“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Mayorkas said in a statement announcing the new rules.
In May, the Colonial Pipeline was knocked offline after a brazen ransomware attack, setting off days of panic buying at gas stations in several states. The network, which supplies the East Coast with 45 percent of its fuel, was taken down after a hacker group known as DarkSide infiltrated the Georgia-based company’s servers and encrypted its data, demanding a ransom to restore access. Cybersecurity experts described the incident as the biggest known cyberattack on U.S. energy infrastructure.
The TSA announcement comes as the DHS and the FBI disclosed for the first time that Chinese state-sponsored hackers targeted 23 U.S. natural gas pipeline operators from 2011 to 2013. The newly declassified phishing campaign successfully compromised systems on at least 13 of them, according to the advisory.
The attacks highlight the myriad ways cybercriminals can strangle economies and disrupt daily life. The Biden administration pledged a “whole-of-government response” to protect the United States from ransomware attacks in response to the Colonial hack.
Tuesday’s directive, along with one from late May, adds the TSA to a patchwork of federal agencies engaged in pipeline cybersecurity issues, including DHS’s Cybersecurity and Infrastructure Security Agency, the Energy Department and the Coast Guard. The FBI recently set up a task force to go after cybercriminals.
The TSA announcement provides few details on the order or how it will be enforced, as much of it is classified to prevent hackers from learning too much about pipeline operators’ cyberdefenses. It’s unclear whether the directive will include penalties for companies that fail to meet its standards.
According to the announcement, pipeline owners are now required to implement specific, though unspecified, safeguards against ransomware attacks. The measures cover the IT systems commonly targeted by cybercriminals as well as physical systems that control the flow of fuel. The directive also requires pipeline operators to review their IT infrastructure and develop plans for how to respond to a hack.
Industry groups are likely to oppose the regulations. Williams and Jensen, a law firm that lobbies for Colonial Pipeline, upped its lobbying income from $30,000 to $150,000 in the most recent quarter, according to the company’s Senate lobbying disclosure. The firm lobbied on cybersecurity issues and also worked to “provide information regarding the May 7th ransomware attack,” according to the disclosure.
The American Public Gas Association, a trade group, called an earlier draft of the TSA’s rules too vague and argued that pipeline operators will need more time to implement them.
In a June 18 letter obtained by The Washington Post, APGA president and CEO Dave Schryver said many natural gas companies have to rely on utility boards or local governments for budget approval, something that can delay possible upgrades.
“Technology upgrades to ensure secure infrastructure are considered when appropriate, but this requires significant time and conversation years in advance of execution,” Schryver wrote in response to an earlier draft of the regulations.
For example, Schryver said, it would be impossible to deploy multi-factor authentication across all of a company’s physical IT systems within 90 days. He called several of the TSA’s requirements “unreasonable.”
Ron Gula, the founder of Tenable Network Security, said Tuesday’s directive was “a positive step, but nebulous at best.” The lack of detail provided by the TSA, he noted, could give pipeline executives too much leeway to interpret the regulations according to their companies’ interests.
“The lack of detail is the most concerning for me here,” Gula said. “It will leave interpretation of these broad recommendations up to boards and executives who are not cybersecurity experts.”
David Holtzman, a private cybersecurity expert who studies critical infrastructure, said the TSA directive is not broad enough and does too little to punish noncompliance. He also said he thought it was based too closely on the Colonial Pipeline incident.
“Like TSA making people take off their shoes in the security line, [the security directive] appears highly targeted and backward-looking, not proactive enough to forestall future threats,” Holtzman said.
The measure in and of itself is not a silver bullet, said one U.S. official, who spoke on the condition of anonymity to discuss regulation that is not public. However, the official said, implementing regulation through a security directive as opposed to a traditional rulemaking with public notice and a comment period is “tricky” because the agency must justify it as “immediately needed to protect the security of the sector” or risk litigation.
“It’s as good and robust and forward-leaning as it could be given the instrument [the agency is] working with,” the official said.
Sen. Angus King (I-Maine) called the directive “a needed step that risks falling short based on the level of threat we face.” He said the government also needs to identify other sectors where critical infrastructure might be vulnerable to hackers.
“We have to identify the most systemically important critical infrastructure — across numerous sectors — and ensure we have established an effective public-private collaboration with the federal government,” King said.
Ellen Nakashima, Aaron Schaffer, Lori Aratani and Joe Marks contributed to this report.