On May 27, 2021, DHS issued new cybersecurity requirements for critical pipeline owners and operators. According to DHS, this Security Directive will “require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.” DHS has stated that it is considering additional mandatory cybersecurity measures for the pipeline industry to enhance its cybersecurity. The Directive also requires pipeline companies to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator who must be available 24/7.
DHS is acting as a result of the recent Colonial Pipeline incident, which resulted in gas shortages across the southeastern United States and rising gas prices nationally. This is the first time that DHS has issued a mandatory security directive for the pipeline industry, although voluntary guidelines based on the NIST Cybersecurity Framework have been in place for some time. Apparently, simply recommending cybersecurity best practices has not been enough to motivate pipeline companies to take cybersecurity seriously.
This announcement comes on the heels of the Biden Administration’s recent EO on Improving the Nation’s Cybersecurity and echoes its sentiments on information sharing between the public and private sector. Initially, companies will have to report cyber incidents to the federal government, but DHS is set to “follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked.”
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”
As this month’s cyberattack on Colonial Pipeline and the February attack on a Tampa, Florida water treatment facility show, not being a major player in the electric utility industry does not mean you won’t be targeted by hackers.
“If you think you are too small or too obscure to be vulnerable, you are mistaken. If someone is going to rob a bank, they’re going to choose the bank with no security guards. Much of a company’s staffing information is now in the public domain because of the big data industry that has emerged over the past decade, so for hackers, identifying small to mid-size critical infrastructure companies with limited security staff is very easy,” said Jim Crowley, CEO of Industrial Defender.
The cybersecurity posture of private sector companies is quickly becoming a national security issue. If critical infrastructure companies want to avoid a heavy-handed government response to cybersecurity threats, they will have to do a much better job of proactively protecting themselves. Mid-size pipeline companies, and midstream companies in general, are unfortunately behind in cybersecurity maturity compared with their peers in the energy industry. These new mandatory regulations from DHS should encourage the layering of cybersecurity controls, also referred to as a “defense in depth” approach. The NIST CSF is a good example of this, with its Identify, Protect, Detect, Respond and Recover functions. It has been the recommended framework for the oil & gas industry for years now, so it’s time for the industry to start applying it.
Since most industries probably prefer no cybersecurity regulations, they will need to figure out how to self-regulate to avoid making headlines in the future. With this forthcoming DHS legislation, the government is sending a clear message that any future failures by industry will result in mandatory regulation.
The federal government should also consider funding mechanisms to assist critical infrastructure companies that implement and maintain cyber programs. In the past, the government provided investment tax credits (ITCs) as an incentive for the purchase of industrial plants and machinery. Similar ITCs for cybersecurity software and services developed and delivered in the United States would help fund the investments needed to keep the country safe.