By: Daniel Simonds – GTPF
Following the Colonial Pipeline ransomware attack, on May 27, 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) announced a Security Directive establishing cybersecurity requirements for critical pipeline owners and operators. The purpose of this directive is to “enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector.”
There are four major requirements listed in this directive. First, critical pipeline owners and operators must report all confirmed or potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Second, critical pipeline companies must designate a Cybersecurity Coordinator who is available 24 hours a day, seven days a week. Third, critical pipeline owners and operators must review their current practices. Fourth, critical pipeline owners must identify any gaps in their practices, the remediation methods that can be used to address those gaps, and potential cyber risks and threats, and then report the results to TSA and CISA within 30 days. This directive also mentioned that TSA was exploring a follow-up directive that would introduce mandatory measures to further enhance cybersecurity practices in the pipeline industry and strengthen the public-private partnership and coordination efforts regarding critical infrastructure cybersecurity.
On July 20, 2021, TSA announced a second Security Directive, building upon the May 27th directive, that requires owners and operators of “TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.” TSA worked directly with CISA to develop this second directive, and CISA advised TSA on specific cyber threats to critical infrastructure and countermeasures that can be taken to prevent or protect against them.
The requirements listed in this second Security Directive are that TSA-designated critical pipeline companies must “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.” Furthermore, when announcing this second directive, Secretary of Homeland Security Alejandro N. Mayorkas reiterated the importance of the public-private cybersecurity partnership in protecting our critical infrastructure systems, stating this partnership is “critical to the security of every community across our country.”
Historically, the cybersecurity relationship between private industry and the government has been one of advisement, so what is important about these two directives is that they demonstrate the government will put forth regulations on the private sector. These directives are a step towards protecting our nation’s critical infrastructure from cyber threats; however, more can be done. The first directive will enhance private-public cooperation by requiring the reporting of incidents and establishing a cybersecurity coordinator. Reviewing practices, identifying gaps, and reporting them will help raise awareness of weaknesses and ways to fix them, but there is no mention of DHS requiring that companies take action to fix the weaknesses. The second directive is also focused on “mitigation” and “recovery” efforts. This will help pipeline companies return to operational status more quickly, but these directives do not mention any enforced practices and procedures that critical pipeline companies must follow to protect their systems. Going forward, it would benefit the overall security of critical pipeline companies if government regulations requiring these companies to take measures to better protect their systems were enforced.
Citations:
“DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators.” Department of Homeland Security, 20 July 2021, www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.
“DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators.” Department of Homeland Security, 27 May 2021, www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.