The US government has issued a security directive that requires critical pipeline owners and operators to take significant steps to improve cybersecurity following the ransomware attacks on Colonial Pipeline earlier in the month.
Today's security directive, issued by the US Department of Homeland Security's (DHS) Transportation Security Administration (TSA), requires critical pipeline operators, such as Colonial Pipeline, to report all confirmed and potential cyberattacks, improve their incident response by assigning a cybersecurity coordinator, and create a cybersecurity plan based on the results of a comprehensive threat assessment conducted within the next 30 days. The US pipeline infrastructure consists of more than 2.7 million miles of pipeline for transporting fuel, chemicals, and other materials for use in businesses and homes.
The latest security directive will allow the DHS to better identify and respond to threats against the pipeline infrastructure, said Secretary of Homeland Security Alejandro N. Mayorkas in a statement announcing the directive.
"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," he said. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."
The directive comes less than three weeks after Colonial Pipeline shut down its network in response to a ransomware attack on its IT systems. The attack — carried out by DarkSide, a Russia-linked cybercriminal group — resulted in the pipeline stopping operations for almost two weeks, while consumers panicked at gas stations, causing fuel shortages and price spikes.
The new requirements follow the release of President Joe Biden's executive order on cybersecurity two weeks ago, which addressed information sharing on cyber incidents and the security of the software supply chain. The announced security directive indicates that the US government is taking a more forceful stance on critical infrastructure, but the effort is long overdue and only represents a first step, says Chris Hallenbeck, a former official at DHS and US-CERT who is now CISO for the Americas at endpoint security firm Tanium.
"We have to move away from what has been a completely voluntary system of cybersecurity for the pipeline sector," he says. "They have basically been able to say, 'We don't want you to come in and inspect us,' and the DHS did not have the resources to argue."
The security directive will augment the DHS's current Pipeline Cybersecurity Initiative, created in October 2018, which lists threat assessments as voluntary. The directive will require operators "to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks," states DHS's announcement of the directive.
Yet adoption of the cybersecurity recommendations has, to date, been lacking, said John Dickson, principal of the software-security consultancy Denim Group, in a recent interview with Dark Reading. In fact, outside of major oil and gas companies, such as Exxon Mobil and Shell, getting the industry to take cybersecurity seriously has been a slow march, he says.
"The downstream guys, as these pipeline companies are called, don't give a flying frog about cybersecurity," Dickson said. "How do we get these guys to do the right thing absent a breach? To them, risk in the physical realm is a pipeline explosion. They don't see cyberattacks as a risk — or they didn't."
Most cybersecurity executives see the security directive as a start to getting the pipeline sector to consider cybersecurity more carefully, not a definitive step to solving the problem of companies facing operational disruption due to cyberattacks.
Knowing that data on attacks and details of incidents could be made public in the future may be enough to get the industry to commit to cybersecurity more fully, says Duncan Greatwood, CEO of zero-trust security firm Xage.
"The creation of a hack report is not itself a major change, since companies are already doing this internally," he says. "What will make a difference to companies is the knowledge that the attack information will be shared in future and even made public in many cases."
Colonial Pipeline paid about 75 Bitcoin, or $4.4 million, on May 8, the day after it discovered it had been struck by ransomware, according to reports. That's despite claiming on May 12 that it would not pay the ransom.
The US government, through the US Department of the Treasury's Office of Foreign Assets Control (OFAC), has begun to warn companies that paying ransoms to sanctioned groups could put them in legal jeopardy. Some cybersecurity experts recommend such moratoriums be expanded.
"We need to decide whether paying ransoms should be illegal," says Tanium's Hallenbeck. "By continuing to pay, we are guaranteeing that future attacks will be profitable for attackers."