DHS Unveils New Cybersecurity Requirements for Pipelines
Security Directive Issued Following Colonial Pipeline Ransomware Attack
The Department of Homeland Security has issued a cybersecurity directive that requires the operators of oil and gas pipelines to report ransomware attacks and other security incidents to the government.
The new cybersecurity mandates, which will replace some voluntary guidelines that had been in place for a decade, were announced Thursday in the wake of a May 7 ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline serving the East Coast, triggering fuel shortages in several states.
The security directive, which will be enforced by the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency, requires companies that own or operate oil and gas pipelines to report any security incidents, as well as potential threats, to DHS. It also requires the firms to have a dedicated "cybersecurity coordinator" available around the clock.
The directive also requires pipeline owners and operators to review their cybersecurity practices, identify any gaps and required risk remediation measures, and report the results to TSA and CISA within 30 days.
TSA says it's considering releasing several other directives for oil and gas pipeline operators.
"The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security," says Homeland Security Secretary Alejandro Mayorkas. "DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure."
The security directive comes as the pipeline industry is facing increasing scrutiny (see: Cybersecurity Regs for Pipelines Reportedly Coming Soon).
The directive does away with many of the voluntary cybersecurity reporting guidelines TSA put in place in 2010. This week, The Wall Street Journal reported that Colonial Pipeline did not undergo a review of its security practices in 2020 as requested by TSA.
Since 2018, the U.S. Government Accountability Office has accused TSA of lax oversight of the nation's interstate pipeline systems. TSA took on responsibility for the physical security of pipelines following the terrorist attacks on Sept. 11, 2001.
Lack of Preparation
Bernie Cowens, the former CISO of Pacific Gas & Electric, said in a recent interview that the U.S. was not well-prepared to handle the type of attack that disrupted Colonial Pipeline (see: Colonial Pipeline Attack: 'We're Simply Unprepared').
The Colonial Pipeline attack "simply underscores the fact that in many areas we're simply underprepared," Cowens said. "We don't seem to be aware of the situation - at least not at the level that we need to be - and we don't seem to be taking the actions that we need … especially in critical infrastructure."
Joseph Neumann, a cyber executive adviser at the consulting firm Coalfire, suggests that DHS and TSA should further expand security requirements for pipeline operators. For example, he says the companies should provide metrics to help determine the risks they're facing. He would also like to see Congress make the DHS security directive's requirements permanent by codifying them into law.
DHS's new requirements are being implemented as a result of an executive order, so they're not truly permanent and have "little to no teeth" for enforcement, he says. "This is nowhere near enough and is completely reactionary to make it look like the administration is actually trying to solve the problem," he adds.
Neumann recommends that DHS and the Biden administration issue additional directives that would put new cybersecurity rules in place for operational technology and industrial control systems, requiring system developers to bake security into the designs.
"ICS systems are not built with security in mind and have never been," Neumann says. "OT systems need to be treated the same way as IT and maintained as such. Vendors providing these technologies need to be held to the same standards and not ride the assumptions of network segmentation."
Colonial Pipeline Investigation
In the meantime, the investigation into the Colonial Pipeline attack continues, and Congress will hold a hearing about the incident on June 9 (see: Colonial Pipeline CEO to Testify at Congressional Hearing).
Lawmakers are expected to ask Colonial Pipeline CEO Joseph Blount why the firm paid a $4.4 million ransom to the DarkSide criminal gang to obtain a decryptor, which ultimately proved to be faulty.
The DarkSide gang announced May 13 that it was shutting down its ransomware-as-a-service operation.
Several bills have recently been introduced in Congress to address a range of security issues in the nation's critical infrastructure (see: 2 Bills Introduced in Wake of Colonial Pipeline Attack).
Bryan Orme, principal and partner at cybersecurity firm GuidePoint Security, says that while incident reporting rules and mandatory guidelines will not necessarily lead to better security, the emphasis on cybersecurity should at least bring more attention to the issue.
"Although compliance with a regulation does not necessarily achieve a strong security posture, it at least raises the bar to a minimum acceptable threshold for security," Orme says. "Stronger regulatory requirements and enforcement for these organizations that provide critical services to U.S. citizens should ensure that these entities achieve and maintain an acceptable level of cybersecurity controls."