On July 20, 2021, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new requirements for U.S. pipeline operators to bolster cybersecurity following the May ransomware attack against Colonial Pipeline that disrupted gas delivery across the East Coast. If you’re keeping count, this is the second directive that the TSA has issued to the pipeline sector in 2021. According to Alejandro N. Mayorkas, Secretary of Homeland Security, this directive allows the DHS to ensure the pipeline sector takes the proper steps to protect its operations against cyber threats.
Before we get ahead of ourselves, let’s backtrack for a second. Back in May, the first directive required all critical pipeline owners and operators to report confirmed and potential incidents, designate a 24/7 cybersecurity coordinator and reassess current practices to ensure all risks are addressed. If you recall part 1 of our Colonial Pipeline blog series, we provided a few tips for companies to strengthen their cyber defenses, calling attention to the importance of having visibility into your organization’s network environment and prioritizing basic security hygiene. This still rings true with the second directive. Preparation, planning and continuous maintenance are key to pipeline operators’ success during these challenging times.
Now back to the second directive. Another continuing theme here is the push for improved private sector cybersecurity oversight. Mayorkas stated that public-private partnerships are crucial to security and noted that the DHS plans to continue to work closely with and support private sector partners. This will be important moving forward as we look to increase cyber resiliency and better secure our nation’s critical infrastructure.
As the fight to safeguard against ransomware continues, the second directive requires TSA-designated critical pipelines to adhere to the following requirements: implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems; develop and implement a cybersecurity contingency and recovery plan; and conduct a cybersecurity architecture design review.
There’s no doubt that the stakes are high. In fact, on the same day the second directive was announced, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released details of a spear-phishing campaign dating back to 2011 and 2013 that targeted oil and natural gas pipeline companies. This goes to show the depth, breadth and longevity of these attacks, and they’re only getting more complex. As such, stakeholders must assess current organizational conditions, identify gaps and how to fill them, and set goals or plans to keep network security on par with requirements and standards. By adhering to and properly implementing the new requirements, pipeline operators will see improved ROI and organizational performance and, most importantly, better protect our nation’s citizens, infrastructure and data.
Accountability is a valuable lesson for companies across all industries, especially when it comes to cybersecurity. Looking forward, we can expect security requirements for other critical infrastructure to undergo a series of changes, whether under the Biden Administration’s National Security Memorandum or other government-run initiatives.