TSA Issues Cybersecurity Requirements for PipelinesAgency Cites 'Ongoing Cybersecurity Threat'
The U.S. Transportation Security Administration issued a directive Tuesday requiring owners and operators of TSA-designated critical pipelines to implement cybersecurity controls.
TSA, an agency of the Department of Homeland Security, cited "the ongoing cybersecurity threat" in its latest directive, which applies to companies transporting hazardous liquids and natural gas.
"This security directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review," the TSA notes in its announcement. It did not offer details on its recommended mitigation measures.
The new TSA requirements build off another DHS directive issued in May following the ransomware attack on Colonial Pipeline Co. That directive required pipelines to report confirmed and potential cybersecurity incidents to CISA; designate a cybersecurity coordinator to be available around the clock; review current practices; and identify gaps and remediation measures to address cyber-related risks (see: DHS Unveils New Cybersecurity Requirements for Pipelines).
The Colonial Pipeline Co. ransomware attack in May, which involved the DarkSide gang, led the company to shut down its pipeline serving much of the East Coast region.
The company paid a $4.4 million ransom to receive a decryptor, but federal investigators later recovered $2.3 million (see: How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?).
"The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats," says Secretary of Homeland Security Alejandro N. Mayorkas. "Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security."
Andrew Barratt, managing principal at cloud security firm Coalfire, which provides services to DHS and other federal agencies, says he hopes DHS will provide further guidance "that incorporates enforcement powers and a more technical regulation rather than high-level guidance."
The new TSA directive "is focused on that subset of controls for ransomware mitigation - think backups, offline domain controller and other critical network infrastructure held in reserve, and a good response plan for rapid quarantine and mitigation," says Mike Hamilton, former vice chair for the DHS State, Local, Tribal and Territorial Government Coordinating Council.
"Next - and there will be a next - more of a fully functioning security program will be required, likely in alignment with the NIST Cybersecurity Framework," says Hamilton, who is now CISO of security firm Critical Insight. "These few ransomware mitigation tactics don’t cover things like employee awareness training, managed remote access, third-party risk management, etc. All that is coming."
Earlier Chinese Campaign
A joint advisory from CISA and the FBI Tuesday outlines a comprehensive spear-phishing and intrusion campaign conducted by Chinese state-sponsored actors between 2011 and 2013 that targeted U.S. oil and natural gas pipeline companies.
The two agencies say 23 pipeline operators were targeted - 13 of which were confirmed to have been compromised."
The agencies say Chinese state-sponsored actors targeted pipeline infrastructure for the purpose of holding it "at risk" and bolstering the nation's cyberattack capabilities "to physically damage pipelines or disrupt operations."
CISA and the FBI say the Chinese threat actors targeted oil and natural gas pipeline companies with spear-phishing emails and social engineering attempts to gain valuable assets. They also compromised authorized remote access channels and collected and exfiltrated industrial control system information, but they "made no attempts to modify the pipeline operations of systems they accessed."
The agencies say that during the intrusions, "China was successful in accessing the supervisory control and data acquisition networks at several U.S. natural gas pipeline companies" and gained information on dial-up access because dial-up modems were then prevalent in the energy sector.