The Department of Homeland Security plans to issue a “security directive” in the coming days that would require pipeline companies to report cyberattacks to the federal government, a shift from the current system of voluntary reporting, according to a source familiar with the plans.
The plan to further regulate the pipeline industry comes about two weeks after Colonial Pipeline was hit with a paralyzing ransomware attack that led the company to halt operations at one of America’s most important pipelines, causing gas shortages in the Southeast.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with (Cybersecurity and Infrastructure Security Agency), is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead,” DHS spokeswoman Sarah Peck said.
The directive will be issued by the Transportation Security Administration, which is the lead federal agency for transportation security, including hazardous material and pipeline security.
It is still in the works and not finalized, the source said, adding that this would be the first step as the department continues to work on a more muscular proposal to enhance pipeline security.
The proposal was first reported by The Washington Post.
Currently, pipeline operators adhere to TSA security guidelines and report cybersecurity incidents on a voluntary basis.
Earlier Tuesday, Homeland Security Secretary Alejandro Mayorkas told reporters that “ransomware is one of the greatest cybersecurity threats that we face in the United States,” speaking at a TSA event about summer travel.
The department is “working very closely in a public-private partnership” to inform the business and cybersecurity community about how to prevent and respond to these attacks, he said.
The draft directive will require companies to report cyber incidents to the Cybersecurity and Infrastructure Security Agency, a division of DHS, another source familiar told CNN.
This is the first time TSA has required that these companies report cyber incidents, the source said, which the Biden administration considers a “first step” that can be taken quickly with various other robust requirements and ideas still in discussion.
Security directives are issued when there are pressing circumstances, as was done in the case of face masks, a DHS official said.
The use of a directive would allow the department to take these steps temporarily without needing new federal regulation or legislation. But those steps could be taken at a later date.
Meanwhile, Colonial Pipeline is still trying to narrow in on how its network was breached following the ransomware attack that resulted in closing down the critical pipeline, CNN previously reported.
The incident prompted a massive federal response to chase the perpetrators and prevent more breaches. In the wake of the attack, critical infrastructure companies have flocked to the Cybersecurity and Infrastructure Security Agency for information, spiking webpage hits for the agency’s ransomware resources.
Last week, the agency publicly released a set of technical data from the Colonial incident to help other companies and critical infrastructure utilities defend themselves against similar attacks.
There has been some frustration from within the Cybersecurity and Infrastructure Security Agency that some private-sector companies in critical infrastructure sectors still don’t view the agency as the first call to make in these kinds of incidents, a former DHS official told CNN.
Colonial Pipeline notified the FBI of the attack on the morning of May 7 and has continued to work with the FBI regularly, a spokesperson for the company previously said.
“They did not contact CISA directly,” Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, told lawmakers during a hearing Tuesday on Capitol Hill earlier this month. “We were brought in by the FBI after they were notified about the incident.”
When pressed on whether it was a “problem” that the cybersecurity agency was not directly notified, Wales said: “I think that there’s a benefit when CISA is brought in quickly because the information that we glean, we work to share it in a broader fashion to protect other critical infrastructure.”
The agency received information from Colonial Pipeline shortly after the incident occurred and subsequent updates were provided principally through the Department of Energy, a cybersecurity agency spokesperson previously told CNN.
US officials and cybersecurity experts have told CNN that the Colonial incident only reinforces the belief that private companies must do more to protect themselves from being targeted by ransomware attackers but that whether those standards should be regulated by the federal government remains a topic of debate.
“Companies need to do a better job securing their enterprises,” Adam Meyers, senior vice president of intelligence for the cybersecurity company Crowdstrike, told CNN, adding that “there’s some basic things that companies can do to make themselves a harder target.”
Criminal actors are going to “take the path of least resistance,” he said.
“We’re talking about building a slightly more secure enterprise, making sure that you have the latest technology. Organizations are really just not fighting hard enough to protect themselves,” Meyers said.
CNN previously reported that Biden administration officials had privately voiced frustration with what they saw as Colonial Pipeline’s weak security protocols and a lack of preparation that could have allowed hackers to pull off a crippling ransomware attack, according to officials familiar with the government’s initial investigation into the incident.
Last week, Colonial Pipeline CEO Joseph Blount told the Wall Street Journal that he had authorized a ransom payment of $4.4 million in response to the cyberattack on the company’s network, in the first public announcement about the payment.
The Cybersecurity and Infrastructure Security Agency and the FBI do not encourage paying a ransom to criminal actors because it may embolden adversaries to target additional organizations and does not guarantee that a victim’s files will be recovered.
“It was the right thing to do for the country,” Blount said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
Colonial’s pipeline system returned to normal operations on May 15, the company said, around a week after the ransomware attack was first discovered — helping to ease the gasoline shortages that plagued consumers on the East Coast.
House Homeland Security Chairman Bennie Thompson, a Mississippi Democrat, called the move to implement a security directive a “major step in the right direction.”
“While the Colonial Pipeline attack shows there is much more work to be done to protect the nation’s pipelines and other critical infrastructure from cyber attacks, this TSA security directive is a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately,” he said in a statement.
TSA will remain the “federal entity responsible for pipeline security with the authorities to mandate security requirements,” Thompson said.
This story has been updated with additional information.