Cybersecurity Regs for Pipelines Reportedly Coming SoonFresh Regulations Planned Following Colonial Pipeline Ransomware Attack
The U.S. Department of Homeland Security is preparing cybersecurity regulations for the oil and gas industry in the wake of the ransomware attack on Colonial Pipeline Co. that resulted in the company suspending operations for several days, according to The Washington Post.
Under the new regulations, the Transportation Security Administration, which is part of DHS, will require oil and gas companies to report security incidents to the federal government, a DHS official told the newspaper.
The pending regulations also will require companies to have an executive who is responsible for cybersecurity and has a direct line to the TSA and the Cybersecurity and Infrastructure Security Agency to report an incident, the Post reports. Gas and oil firms will also be required to conduct security assessments.
The first of these new regulations is expected to be issued later this week, according to the newspaper. These will be followed in the coming weeks by other new mandatory cybersecurity requirements for oil and gas companies.
A Department of Homeland Security spokesperson, who did not directly address the specifics in The Washington Post report, tells Information Security Media Group: "The Biden administration is taking further action to better secure our nation's critical infrastructure. TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyberthreats and secure their systems. We will release additional details in the days ahead."
Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office, says the pending security incident reporting requirements are a good first step toward protecting critical infrastructure, but more needs to be done to ensure that federal agencies can investigate and stop ransomware attacks.
"What steps are being taken to ensure that the appropriate federal agencies are provided the resources to oversee and enforce these new policies and regulations?" asks Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. "Mandating compliance to a certain set of standards is needed, but the more regulation placed on critical infrastructure entities, the more capability and resources are needed by the regulators."
Colonial Pipeline Attack
The ransomware attack against Colonial Pipeline led the company to temporarily suspend most operations along its 5,500-mile-long pipeline serving the East Coast. The incident resulted in fuel shortages in several states and prompted a fresh round of concern over the security of the nation's critical infrastructure (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).
Colonia Pipeline CEO Joseph Blount revealed on May 19 that the company had paid the attackers a $4.4 million ransom to obtain a decryption key, but it proved to be faulty. Blount is slated to testify at a June 9 congressional hearing on the ransomware incident (see: Colonial Pipeline CEO to Testify at Congressional Hearing).
Federal officials say DarkSide ransomware was used in the attack on Colonial Pipeline. The DarkSide gang announced May 13 that it was shutting down its ransomware-as-a-service operation.
"The power generation sectors like this frequently lag behind in security posture with aging infrastructure and legacy systems that have been in place for decades," says Joseph Neumann, a cyber executive adviser at consulting firm Coalfire. "These organizations over the years have slowly blended their corporate and operational technology networks, creating a nasty opportunity for bad things to occur, as we have seen in the Colonial Pipeline incident."
TSA and Cybersecurity
Created in the wake of the Sept. 11, 2001, terrorist attacks, the TSA has been responsible for the physical security of the nation's interstate pipelines as a protection against a terrorist attack. The agency started issuing voluntary cybersecurity guidelines in 2010.
In 2018, the Government Accountability Office released a report that criticized the TSA's pipeline security oversight and noted that an attack on a pipeline can have far-reaching consequences.
"Given that many pipelines transport volatile, flammable, or toxic oil and liquids, and given the potential consequences of a successful physical or cyberattack on life, property, the economy and the environment, pipeline systems are attractive targets for terrorists, hackers, foreign nations, criminal groups and others with malicious intent," the GAO report noted.
The ransomware attack against Colonial Pipeline has now drawn additional scrutiny over TSA and its attention to cybersecurity details. Richard Glick, the chairman of the Federal Energy Regulatory Commission, which oversees natural gas and gas pipeline transmissions in the U.S., called for mandatory and uniform cybersecurity standards for the gas and oil industry.
"The TSA has never taken an active role in recommending, promoting or insistence on cybersecurity controls over pipeline operations but as the sector-specific agency for the transportation sector, the agency will now fill that responsibility," says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
Hamilton believes that a new directive that will require a cybersecurity point of contact at oil and gas companies to report incidents to TSA and CISA is a step in the right direction. He also notes that TSA and other agencies will likely start working with the National Institute of Standards and Technology to create a security framework for the industry.
"What's also likely in the longer term is because of the adjacency to the energy sector, NIST may collaborate with another agency, such as the North American Electric Reliability Corp. and the Federal Energy Regulatory Commission, to create pipeline-specific operational security requirements that leverage work done at Idaho National Lab," says Hamilton, who now serves as CISO of CI Security. "From there, they can focus on consistent application of policy - for example, vulnerability management … as well as create stringent controls for remote access and network segmentation, etc. - all of which can be audited and include penalties for noncompliance."
Focus on Critical Infrastructure
In April, the Biden administration began rolling out the first of what it calls 100-day plans to address cybersecurity shortfalls in the nation's critical infrastructure. The first plan focused on the electrical grid, and other plans will focus on other sectors, including oil and gas, the administration says (see: 100-Day Plan to Enhance Electrical Grid Security Unveiled).
Several bills have been introduced in Congress to address a range of security issues in the nation's critical infrastructure (see: 2 Bills Introduced in Wake of Colonial Pipeline Attack).
Tim Wade, a former U.S. Air Force officer who is now technical director for the CTO Team at security firm Vectra AI, says that while federal regulations sometimes lead to governmental overreach or bureaucratic problems, improvements in cybersecurity, especially in industries such as oil and gas, are needed.
"In this particular case, however, it often feels like we're talking about a Wild West that lacks basic security maturity and has ignored at least a decade of credible alarm bells," Wade says.