DHS Orders Pipeline Operators to Report Cyberattacks, Review Security Posture

On the heels of the Colonial Pipeline attack, the US Department of Homeland Security aims to force a reticent industry to improve its ability to detect and respond to cybersecurity attacks.

The US government has issued a security directive that requires critical pipeline owners and operators to take significant steps to improve cybersecurity following the ransomware attacks on Colonial Pipeline earlier in the month.

Today's security directive, issued by the US Department of Homeland Security's (DHS) Transportation Security Administration (TSA), requires critical pipeline operators, such as Colonial Pipeline, to report all confirmed and potential cyberattacks, improve their incident response by assigning a cybersecurity coordinator, and create a cybersecurity plan based on the results of a comprehensive threat assessment conducted within the next 30 days. The US pipeline infrastructure consists of more than 2.7 million miles of pipelines transporting fuel, chemicals, and other materials for use in businesses and homes.


The latest security directive will allow the DHS to better identify and respond to threats against the pipeline infrastructure, said Secretary of Homeland Security Alejandro N. Mayorkas in a statement announcing the directive. 

"The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats," he said. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security."

The directive comes less than three weeks after Colonial Pipeline shut down its network in response to a ransomware attack on its IT systems. The attack — carried out by DarkSide, a Russia-linked cybercriminal group — resulted in the pipeline stopping operations for almost two weeks, while consumers panicked at gas stations, causing fuel shortages and price spikes.

The new requirements follow the release of President Joe Biden's executive order on cybersecurity two weeks ago, which addressed information sharing on cyber incidents and the security of the software supply chain. The announced security directive indicates that the US government is taking a more forceful stance on critical infrastructure, but the effort is long overdue and only represents a first step, says Chris Hallenbeck, a former official at DHS and US-CERT who is now CISO for the Americas at endpoint security firm Tanium.

"We have to move away from what has been a completely voluntary system of cybersecurity for the pipeline sector," he says. "They have basically been able to say, 'We don't want you to come in and inspect us,' and the DHS did not have the resources to argue."

The security directive will augment the DHS's current Pipeline Cybersecurity Initiative, created in October 2018, which lists threat assessments as voluntary. The directive will require operators "to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks," states DHS's announcement of the directive.

Yet adoption of the cybersecurity recommendations has, to date, been lacking, said John Dickson, principal of the software-security consultancy Denim Group, in a recent interview with Dark Reading. In fact, outside of major oil and gas companies, such as Exxon Mobil and Shell, getting the industry to take cybersecurity seriously has been a slow march, he said.

"The downstream guys, as these pipeline companies are called, don't give a flying frog about cybersecurity," Dickson said. "How do we get these guys to do the right thing absent a breach? To them, risk in the physical realm is a pipeline explosion. They don't see cyberattacks as a risk — or they didn't."

Most cybersecurity executives see the security directive as a start to getting the pipeline sector to consider cybersecurity more carefully, not a definitive step to solving the problem of companies facing operational disruption due to cyberattacks. 

Knowing that data on attacks and details of incidents could be made public in the future may be enough to get the industry to commit to cybersecurity more fully, says Duncan Greatwood, CEO of zero-trust security firm Xage.

"The creation of a hack report is not itself a major change, since companies are already doing this internally," he says. "What will make a difference to companies is the knowledge that the attack information will be shared in future and even made public in many cases."

Colonial Pipeline paid about 75 Bitcoin, or $4.4 million, on May 8, the day after it discovered it had been struck by ransomware, according to reports. That's despite claiming on May 12 that it would not pay the ransom.

The US government, through the US Department of the Treasury's Office of Foreign Assets Control (OFAC), has begun to warn companies that paying ransoms to sanctioned groups could put them in legal jeopardy. Some cybersecurity experts recommend such moratoriums be expanded.

"We need to decide whether paying ransoms should be illegal," says Tanium's Hallenbeck. "By continuing to pay, we are guaranteeing that future attacks will be profitable for attackers."
