In the wake of the ransomware attack against Colonial Pipeline, the Department of Homeland Security (DHS) has revealed new requirements aimed at all pipeline owners and operators in the U.S. Announced by DHS’ Transportation Security Administration (TSA) on Thursday, the security directives are designed to better detect and combat cyber threats against companies in the pipeline industry.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
First, owners and operators of critical pipeline facilities will have to report both confirmed and potential cybersecurity incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA). Further, pipeline operators must select someone to act as a cybersecurity coordinator, available 24 hours a day, 7 days a week.
Next, pipeline owners and operators will be required to review their current cybersecurity practices, identify gaps and detail measures required to mitigate any risks. They’ll also have to report these results to both the TSA and CISA within the next 30 days.
The TSA said it’s looking into additional requirements to help the pipeline industry improve its cybersecurity and enhance the public-private partnership that’s key to the country’s security.
Both the TSA and CISA have an active part to play in these new security requirements. Along with DHS, the TSA was established shortly after the 9/11 attacks in 2001. Since then, the agency has worked with pipeline operators and partners on the physical security of hazardous liquid and natural gas pipeline systems.
Responsible for defending the country’s critical infrastructure against security attacks, CISA hosts a Cyber Resource Hub with details on potential threats and recommendations for organizations on how to defend themselves against ransomware attacks. Last December, Congress passed the National Defense Authorization Act of 2021 that gave CISA more power to secure federal civilian government networks and critical infrastructure from physical and cyber threats.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro Mayorkas said in a press release. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
Though the recent ransomware attack against Colonial Pipeline wasn’t the first to affect critical infrastructure, the incident raised alarm bells around the world, especially in the U.S. government. The apparent ease at which Colonial Pipeline was compromised showed how key resources are vulnerable. The energy sector in particular has long been susceptible to cyberattack.
“Cybersecurity risk management can be particularly challenging for energy companies,” said Anthony Pillitiere, co-founder and CTO at Horizon3.AI. “With a primary objective of reducing outages, they often have to adopt an ‘if it ain’t broke, don’t fix it’ mentality where software/hardware component patches are not installed to avoid the possibility of service disruptions. Any new regulation to secure critical infrastructure is going to require funding to have any hope of implementation by an industry already under stress.”
The cybercriminal groups that target critical infrastructure also have ample skills and resources to carry out their attacks.
“Attacks targeting critical national infrastructure (CNI) tend to be the work of advanced persistent threat (APT) groups working on behalf of nation states with specific goals,” said Joseph Carson, chief security scientist at ThycoticCentrify. “Such high-level adversaries are difficult to defend against as they have the time and resources required to repeatedly test security measures and find gaps, whereas more opportunist criminals in search of profits will opt for soft targets.”
The new cybersecurity requirements sound like steps in the right direction, but some analysts believe energy companies will have difficulty following them.
“This is a start, but there is a lot of ambiguity in what will constitute confirmed and potential cybersecurity incidents,” said John Hellickson, CXO adviser for cyber strategy at Coalfire. “Depending on the interpretation, would a phish attempt in itself be a potential incident?”
Further, the 30-day deadline imposed on identifying and remediating potential security gaps is too short, according to Hellickson. As such, organizations will likely have internal staffers conduct the reviews, which could leaded to missed data.
“Ideally, the organizations would be required to have a third party perform an assessment based on a defined cybersecurity standard, and results provided in say 90 days to give time to perform the assessment and integrate it into their overall cybersecurity strategy,” Hellickson. “Once a remediation strategy and roadmap is defined, check-ins by TSA/CISA demonstrating measurable improvements will be key.”