DHS Orders Pipeline Operators to Report Cyberattacks, Review Security Posture

On the heels of the Colonial Pipeline attack, the US Department of Homeland Security aims to force a reticent industry to improve its ability to detect and respond to cybersecurity attacks.

The US government has issued a security directive that requires owners and operators of critical pipelines to take concrete steps to improve cybersecurity, following the ransomware attack on Colonial Pipeline earlier this month.

Today's security directive, issued by the US Department of Homeland Security's (DHS) Transportation Security Administration (TSA), requires critical pipeline operators, such as Colonial Pipeline, to report all confirmed and potential cyberattacks, to designate a cybersecurity coordinator to improve incident response, and to produce a cybersecurity plan based on a comprehensive assessment of their current practices and gaps, to be completed within the next 30 days. The US has more than 2.7 million miles of pipeline carrying fuel, chemicals, and other materials to businesses and homes.


The latest security directive will allow the DHS to better identify and respond to threats against the pipeline infrastructure, said Secretary of Homeland Security Alejandro N. Mayorkas in a statement announcing the directive. 

"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," he said. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."

The directive comes less than three weeks after Colonial Pipeline shut down its network in response to a ransomware attack on its IT systems. The attack, carried out by DarkSide, a Russia-linked cybercriminal group, halted pipeline operations for nearly a week, and panic buying by consumers produced fuel shortages and price spikes at gas stations along the US East Coast.

The new requirements follow the release of President Joe Biden's executive order on cybersecurity two weeks ago, which addressed information sharing on cyber incidents and the security of the software supply chain. The announced security directive indicates that the US government is taking a more forceful stance on critical infrastructure, but the effort is long overdue and only represents a first step, says Chris Hallenbeck, a former official at DHS and US-CERT who is now CISO for the Americas at endpoint security firm Tanium.

"We have to move away from what has been a completely voluntary system of cybersecurity for the pipeline sector," he says. "They have basically been able to say, 'We don't want you to come in and inspect us,' and the DHS did not have the resources to argue."

The security directive will augment the DHS's current Pipeline Cybersecurity Initiative, created in October 2018, which lists threat assessments as voluntary. The directive will require operators "to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks," states DHS's announcement of the directive.

Yet adoption of the cybersecurity recommendations has, to date, been lacking, said John Dickson, principal of the software-security consultancy Denim Group, in a recent interview with Dark Reading. Outside of the major oil and gas companies, such as Exxon Mobil and Shell, getting the industry to take cybersecurity seriously has been a slow march, he said.

"The downstream guys, as these pipeline companies are called, don't give a flying frog about cybersecurity," Dickson said. "How do we get these guys to do the right thing absent a breach? To them, risk in the physical realm is a pipeline explosion. They don't see cyberattacks as a risk — or they didn't."

Most cybersecurity executives see the security directive as a start to getting the pipeline sector to consider cybersecurity more carefully, not a definitive step to solving the problem of companies facing operational disruption due to cyberattacks. 

Knowing that data on attacks and details of incidents could be made public in the future may be enough to get the industry to commit to cybersecurity more fully, says Duncan Greatwood, CEO of zero-trust security firm Xage.

"The creation of a hack report is not itself a major change, since companies are already doing this internally," he says. "What will make a difference to companies is the knowledge that the attack information will be shared in future and even made public in many cases."

Colonial Pipeline paid roughly 75 Bitcoin, worth about $4.4 million at the time, on May 8, the day after it discovered it had been struck by ransomware, according to reports. That is despite indications on May 12 that the company would not pay the ransom.

The US government, through the US Department of the Treasury's Office of Foreign Assets Control (OFAC), has warned companies that paying ransoms to sanctioned groups or individuals could expose them to sanctions violations and civil penalties. Some cybersecurity experts recommend going further and restricting ransom payments outright.

"We need to decide whether paying ransoms should be illegal," says Tanium's Hallenbeck. "By continuing to pay, we are guaranteeing that future attacks will be profitable for attackers."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism.
