Can critical infrastructure pipeline owners and operators flat out prevent another ransomware attack similar to the one that knocked Colonial Pipeline on its back for five days?
The answer: No. But the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) is getting there, issuing a security directive that requires owners and operators of critical infrastructure pipelines to implement specific mitigations to protect against ransomware attacks. The agency has also ordered critical pipeline owners and operators to:
- Develop and implement a cybersecurity contingency and recovery plan.
- Conduct a cybersecurity architecture design review.
The order is particularly important to managed security service providers (MSSPs) engaging customers in the energy sector and other critical infrastructure segments.
“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” said DHS secretary Alejandro Mayorkas of the new TSA directive. “Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security," he said.
TSA Doubles Down On U.S. Pipeline Infrastructure Security
It’s the second security-related command that TSA has directed at the pipeline sector in the past two months. Last May, in the immediate wake of the Colonial Pipeline ransomware attack, TSA issued its first ever mandatory security order aimed at shoring up the nation’s oil and gas pipelines to repel cyber offensives. The instruction requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to DHS' Cybersecurity and Infrastructure Agency (CISA). In addition:
- Owners and operators must designate a 24/7/365 cybersecurity coordinator.
- Critical pipeline owners and operators will be required to review their current practices and identify any gaps and related remediation measures to address cyber-related risks.
- Results must be reported to TSA and CISA within 30 days.
In developing the pipeline industry security requirements, TSA said it was advised by CISA on cybersecurity threats to the sector as well as technical countermeasures. Taken together, the two directives mark TSA's intention to not just help but insist that pipeline owners and operators shore up their operations against hackers.
Pending Legislation: Cyberattack Disclosure Requirements
Meanwhile, Virginia Senator Mark Warner (D) is advocating for new legislation that would require private companies — including MSSPs and their customers — to report cyber attacks to the federal government. It would affect the critical infrastructure pipeline industry.
Warner, who chairs the Senate Intelligence Committee and serves as vice chair of the Senate Democratic Caucus, said that the nation has regarded cybersecurity as an “after thought” for too long. “We have no actual system in place to make, whether it’s Colonial Pipeline or SolarWinds, or any other company, actually mandatorily report that information to the government in real time so that we can have a full-fledged response,” the former Virginia governor said. Warner adds another powerful voice to U.S Intelligence leaders who last month pressed Congressional lawmakers to require private industry to report security breaches and other threat information to the federal government.
Legislators pushing for such laws have received a boost from newly installed CISA Director Jen Easterly and Chris Inglis, the inaugural White House national cyber director.
At her recent nomination hearing, Easterly said that “voluntary standards are not getting the job done and there probably is some sort of role for making some of these standards mandatory to include notification." The new CISA director said it's "important that when there’s a significant cyber incident that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims,” she said.
At the same forum, Inglis said that the nation must have confidence that “our critical services, our critical functions…will be delivered.” Considering that voluntary reporting and market forces are not propelling companies to report cyber incidents, “some imposition of standards or regulation on top of that, we begin to take steps in that direction,” he said.
MSSP Contracts and Cyber Incident Disclosures
Any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.