The Department of Homeland Security on Thursday will mandate that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours, according to DHS officials.
In the wake of the debilitating ransomware attack earlier this month on Colonial Pipeline, which operates a major fuel pipeline, department officials rushed to enact measures that they believe will better secure the industry as a whole and help identify and prevent cyberattacks.
Under a forthcoming Transportation Security Administration security directive, these pipeline companies will be required to report both confirmed and potential incidents to DHS’ cybersecurity branch.
Pipeline owners and operators will also be required to designate a “24/7, always available” cybersecurity coordinator who can respond to incidents and coordinate with TSA and the department’s Cybersecurity and Infrastructure Security Agency, a DHS official said during a news briefing.
Within 30 days, these companies must also complete an assessment of how their practices line up with TSA’s long-standing pipeline guidance, identify any gaps and propose plans to remedy those gaps.
On Tuesday, CNN reported plans to require pipeline companies to report cyberattacks to the federal government, a shift from the current system of voluntary reporting, according to a source familiar with the plans.
TSA is responsible for transportation security, including hazardous material and pipeline security, and has guidelines in place for the industry. However, this will be the first time that the critical pipeline sector has been mandated to report cybersecurity incidents.
The directive will apply to around 100 companies considered to have the most critical pipelines in the United States, a DHS official said. The companies are aware of their critical status and are familiar with the existing pipeline security guidelines, according to the official.
In response to the cyberattack, Colonial Pipeline halted operations, leading to a run on gasoline and panic buying. After the incident, Biden administration officials privately voiced frustration with what they saw as Colonial Pipeline’s weak security protocols and a lack of preparation, CNN previously reported.
The incident highlighted that ransomware, which is primarily a criminal, profit-driven enterprise, “can rise to the level of posing a national security risk and disrupt national critical functions,” a DHS official said.
The total paid by ransomware victims increased by more than 300% in 2020, reaching nearly $350 million, according to a report from the Ransomware Task Force, which is made up of experts from the industry, government agencies and academic institutions.
There are financial penalties associated with failure to comply with security directives, a DHS official said, which can be imposed on a daily basis, so “they can ramp up pretty significantly over time.”
The fine range starts around $7,000 and depends on the specific violation, the official added.
In response to the ransomware attack, a Colonial spokesperson previously said the company “proactively took certain systems offline to contain the threat,” which temporarily halted all pipeline operations and affected some of the IT systems.
According to a DHS official, the Colonial incident showed that even when only the IT system is impacted, and not the operational technology systems, it can “lead to significant disruption.”
Last week, Colonial Pipeline CEO Joseph Blount admitted he had authorized a ransom payment of $4.4 million in response to the cyberattack on the company’s network, calling it “a highly controversial decision” in an interview with the Wall Street Journal.
While recognizing the “difficult choice” for companies, the US government strongly discourages paying ransom, because there is no assurance of getting your decrypted data back and paying ransom further fuels the epidemic of criminal activity, a DHS official said about ransomware attacks in general during the news briefing.
The industry “was bracing for a more burdensome set of cyber standards,” former DHS Assistant Secretary for Infrastructure Protection Brian Harrell told CNN.
“I applaud TSA for seeking the cyber subject matter expertise at CISA. This, combined with the surface infrastructure knowledge of TSA, could lead to a successful compliance regime. I believe everyone is still interested in understanding what pipelines are in scope, and if TSA has the proper risk analysis in place. Regardless, Congress needs to fund this effort and TSA needs to hire additional staff — like yesterday,” he said.
The Cybersecurity and Infrastructure Security Agency doesn’t plan to release compliance information on specific pipelines, because of potential security risks, but the new requirements will allow the agency to produce better aggregate analysis of vulnerability and risk in the pipeline sector, according to DHS officials.
One official emphasized that the security directive is the first step, to be “followed by more,” but did not provide specific details about future plans. Another official said the department is thinking through how this security directive might serve as a model for the agencies involved and a potential future regulatory approach, adding that they want to avoid a “check-the-box kind of compliance regime.”
TSA’s pipeline security sections are currently staffed at a level that allows them to respond to the issues covered by this security directive and to the future actions TSA will be taking, another DHS official said.
But the official said the agency is continuing to expand its cybersecurity group within the pipeline team, to be able to carry out additional cybersecurity assessments on pipeline facilities.
TSA has committed to conducting 52 cybersecurity assessments, called a “validated architecture design review,” in partnership with the Cybersecurity and Infrastructure Security Agency, this fiscal year.