DHS Preparing More Cybersecurity Requirements for Pipelines
New Rules Come as Colonial Pipeline Ransomware Attack Investigations Continue
The Department of Homeland Security unit that's responsible for the safety of the nation's interstate pipelines is preparing additional cybersecurity requirements for oil and gas companies in the wake of the Colonial Pipeline Co. ransomware attack, a DHS official told congressional lawmakers at a House hearing Tuesday.
Sonya Proctor, the assistant administrator for surface operations at the Transportation Security Administration, testified that a new directive would require oil and gas firms to install additional risk mitigation measures and would demand specific security assessments.
TSA is responsible for the physical security as well as the cybersecurity of the nation's interstate gas and oil pipeline system.
"A second security directive, which would have the force of a regulation, will require more mitigation, which includes more specific requirements with regard to assessments," Proctor said while testifying before a joint hearing of the House Transportation and Maritime Security Subcommittee and the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee. "The second security directive is going to be more of a [sensitive security information] assessment because of the nature of the mitigation measures that are going to be required … and subject to inspection by [TSA] inspectors."
Proctor did not give a time frame for when the second round of requirements would go into effect. Last month, TSA and DHS issued a new cybersecurity directive that requires the operators of oil and gas pipelines to report ransomware attacks and other security incidents to the government (see: DHS Unveils New Cybersecurity Requirements for Pipelines).
While the new reporting and mitigation requirements should help improve cybersecurity reporting for the oil and gas industry, Rep. Yvette Clarke, D-N.Y., the chairwoman of the cybersecurity subcommittee, said that additional legislation is needed. For example, companies that oversee the nation's critical infrastructure must be required to work more closely with DHS and its Cybersecurity and Infrastructure Security Agency, Clarke said.
"I'm working on legislation that will require critical infrastructure to report certain cybersecurity incidents to CISA so that we're developing the muscle memory and the institutional knowledge to improve our cyber defenses over time," Clarke noted in her opening statement. "But this is only half the battle. CISA also needs real-time visibility into threats on private sector networks, so they’re empowered to collaborate with owners and operators before, during and after an attack - or prevent the attack from happening in the first place."
Colonial Pipeline Investigation Continues
Congress continues to investigate the May 7 ransomware attack that led Colonial Pipeline to shut down much of its operations for nearly a week, causing gas prices to spike and bringing additional attention to the nation's critical infrastructure (see: Will Ransomware Attacks Push Congress to Enact Regs?).
Colonial Pipeline CEO Joseph Blount later admitted that his company had paid a ransomware gang known as DarkSide a $4.4 million ransom to obtain a decryptor key, which proved to work and was checked by outside cybersecurity experts. The FBI later recovered about $2.3 million of the ransom payment.
During the Tuesday hearing, lawmakers continued to criticize Colonial Pipeline for not working more with CISA to conduct a security assessment and for its delay in working with TSA to conduct a cybersecurity review.
"Colonial still has not agreed to participate in the physical assessment, and only agreed to cooperate with TSA’s cybersecurity assessment three weeks after the ransomware attack occurred," said Rep. Bonnie Watson Coleman, D-N.J.
When he testified before Congress last week, Blount said the company has a long-standing relationship with TSA and declined help from CISA because the company had already hired outside security experts.
Lawmakers in the Senate and House are also weighing whether to draft legislation that would give DHS or CISA additional oversight of cybersecurity in critical infrastructure sectors such as oil and gas. Meanwhile, the Senate is expected to release a draft of a proposed federal breach notification law in the coming weeks (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).
Eric Goldstein, the executive director for cybersecurity at CISA, testified Tuesday that the ransomware attack against Colonial Pipeline and other recent cybersecurity incidents point to the need for new rules and regulations to protect the nation's critical infrastructure.
"It's very clear that as a nation, we must do more to address the risks of ransomware and other cyber intrusions affecting our nation's critical infrastructure," he testified. "We must gain increased visibility to cybersecurity risks and use this visibility to produce targeted guidance, to share actionable information and prioritize incidents when they do occur. TSA's recent security directive that requires reporting of cybersecurity incidents to CISA is one key step."
Proctor noted that TSA is willing to use its regulatory authority to require oil and gas companies to adhere to new physical security and cybersecurity rules.
In 2018, the Government Accountability Office released a report that criticized the TSA's pipeline security oversight and noted that an attack on a pipeline can have far-reaching consequences.
Andrew Barratt, managing principal for solutions and investigations at security consulting firm Coalfire, notes that the new requirements that TSA is proposing lack specifics and that the agency should rely more on guidance provided by agencies such as the National Institute of Standards and Technology to address some of the cyber shortfalls in the oil and gas industry.
"Where it falls down is a real lack of specificity as to what is expected to be done, no direct control framework or audit expectations to ensure a degree of enforcement," Barratt says. "As such, it seems that the TSA would be better off getting out of the standards creation process and leveraging NIST for that - and setting more clear objectives and audit and enforcement policies."