The U.S. Department of Homeland Security’s Transportation Security Administration (TSA) released on Thursday a Security Directive that requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA).
The security agency also called for the appointment of a ‘Cybersecurity Coordinator,’ to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
The TSA is also considering follow-on mandatory measures that will further support the pipeline industry, in enhancing its cybersecurity and strengthen the public-private partnership that is critical to the cybersecurity of the nation.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
The TSA Security Directive also highlights the critical role that CISA plays as the country’s national cyber defense center. Last December, Congress, through the National Defense Authorization Act, empowered CISA to execute its mission to secure federal civilian government networks and our nation’s critical infrastructure from physical and cyber threats.
The CISA doesn’t plan to release compliance information on specific pipelines, because of potential security risks, but the new requirements will allow the agency to produce a better aggregate analysis of vulnerability and risk in the pipeline sector, according to DHS officials.
The DHS directive comes after Colonial Pipeline was hit by DarkSide ransomware leading to a compromise of the fuel pipeline company’s IT networks, and affecting its operations. The company is reported to have paid close to nearly $5 million as a ransom to the DarkSide ransomware attackers, after its operations were hit on May 7.
The U.S government released this month an Executive Order that aims to bring about decisive steps to modernize US critical infrastructure and its approach to cybersecurity by increasing visibility into threats while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.
The order also covers the protection and security of the IT systems that process data, and the OT (operational technology) environments that run the vital machinery to ensure safety, while incorporating the scope of its authorities and resources to protect and secure its computer systems, irrespective of whether they are cloud-based, on-premises or hybrid.
Apart from its Security Directive, the TSA has also amended in April its guidelines on Pipeline Security Guidelines to include the ‘criticality’ clause. The objective in determining which pipeline facilities are critical is to ensure that reasonable appropriate security risk reduction measures are implemented thereby reducing the impact of service disruptions to critical infrastructure and the public.
The TSA is responsible for notifying pipeline operators of TSA-designated critical pipeline systems, and operators should pay particular attention to identifying critical facilities on these systems. A pipeline facility is considered critical if it provides primary service to designated critical infrastructure and is determined by the operator to be a “single point of failure.” TSA defines a single point of failure as a facility that if rendered inoperable would degrade service to critical infrastructure to the point that the infrastructure would not be able to satisfactorily perform its critical mission.
Earlier this year, CISA’s National Risk Management Center (NRMC) announced the publication of the Pipeline Cybersecurity Resources Library to provide pipeline facilities, companies, and stakeholders with a set of free, voluntary resources to strengthen their cybersecurity posture. The library includes a variety of resources such as cybersecurity assessments, tools, and services, risk reduction information, standards and guides, in addition to training from CISA, the Department of Energy, and the National Labs.
Commenting on the latest government move, Xage CEO Duncan Greatwood says that the DHS security directive is likely just the beginning of a larger process in which the U.S. government provides both incentives and regulation to push companies to cyber-harden their operations.
“The current directive mandates the reporting of attacks. The creation of a hack report is not itself a major change, since companies are already doing this internally. What will make a difference to companies is the knowledge that the attack information will be shared in future, and even made public in many cases,” Greatwood said in an emailed statement. “Once an attack is public knowledge, shareholders, partners, and boards of directors will expect further investigation and remediation—including investments in preventative measures that leverage the principles of zero-trust security.”