Hot on the heels of an executive order aimed at standardizing federal response to cyber attacks and creating new reporting requirements for government vendors, the Department of Homeland Security (DHS) is establishing its own requirements specifically for companies in the oil pipeline industry. Some of these new cybersecurity regulations have been in the works for some time, but the rapid rollout of changes comes in response to the Colonial Pipeline ransomware attack that created temporary gas shortages in states along the eastern and southern coasts of the country.
DHS sets new cybersecurity regulations for pipeline industry
The new requirements are the first cybersecurity regulations specific to the pipeline industry. DHS will roll the new regulations out gradually over the coming weeks, but one directive took effect immediately: pipeline companies must now report cybersecurity incidents to federal authorities as soon as they are detected.
The new cybersecurity regulations appear to be the purview of the Transportation Security Administration (TSA), which works as a division of DHS. Senior DHS officials have said that the ongoing cybersecurity regulations, expected to roll out over the summer, will include new security requirements for the IT systems of pipeline companies and a mandatory action plan that must be followed in the wake of a cyber attack.
DHS previously had only voluntary guidelines in place for the industry of some 3,000 companies, first issued in 2010. The situation changed quickly with the Colonial Pipeline ransomware attack, which caused gas deliveries to retail outlets and airports to cease for over a week as the company attempted to get billing and tracking systems back online. The company, which is the central source of gasoline for most of the states on the eastern and southeastern coast, ended up paying the hackers a $4.4 million ransom in a bid to end the attack.
The first of the new cybersecurity regulations for the industry requires pipeline companies to appoint a cyber official who is given access to a 24/7 direct line to the TSA and the Cybersecurity and Infrastructure Security Agency (CISA) to report cybersecurity incidents as they are detected. The new regulation also tasks these officials with reviewing the security posture of their systems, though for now they are only asked to measure it against the existing voluntary guidelines, with the results informing potential additions and updates. The new mandatory security requirements have yet to be determined, but DHS senior officials have said that there will be “financial penalties” for non-compliance.
The executive order issued by the Biden administration earlier in the month is likely to become relevant to this situation very quickly, as certain utility providers will now find themselves regulated by two (or more) agencies that may have different cybersecurity regulations. One of the central items addressed by the executive order is a plan to standardize information sharing, defense measures and reporting protocols across all federal agencies. Marty Edwards, VP of OT Security at Tenable and longest-serving director of ICS-CERT, thinks that it will take voluntary industry measures in addition to the mandates of the executive order: “The recently announced Executive Order on cybersecurity calls on federal agencies to adopt zero trust architectures. We see this as a good model in general and are encouraged by the government’s efforts to protect the operational technology and control systems that deliver our vital services. But we should not over-rotate and rely entirely on the government. Ultimately, critical infrastructure providers will need to exercise a standard of care to safeguard their systems and the people who rely on them.”
Cybersecurity regulations face complications
The industry is worried not just about burdensome and conflicting cybersecurity regulations coming from multiple agencies, but also the TSA’s competence to operate in this area. The TSA is presently tasked with overseeing both the physical and cyber security of the nation’s pipelines, yet as of 2019 reported having only five staffers in its pipeline security division. At times over the years there has only been one employee in the division. DHS is attempting to assuage these concerns by having CISA take on a share of this responsibility, as well as assisting in onboarding and training 16 new TSA staffers assigned permanently to the department. CISA itself will be beefed up with 100 new staff members assigned to support TSA’s pipeline security division.
The process may also be complicated by the fact that the oil and gas industry does not have any sort of internal standard for its IT processes, and all of these thousands of companies require many workers to have remote access. After a spate of attempts on oil infrastructure, some prominent forces in the industry (most notably the American Gas Association and American Petroleum Institute) have indicated support for a voluntary cybersecurity standard. However, even in the wake of the Colonial Pipeline incident many in the industry still fiercely resist any sort of government cybersecurity regulations. Edgard Capdevielle, CEO of Nozomi Networks, observes that the pipeline industry faces unique challenges in this area: “The distributed nature of the oil and gas sector makes this extra challenging. It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote. No two operators are alike in terms of the exact processes and systems they’re using, which makes it harder to establish one set of cybersecurity requirements that will work effectively for all. There will need to be some flexibility and collaboration to make it work. While there’s a place for regulated security requirements, we need to be careful not to put all the burden on the victim(s). Tax incentives, and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time. And it’s time to take aggressive steps to hold sophisticated criminal rings and threat actors accountable for their crimes.”
Joseph Neumann, Cyber Executive Advisor at Coalfire, agrees with the prevalent anti-regulation view in the industry but comes at it from a different angle: “Regulations have never helped a company improve its security posture. Additionally, requirements that only require reporting of incidents do not help the industry or anyone in any way. If any regulations were to be passed down, mandatory external audits and security assessments are really the only way to get these companies to improve their overall security. The power generation sectors like this frequently lag behind in security posture with aging infrastructure and legacy systems that have been in place for decades. These organizations over the years have slowly blended their corporate and Operational Technology networks together, creating a nasty opportunity for bad things to occur, as we have seen in the Colonial Pipeline incident … The Executive Order has no real requirements or changes that will be preventative in nature and are only really reactionary changes. The administration needs to work with Congress to develop and work towards a comprehensive long-term plan that involves partnerships. The Federal Government itself is struggling to keep its systems secure, as seen from the recent SolarWinds breaches and rushed mitigations pushed down by the Department of Homeland Security. Everyone needs to be rowing the boat in the same direction to tackle this global problem of ransomware and cybercriminals.”
Given the industry's dispersed nature and the fact that it has operated on barely-enforced voluntary standards for so long, pipeline companies will also likely need a substantial amount of time to spin up even after mandatory security standards are established. Mark Logan, CEO of LogRhythm, sees this process unfolding slowly over the rest of the year (or more): “Since most of these companies are starting at a low baseline for security (or even from scratch in some cases), the government will provide some leniency and time for these companies to reach an appropriate level of protection. They may even start with very simple things like establishing accountability for security, having an incident response plan, conducting third-party assessments to determine level of exposure and risk, deploying basic controls and safeguards like endpoint and network protections, detection and response technologies, and enforcing limited privileged access and multifactor authentication. The government will likely mandate security processes, procedures and testing as well. We’ll ultimately see a lot of NIST-based controls being required since that is the basis for much of the government and regulated industries.”