for mandatory cybersecurity standards for pipeline operators even though TSA is the lead agency for pipeline safety.