
DHS Orders Pipeline Operators to Report Cyberattacks, Review Security Posture

On the heels of the Colonial Pipeline attack, the US Department of Homeland Security aims to force a reticent industry to improve its ability to detect and respond to cybersecurity attacks.

The US government has issued a security directive that requires critical pipeline owners and operators to take significant steps to improve cybersecurity following the ransomware attack on Colonial Pipeline earlier this month.

Today's security directive, issued by the Transportation Security Administration (TSA), part of the US Department of Homeland Security (DHS), requires critical pipeline owners and operators, such as Colonial Pipeline, to report all confirmed and potential cyberattacks, to improve their incident response by designating a cybersecurity coordinator, and to create a cybersecurity plan based on the results of a comprehensive threat assessment completed within the next 30 days. The US pipeline network spans more than 2.7 million miles, carrying fuel, chemicals, and other materials to businesses and homes.

The latest security directive will allow the DHS to better identify and respond to threats against the pipeline infrastructure, said Secretary of Homeland Security Alejandro N. Mayorkas in a statement announcing the directive. 

"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," he said. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."

The directive comes less than three weeks after Colonial Pipeline shut down its network in response to a ransomware attack on its IT systems. The attack, carried out by DarkSide, a Russia-linked cybercriminal group, halted pipeline operations for nearly a week; panic buying at gas stations followed, causing fuel shortages and price spikes.

The new requirements follow the release of President Joe Biden's executive order on cybersecurity two weeks ago, which addressed information sharing on cyber incidents and the security of the software supply chain. The announced security directive indicates that the US government is taking a more forceful stance on critical infrastructure, but the effort is long overdue and only represents a first step, says Chris Hallenbeck, a former official at DHS and US-CERT who is now CISO for the Americas at endpoint security firm Tanium.

"We have to move away from what has been a completely voluntary system of cybersecurity for the pipeline sector," he says. "They have basically been able to say, 'We don't want you to come in and inspect us,' and the DHS did not have the resources to argue."

The security directive will augment DHS's existing Pipeline Cybersecurity Initiative, created in October 2018, under which threat assessments are voluntary. The directive will require operators "to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks," states DHS's announcement of the directive.

Yet adoption of the cybersecurity recommendations has, to date, been lacking, said John Dickson, principal of the software-security consultancy Denim Group, in a recent interview with Dark Reading. Outside of major oil and gas companies such as Exxon Mobil and Shell, getting the industry to take cybersecurity seriously has been a slow march, he said.

"The downstream guys, as these pipeline companies are called, don't give a flying frog about cybersecurity," Dickson said. "How do we get these guys to do the right thing absent a breach? To them, risk in the physical realm is a pipeline explosion. They don't see cyberattacks as a risk — or they didn't."

Most cybersecurity executives see the security directive as a start toward getting the pipeline sector to consider cybersecurity more carefully, not a definitive fix for the operational disruption companies face from cyberattacks.

Knowing that data on attacks and details of incidents could be made public in the future may be enough to get the industry to commit to cybersecurity more fully, says Duncan Greatwood, CEO of zero-trust security firm Xage.

"The creation of a hack report is not itself a major change, since companies are already doing this internally," he says. "What will make a difference to companies is the knowledge that the attack information will be shared in future and even made public in many cases."

Colonial Pipeline paid about 75 Bitcoin, worth roughly $4.4 million at the time, on May 8, the day after it discovered it had been struck by ransomware, according to reports. That is despite claiming on May 12 that it would not pay the ransom.

The US government, through the Treasury Department's Office of Foreign Assets Control (OFAC), has begun warning companies that paying ransoms to sanctioned groups could put them in legal jeopardy. Some cybersecurity experts recommend that such prohibitions be expanded.

"We need to decide whether paying ransoms should be illegal," says Tanium's Hallenbeck. "By continuing to pay, we are guaranteeing that future attacks will be profitable for attackers."
