Pipeline companies stay silent on cybersecurity topic despite risks

Executives raised the topic of cybersecurity three times between 2015 and 2020, according to a review of conference call transcripts across 18 U.S. pipeline companies. One recent exception is Enterprise Products Partners LP, which dedicated a chunk of its March “ESG Day” to the issue.

The Colonial Pipeline has been shut down since Friday after an attack by the ransomware group DarkSide. U.S. government officials and consultancies have pointed at the incident as the clearest indication yet that the oil-and-gas industry is unprepared to combat these increasingly sophisticated threats.

Companies are likely resistant to sharing too much of their cybersecurity strategy out of fear that it would help hackers infiltrate their systems, though the lack of discussion also demonstrates how unsatisfying safeguarding those networks can be.

“That’s just a function of no one asking much about it,” said Hinds Howard, a longtime pipeline investor at CBRE Clarion Securities LLC. “Like, is the investor community going to get jazzed up about how much you spend on cybersecurity?”

Despite operating the biggest pipeline in the U.S., Colonial is a relatively obscure entity compared to publicly traded behemoths like Kinder Morgan Inc. and Energy Transfer LP. Colonial doesn’t have quarterly earnings calls with analysts and investors, and is therefore not included among the transcripts analyzed by Bloomberg. Colonial has said in statements that it’s working with relevant government officials and third-party experts to secure the pipeline and resume service.

“There will be some investors or management who will take this and the storm issues and talk about how important pipeline infrastructure is,” Howard said. “Others will be careful with talk like that because it invites potential for more regulation of the assets, which I don’t think midstream companies want.”