The Department of Homeland Security will order Thursday that critical pipeline operators comply with various cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours, according to DHS officials.
Following the debilitating ransomware attack earlier this month against Colonial Pipeline, which operates a major pipeline, department officials rushed to take measures they believe will better secure the industry at large and help identify and prevent cyberattacks.
Under the forthcoming Transportation Security Administration safety directive, these pipeline companies will be required to report both confirmed and possible incidents to DHS’s cybersecurity branch.
Pipeline owners and operators will also need to designate a “24/7, always available” cybersecurity coordinator who can respond to incidents and coordinate with TSA and the department’s Cybersecurity and Infrastructure Security Agency, a DHS official said during a briefing.
Within 30 days, these companies will also need to complete an evaluation of how their practices fit in with TSA’s long-term pipeline guide, identify gaps, and propose plans to address them.
On Tuesday, CNN reported on the department’s plans to require pipeline companies to report cyberattacks to the federal government, a change from the current voluntary reporting system, according to a source familiar with the plans.
TSA is responsible for transportation safety, including hazardous materials and pipeline safety, and has guidelines for industry. However, this will be the first time that the critical pipeline sector has a mandate to report cybersecurity incidents.
The directive will apply to about 100 companies considered to have the most critical pipelines in the United States, a DHS official said. Companies are aware of their critical status and are familiar with existing safety guidelines, according to the official.
In response to the cyberattack, Colonial Pipeline halted operations, prompting panic buying of gasoline. Following the incident, Biden administration officials privately expressed frustration at what they saw as Colonial Pipeline’s weak security protocols and lack of preparedness, CNN previously reported.
The incident highlighted that ransomware, which is primarily a profit-based criminal enterprise, “can reach the level of posing a national security risk and disrupting critical national functions,” a DHS official said.
The total paid by ransomware victims increased by more than 300% in 2020, reaching nearly $350 million, according to a report by the Ransomware Task Force, made up of industry experts, government agencies and academic institutions.
There are financial sanctions associated with non-compliance with safety directives, a DHS official said, which can be imposed on a daily basis, so that “they can increase quite significantly over time.”
The fine range starts around $7,000 and depends on the specific offense, the official added.
In response to the ransomware attack, a Colonial spokesman said earlier that the company was “proactively taking certain systems offline to contain the threat,” which temporarily halted all pipeline operations and affected some of the IT systems.
According to a DHS official, the Colonial incident showed that even when only the IT system is affected and not the operational technology systems, it can “cause major disruptions.”
Last week, Colonial Pipeline CEO Joseph Blount admitted he had authorized a $4.4 million ransom payment in response to the cyberattack on the company’s network, calling it a “highly controversial decision” in an interview with the Wall Street Journal.
While acknowledging the “difficult choice” for businesses, the U.S. government strongly advises against paying the ransom, as there is no guarantee of recovering your decrypted data and paying ransom further fuels the epidemic of “criminal activity,” a DHS official said about ransomware attacks in general during news reporting.
The industry “was preparing a heavier set of cyber standards,” former DHS Deputy Secretary for Infrastructure Protection Brian Harrell told CNN.
“I applaud TSA for seeking experience in cybernetics at CISA. This, combined with knowledge of TSA’s surface infrastructure, could lead to a satisfactory compliance regime. I think everyone is still interested in understanding which pipelines have the scope and whether TSA has the appropriate risk analysis. Independently, Congress should fund that effort and TSA should hire additional staff, like yesterday,” he said.
The Cybersecurity and Infrastructure Security Agency does not plan to release compliance information on specific pipelines, due to possible security risks, but the new requirements will allow the agency to produce a better aggregate analysis of vulnerability and risk in the pipeline sector, according to DHS officials.
An official stressed that the safety directive is the first step, which should be “followed further”, but did not provide specific details on future plans. Another official said the department is thinking about how this safety directive can serve as a model for the agencies involved and a potential future regulatory approach, adding that they want to avoid a “box-type compliance regime”.
TSA currently has a level of staffing in its pipeline safety sections to be able to respond to the issues that this safety directive will cover and the future actions that TSA will take, another DHS official said.
But the official said the agency continues to expand its cybersecurity group within the pipeline team to be able to conduct additional cybersecurity assessments at pipeline facilities.
TSA has pledged to conduct 52 cybersecurity assessments, called “validated architectural design review,” in collaboration with the Cybersecurity and Infrastructure Security Agency this fiscal year.