DHS Issues Cyberattack Disclosure Policies for Pipeline Owners
The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has issued its first ever mandatory security directive aimed at shoring up the nation’s oil and gas pipelines to repel cyber attacks.
The order will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). There’s more:
- Owners and operators must designate a 24/7/365 cybersecurity coordinator.
- Critical pipeline owners and operators will be required to review their current practices and identify any gaps and related remediation measures to address cyber-related risks.
- Results must be reported to TSA and CISA within 30 days.
TSA, which like CISA operates as a unit of DHS, is also considering other mandatory measures that would further help the pipeline industry strengthen cybersecurity and deepen collaboration with the private sector, officials said. The agency is expected to roll out specific rules for how pipeline companies must protect their systems and conduct incident response. Previous TSA cybersecurity guidelines have been voluntary.
MSSPs and Mission Critical U.S. Infrastructure: Navigating the Regulations
The federal government’s heightened cyber activity comes on the heels of the Colonial Pipeline ransomware attack that forced the company to shutter operations for 11 days. Colonial’s chief executive recently confirmed the company paid hackers $4.4 million to recover from the attack.
While it is too soon to anticipate how the directive may affect the service provider community, it is fair to say that the regulations could require MSSPs to adjust their cybersecurity packaging, service level agreements and disclosure policies in the energy sector. IT service providers are clearly in the federal government's sights. President Biden's cybersecurity executive order, issued in early May 2021, referenced IT service providers more than a dozen times.
“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
Both TSA and CISA will have added responsibilities to secure the nation's critical infrastructure facilities. For the past 20 years, TSA has worked closely with pipeline owners and operators and its partners across the federal government to enhance the physical security preparedness of U.S. hazardous liquid and natural gas pipeline systems. CISA, the country's lead agency for safeguarding U.S. critical infrastructure from cyber threats, will support the effort with cybersecurity resources to mitigate potential risks, including a dedicated hub that disseminates information to organizations, communities, and individuals about how to better protect against ransomware attacks.
Cybersecurity and Critical U.S. Infrastructure: Where the CISA Fits In
Because TSA has not previously regulated cybersecurity for pipelines, it is likely to lean on CISA for cyber expertise and direction. Indeed, TSA may hit some staffing stumbling blocks in fulfilling its new regulatory role, according to the Washington Post, which first reported the impending DHS directive. As of two years ago, the agency's cybersecurity staff numbered only five people. Collaborating with CISA will help fill the gap, along with plans to hire 16 more people at TSA and 100 at CISA, the report said.
The new regulations drew a response from the regulatory community. While they are a good first step, they are not yet enough, said Robert Cattanach, a partner at the international law firm Dorsey & Whitney who specializes in regulatory litigation, including cybersecurity. "The next, and more meaningful, phase of cyber regulation anticipated within weeks will include escalating penalties for companies that fail to take corrective action, and more proscriptive regulatory requirements, resulting in significantly greater scrutiny of the pipeline industry by government regulators," he said in an email.
Earlier in May 2021, support for legislation that would set mandatory standards to secure pipelines picked up an important advocate in Energy Secretary Jennifer Granholm, who backed the idea in remarks before a House Committee on Energy and Commerce Subcommittee hearing.