The Department of Homeland Security (DHS) will issue a directive later this week requiring all pipeline companies to report cybersecurity incidents to federal authorities. The directive comes two weeks after Colonial Pipeline, which operates the biggest gasoline conduit to the East Coast, was forced to shut down its 5,500-mile pipeline after a devastating ransomware attack.
The Washington Post first reported that DHS's Transportation Security Administration (TSA) will be issuing the directive this week. A spokesperson for DHS told The Hill in an emailed statement Tuesday that “the Biden administration is taking further action to better secure our nation’s critical infrastructure,” with TSA and the federal Cybersecurity and Infrastructure Security Agency (CISA) working together on the issue. It will follow up in coming weeks with strict rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said.
"Unless the federal government is appointing a new regulatory lead or new enforcement mechanisms, this regulation already exists, specifically for oil or gas refineries as defined within Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act," says Monti Knode, Director of Customer & Partner Success at Horizon3.AI, a continuous automated security assessment and validation company. "Reporting is one aspect - and they may even be exempt from public disclosure - but what we need is clear guidance related to ransomware and extortion and how much decision space private industry retains when they are considered "covered critical infrastructure."
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, "It’s unfortunate that it took a ransomware attack of this scale to get updated regulations in place, but it does show how important it is to keep all security standards up to date with modern attack types."
TSA’s new security directive will require pipeline companies to report cyber incidents to TSA and CISA and to have a cyber official — such as a chief information security officer — with a 24/7 direct line to TSA and CISA to report an attack, the Post reports. It will also require companies to assess the security of their systems as measured against existing cyber guidelines; fixing any gaps is currently voluntary.
Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, says, "It is always significant when a government group or organization puts out new regulations or mandates. The efficacy of the regulation typically comes down to the impact of failure on the organization - e.g does the regulation have teeth. This particular regulation should have a positive impact on security at pipeline companies due to the downside of failure being both financially and brand significant. Government fines and other damages are a strong incentive for security improvement".
However, critics like Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, argue, that "the risk of regulatory action is always overreach, a disconnect between the regulatory requirements and the desired outcomes, the law of unintended consequences, and the introduction or perpetuation of a framework that long outlives its usefulness. In this particular case, however, it often feels like we’re talking about a wild west that lacks basic security maturity and has ignored at least a decade of credible alarm bells. In light of that, these risks are almost certainly acceptable relative to the greater risk of prolonging inaction against the threats critical infrastructure faces.
John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, also agrees. "As we have seen, pipelines are critical infrastructure that can lead to real problems if they are disrupted. Notification to the federal government of cyberattacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents."
Schless adds, "Implementing new regulations could be very effective in the battle against cybercriminals so long as organizations actually take action to align with them. It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling. In order to protect themselves, organizations in every industry need to implement a philosophy of Zero Trust across their entire infrastructure. This is the only way to ensure that only healthy devices and legitimate users are accessing your internal resources. Without it, you have no way of knowing whether a particular device, network, or employee account has been compromised."
iboss Vice President of Research and Intelligence, Jim Gogolinski, who helped discover the infamous Sandworm, predicts swift compliance based on the potential for fines as much as $1 million per day for businesses that don't comply. "The pending directive will likely be modeled after the existing NERC CIP standards that are designed to prevent and mitigate attacks against critical electrical infrastructure. Reporting is obviously a key part of that but so are security protocols, system management, and personnel training. The NERC CIP standards are followed closely because fines for not complying can reach as high as $1 million per day per violation. If the new pipeline directive includes similar fines, we would expect to see swift efforts by the industry to come into compliance."