date 2021-10-03

The requirements, which the government has not made public, lay out what the Transportation Security Administration calls “urgently needed” steps to protect national security and shield Americans from the effects of cyberattacks on the nation’s 100 most critical natural gas and liquid pipelines. The Washington Post obtained a copy of the emergency rules, called a “security directive,” under a Freedom of Information Act request. Specific mitigation measures were redacted, along with some deadlines, but most of the rest of the document was not.
The rules are designed to spur pipeline companies to bolster their defenses, evaluate their cybersecurity and ensure they can continue to operate even if their business networks are hacked.
The ransomware attack that led Colonial to shut down its pipeline for six days in May was “really a wake-up moment” when it came to cybersecurity vulnerabilities in the country’s vast network of pipelines, said Tim Maurer, senior counselor for cybersecurity to Homeland Security Secretary Alejandro Mayorkas. TSA is part of the Department of Homeland Security.
Officials felt an urgency to act quickly to prevent the pipeline sector from falling victim to another cyberattack that could quickly spiral and lead the public to panic, “making the reaction worse than the impact of the ransomware attack” itself, Maurer said.
The resulting regulation — the first such mandatory cybersecurity rules on a critical industry in years — “is not only a good thing to do, it’s way overdue,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, who has been briefed on the rules but not been able to see them.
However, he said, withholding them from the public is counterproductive. Even a redacted version would be useful so that experts could weigh in on their merits.
“Transparency helps,” he said, “not hurts.”
The Post asked a number of independent industrial cybersecurity experts to assess the rules, and sought comment from industry. Reaction was mixed.
Some requirements drew consensus as positive, such as developing an incident response plan and regularly testing it to assess how well it works. And for the first time, the government is mandating an annual cybersecurity audit from either TSA or an independent inspector to help operators identify weaknesses as soon as possible.
Before the directive, such “architectural design reviews” were voluntary. In the year leading up to its hack, Colonial discussed getting such an evaluation three times. It finally had one in late July, according to a Colonial spokeswoman.
Overall the requirements are “sound and based on a solid foundation . . . and set the stage for significant cybersecurity improvements when implemented,” said Marty Edwards, vice president of operational technology security at Tenable and a former Department of Homeland Security official overseeing industrial control system emergency response operations.
But a number of other analysts raised concerns with the directive’s approach to implementation. The rules are vague in some areas, they said. For instance, it is not clear whether a large corporation with industrial and business systems will have to comply with the rules for all its networks or just those related to its pipelines, they said.
They are overly prescriptive in other areas, such as calling for patching vulnerabilities, when it would be more effective to identify the desired outcome of mitigating flaws and let the operator determine how best to do so, said Robert M. Lee, chief executive of the industrial cybersecurity firm Dragos. Patching is one solution, but so is system monitoring and allowing on a network only approved applications.
“When you’re dealing with an operational technology system, sometimes a patch doesn’t reduce the risk or even fix the vulnerability,” Lee said. “And going down to the field in the middle of winter to take down a system to patch it can backfire. We’ve seen more accidental shutdowns from well-intentioned operators patching systems than were caused by attacks from Russia and Iran combined.”
Also, requiring anti-virus scans makes sense on business systems, but on machines that actually run the pipes, they may in some cases delete critical files or cause outages, some experts said.
The federal government last imposed cybersecurity regulations on a critical industry in 2008 — on the bulk electric power sector. Over the years the rules have improved, and some experts said TSA should apply that experience to pipeline regulation.
“There are a ton of lessons learned from almost two decades of experience in other critical infrastructure sectors,” said Tim Conway, technical director of industrial control system programs at the SANS Institute, a cybersecurity training organization.
“They really need to engage the industry in the development of the requirements and make the process more transparent. That will address issues moving forward.”
Seven oil and gas industry groups sent TSA Administrator David P. Pekoske a strongly worded letter in August criticizing the way the regulation was put together. “Open communication, process transparency and timely engagement with the industry have been hallmarks of the TSA pipeline security program,” they said. Such engagement was “not fully realized” in creating the emergency directive, which unlike a traditional rulemaking process, did not require seeking industry comment.
Senior DHS officials said they consulted industry in drafting the rules. They said they gave companies three business days to provide feedback. “We received over 300 comments,” Maurer said.
The directive, they noted, contains a provision allowing a company to suggest alternative measures for compliance.
“So far the dialogue we’ve had with the [pipeline] owners and operators . . . has been very, very good,” Pekoske said at a Congressional hearing on Wednesday.
He added that TSA would “take what we’ve learned” with regulating pipelines and “apply it more broadly across the transportation sector.”
The directive was labeled “sensitive security information,” which restricted industry from freely sharing and discussing it. Publishing the full document before the deadline to implement the fixes, especially those related to mitigation measures, would have “meant any potential malicious attacker could have exploited them,” Maurer said.
Some experts said they saw no reason to withhold the rules. The 2008 cyber regulations for bulk power companies included mitigation measures, and the vast majority of those rules have always been public, said Tim Roxey, a former chief security officer of the North American Electric Reliability Corporation, a nonprofit body that wrote the requirements in consultation with the power sector.
The July directive was intended as a stopgap. Officials plan to undertake a full rulemaking process, with notice and comment periods, to craft more permanent regulations when the rules expire in one year.
Some industry representatives said that’s an opportunity. “If we really want to tackle this, we need to be looking at reasonable pipeline cybersecurity regulations,” said Kimberly Denbow, managing director for security and operations of the American Gas Association, which represents more than 200 natural gas energy companies.
In August, a group of pipeline companies, government agencies and security firms agreed on a set of standards to enhance pipeline cybersecurity, she noted. They were written in a way that recognized the differences between the way natural gas and liquid pipelines operate, while creating requirements for managing cyber-risk, she said. TSA should incorporate those standards into any follow-on rules, she said. “It’s the most efficient way to put effective pipeline cybersecurity regulations in place,” she said.