The U.S. Department of Homeland Security posted a directive Thursday outlining stricter security requirements for oil and gas pipeline operators.
The DHS directive includes mandates that all companies retain at least one security expert to liaise with the government and report any possible network security breaches. In the directive, issued through the Transportation Security Administration (TSA), the department told pipeline owners they will now be required to report any possible cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA).
Among the incidents that will now need to be disclosed are denial-of-service attacks, unauthorized system or network access, the discovery of malware on company machines, and instances of physical sabotage, such as damaged cables or controllers.
"Owner/Operators must report the information required by [the directive] as soon as practicable, but no later than 12 hours after a cybersecurity incident is identified," the mandate said.
In order to speed up the reporting process, companies will now have to designate a security professional to serve as a round-the-clock go-between linking the pipeline operators with CISA and the DHS.
The person, as described by the directive, will "coordinate cyber and related security practices and procedures internally and work with appropriate law enforcement and emergency response agencies" in a role that, the DHS stressed, will have to be on call 24 hours a day, seven days a week. Pipeline operators have just seven days from the release of the directive to designate a coordinator.
In addition to hiring a cybersecurity coordinator and reporting any and all possible network breaches and cyberattacks, pipeline companies are being told to undergo a vulnerability assessment based on the 2018 TSA Pipeline Security Guidelines.
The aim of this requirement is to "assess whether current practices and activities to address cyber risks to owner/operators Information and Operational Technology systems align with the guidelines; identify any gaps; and identify remediation measures that will be taken to fill those gaps and a timeline for implementing these remediation measures."
The directive comes in direct response to this month's catastrophic network breach and subsequent ransomware infection that forced Colonial Pipeline to shut down its fuel delivery systems. Hackers operating under the ransomware group DarkSide were able to break into Colonial's corporate IT network and infect enough systems to trigger a precautionary shutdown of the entire Colonial oil and gas pipeline.
The resulting fuel outage triggered panic along much of the U.S. Southern and Eastern Seaboard, as people flocked to gas stations, while Colonial scrambled to clean up the malware and restore its IT systems. It was later revealed that Colonial had paid a ransom of approximately $5 million in cryptocurrency in order to recover and prevent the release of the stolen data.
The incident brought renewed attention to the security of U.S. infrastructure and stoked fears that cybercriminal groups, in addition to sophisticated state-sponsored attackers, could pull off network attacks capable of inflicting serious damage on the U.S. economy.
"Financially motivated threat actors conducting ransomware operations pose a clear threat to this sector, but it is also a risk from destructive and disruptive attacks conducted by state actors, who have repeatedly conducted reconnaissance of these systems," said Stacy O'Mara, government affairs director at FireEye. "Given the industry's critical nature, and the potentially catastrophic fallout from disruption, it is an enticing target."
While Colonial was not mentioned by name in the directive, DHS did make a point of referencing the attack in its announcement.
"The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security," said Homeland Security Secretary Alejandro Mayorkas in a statement. "DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation's critical infrastructure."
In the meantime, pipeline operators will have to spend the next week getting all of their required appointments, procedures and security assessments in place and on file for the TSA.