The Department of Homeland Security's Transportation Security Administration released new cybersecurity guidelines for pipeline owners and operators following the ransomware attack on the Colonial Pipeline that left thousands of people in the US scrambling for gas for about a week.
Colonial has faced backlash in recent weeks for how they responded to the attack and for admitting they paid the attackers almost $5 million for tools to restore their systems. The tools they got in return did not help, and the federal government had to step in to help the company get back online as gas prices on the East Coast spiked.
The new DHS directive, which was first reported by The Washington Post earlier this week, forces pipeline owners to report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency and requires all pipelines to have a Cybersecurity Coordinator who can be on call 24/7.
All pipeline operators will also have to send CISA and TSA a report in 30 days about "their current practices as well as to identify any gaps and related remediation measures." In addition to the new measures, TSA is considering other mandatory measures for pipelines and in a statement, DHS said the security directive would allow them to "better identify, protect against, and respond to threats" directed at the country's pipelines.
Secretary of Homeland Security Alejandro Mayorkas said the department had no choice but to adapt to the "new and emerging threats" that continue to evolve.
"The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security," Mayorkas said. "DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation's critical infrastructure."
The Washington Post noted that the attack on Colonial caused the pipeline to shut down for 11 days and left federal officials shellshocked, given the devastating effects the airline, transit and chemical industries would have suffered if the shutdown had gone on much longer.
The first set of cybersecurity guidelines for pipelines was issued in 2010 and updated in 2018 by TSA, but it has faced backlash for being voluntary and lackluster considering the evolution of cyberattack capabilities.
If any of the new regulations are violated, pipelines will face financial penalties, according to DHS officials who spoke to The Washington Post.
The US currently has more than 3,000 pipeline companies managing nearly three million miles of pipeline in the country. The government has faced criticism in Congress and from pipeline operators for having a TSA office staffed with just six people watching the cybersecurity of all oil and gas pipelines.
There has also been significant debate over which government agency would be better suited to protecting the cybersecurity of the country's pipelines, with some in the House Energy and Commerce Committee arguing that the Energy Department is more experienced in the field than TSA.
Cybersecurity experts had mixed responses to the new regulations. Some said they did not do enough to force pipeline operators to take cybersecurity seriously while others worried that the burden was being put on victims to protect themselves.
Jim Gogolinski, vice president at iboss, said the directive is likely being modeled after the existing NERC CIP standards that are designed to prevent and mitigate attacks against critical electrical infrastructure.
"Reporting is obviously a key part of that but so are security protocols, system management, and personnel training. The NERC CIP standards are followed closely because fines for not complying can reach as high as $1 million per day per violation," Gogolinski said. "If the new pipeline directive includes similar fines, we would expect to see swift efforts by the industry to come into compliance."
Nozomi Networks CEO Edgard Capdevielle said his company works with oil and gas enterprises around the world and noted that like most critical infrastructure sectors in the US, the oil and gas industry did not have mandatory cyber standards until now.
The mandatory breach reporting requirement would allow for more collaboration between pipeline operators, security vendors and the government, Capdevielle said, adding that an open approach to information sharing will play a big part in building a more mature cyber defense.
"The distributed nature of the oil and gas sector makes this extra challenging. It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote," Capdevielle said.
"No two operators are alike in terms of the exact processes and systems they're using, which makes it harder to establish one set of cybersecurity requirements that will work effectively for all. While there's a place for regulated security requirements, we need to be careful not to put all the burden on the victims. Tax incentives and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time."
Other experts, like Coalfire cyber executive Joseph Neumann, were far less excited about the new rules, telling ZDNet that regulations "have never helped a company improve its security posture."
The mandatory reporting requirement does not help the industry or anyone in any way, he said, explaining that mandatory external audits and security assessments would be better requirements to force companies to improve their overall security.
"The power generation sectors like this frequently lag behind in security posture with ageing infrastructure and legacy systems that have been in place for decades. These organizations over the years have slowly blended their corporate and Operational Technology networks together creating a nasty opportunity for bad things to occur as we have seen in the Colonial Pipeline incident," Neumann said.
"The Federal Government itself is struggling to keep its systems secure as seen from the recent SolarWinds breaches and rush mitigations pushed down by the Department of Homeland Security."
John Bambenek, the threat intelligence advisor at Netenrich, said that while the mandatory notification rule will get the most press, the protective regulations are far more important.
"The facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached," Bambenek said. "A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing future incidents."