The Colonial Pipeline ransomware incident prompted an executive order by the Biden administration aimed at shoring up the cybersecurity of the nation’s infrastructure, with a key component being a special directive from the Transportation Security Administration (TSA) requiring pipeline operators to change reporting and monitoring procedures. A second TSA security directive has now followed, this one adding more requirements for specific mitigation measures as well as establishing contingency and recovery plans.
Second TSA security directive adds more concrete defense & response elements
The first TSA security directive, handed down in May, was mostly about review and reporting. Pipeline operators were given 30 days to look over their cybersecurity posture for gaps and needed remediation measures, and to file a report on these with TSA and the Cybersecurity and Infrastructure Security Agency (CISA). Operators were also given new incident-reporting procedures (routed through CISA), required to appoint a Cybersecurity Coordinator available around the clock, and required to review their current related practices.
The new TSA security directive appears to be an outgrowth of the feedback received from the first. Both directives apply to pipeline operators that handle hazardous liquids and natural gas. The new requirements include “specific mitigation measures” developed by CISA that must be implemented, which appear to have a special focus on stopping ransomware attacks. Pipeline operators will also be required to develop and implement cybersecurity contingency and recovery plans, and to conduct a cybersecurity architecture design review.
Secretary of Homeland Security Alejandro N. Mayorkas issued a statement on the new security requirements: “The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats. Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”
Pipeline operators face new security challenges
The ransomware attack on Colonial Pipeline, which held up gas deliveries to states along the East Coast for nearly a week and caused some gas stations to temporarily run out of supply, was an obvious prompt for the new TSA security directive. But infrastructure has long been a concern, and has long been probed by foreign nations for vulnerabilities. The DHS and FBI recently revealed that Chinese state-backed threat groups targeted 23 U.S. natural gas pipeline operators from 2011 to 2013, conducting phishing campaigns that granted some level of access to 13 of them.
There has been some concern about attackers accessing industrial controls and using them for damaging sabotage that could potentially be dangerous to human life, but the Colonial Pipeline and JBS incidents demonstrated how much chaos can be caused by simply shutting down supply lines for an extended period. In addition to playing havoc with the lives of commuters and local businesses, the attack on pipeline operators also raised the prospect of flights being cancelled due to lack of fuel for planes.
We likely won’t know exactly how rigorous the new cybersecurity demands on pipeline operators will be, as the details are being kept from the public so as not to provide useful information to aspiring attackers. The administration is also withholding details on enforcement terms, so it is unknown what penalties (if any) pipeline operators will face for failing to implement whatever the TSA security directive prescribes. The only element that is known is that the new requirements will apply both to business IT systems and to industrial hardware that might interface with the outside world via the internet.
Prior to these recent TSA security directives, pipeline operators were subject to very little in the way of cybersecurity regulation. Some federal standards and guidance were available, but adoption was voluntary and the industry largely self-policed, with outside regulation focusing almost exclusively on physical infrastructure and elements. The industry appears comfortable with this state of affairs, and there has been pushback even in the wake of the Colonial Pipeline incident. The American Public Gas Association (APGA), a trade group that represents pipeline operators, has called the new rules too vague and asked for more time to implement them. The APGA also argues that some members need local government approval for the budget increases required to implement these changes. Another industry group, the American Petroleum Institute, has pushed back against the involvement of CISA in cybersecurity enforcement and called for the existing TSA oversight to be maintained, but with better funding for the agency.
The general public thus has good reason for not being particularly reassured by the new TSA security directives. Some reasonable guesses can be made as to what pipeline operators will now be required to do, such as implementing multi-factor authentication across networks to help curb phishing, but it is impossible for outside observers to measure how well the new mandates are keeping pace with the ever-changing cybersecurity landscape. It is likewise impossible to tell if enforcement is strict enough that it is actually prompting these companies to implement the required changes.
Roger Grimes, data-driven defense evangelist at KnowBe4, has a pessimistic view of how the TSA security directives will unfold: “Adding another requirement on top of all the other requirements and regulations overtop of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber attacks … A malicious hacker is more likely to be struck by lightning, twice, than to get arrested for hacking. We need to significantly secure the internet itself, to make it more secure by default. We will stop more bank robbers when we stop allowing so many banks to be robbed and for all the bank robbers to get away … it is not a technical problem. It is a sociological problem … it is a human problem. One day, some digital 9/11-type event will happen to the internet, and when it does, enough enemies and competitors will come together against a common foe that we actually get the support to push the new technology … One more regulation on an industry is not going to change the problem. How do I know? Because we have had three decades of increased regulation and the problem is only getting worse each year.”