The rules are designed to spur pipeline companies to bolster their defenses, evaluate their cybersecurity and ensure they can continue to operate even if their business networks are hacked.
A ransomware attack that led Colonial Pipeline to shut down its pipeline for six days in May was “really a wake-up moment” when it came to cybersecurity vulnerabilities in the country’s vast network of pipelines, said Tim Maurer, senior counselor for cybersecurity to Homeland Security Secretary Alejandro Mayorkas. TSA is part of the Department of Homeland Security.
Officials wanted to act quickly to prevent another pipeline from getting hit in a cyberattack that could spiral and lead the public to panic, “making the reaction worse than the impact of the ransomware attack” itself, Maurer said.
The Washington Post obtained a copy of the rules, which were issued in July, through a Freedom of Information Act request. But they haven't been published more broadly and The Post showed them to cybersecurity experts for comment.
Some requirements drew consensus as positive, like developing and regularly testing an incident response plan. The government is also, for the first time, mandating an annual cybersecurity audit from either TSA or an independent inspector to help operators identify weaknesses as soon as possible. Before the directive, such “architectural design reviews” were voluntary.
Overall the requirements are “sound and based on a solid foundation … and set the stage for significant cybersecurity improvements when implemented,” said Marty Edwards, vice president of operational technology security at Tenable and a former DHS official overseeing industrial control system emergency response operations.
Other analysts raised concerns. The rules are vague in some areas, they said. In other areas, they're overly prescriptive, like calling for patching vulnerabilities, according to Dragos CEO Robert M. Lee. And requiring anti-virus scans makes sense on business systems, but they can delete critical files or cause system outages on machines that run the pipes, some experts said.
Industry doesn't love the new rules
Industry groups take issue with the way the regulations were written.
Seven oil and gas industry groups criticized the process in an August letter to TSA Administrator David P. Pekoske. Because it was an emergency directive, there was no requirement that industry be allowed to comment.
Senior DHS officials said they consulted industry in drafting the rules. They said they gave companies three business days to provide feedback and received more than 300 comments. The directive, they noted, contains a provision allowing a company to suggest alternative measures for compliance.
“So far the dialogue we've had with the [pipeline] owners and operators … has been very, very good,” Pekoske said last week at a congressional hearing.
The TSA will “take what we've learned” with regulating pipelines and “apply it more broadly across the transportation sector,” he said.
The directive was labeled “sensitive security information,” which restricted industry from freely sharing and discussing it. Publishing the full document, especially the mitigation measures, would have “meant any potential malicious attacker could have exploited them,” Maurer said.
Some experts said they saw no reason to withhold the rules from the public. Rep. Jim Langevin (D-R.I.), who has been briefed on the rules but not been able to see them, said the regulations are “not only a good thing to do, it’s way overdue.”
But, he said, withholding them is counterproductive and a redacted version would allow experts to weigh in. “Transparency helps,” he said, “not hurts.”
Officials plan to undertake a full rulemaking process with notice and comment periods to craft more permanent regulations when the current rules expire in one year.
Some industry representatives said that's an opportunity. “If we really want to tackle this, we need to be looking at reasonable pipeline cybersecurity regulations,” said Kimberly Denbow, managing director for security and operations of the American Gas Association, which represents more than 200 natural gas energy companies.
She pointed to standards that pipeline companies, government agencies and security firms agreed on in August, noting that they recognize differences between pipelines and have requirements for managing cyber risk. The TSA should incorporate those standards into any follow-on rules, she said.
“It's the most efficient way to put effective pipeline cybersecurity regulations in place,” she said.
The Biden administration will convene 30 countries to discuss ransomware
The meeting will aim to “accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically,” President Biden said in a statement. The announcement comes as the Biden administration approaches the four-month mark since Biden warned Russian President Vladimir Putin about the consequences for ransomware groups hitting the United States' critical infrastructure.
Meanwhile, ransomware attacks continue to hit U.S. businesses and organizations. The 30-nation meeting will be held virtually this month, CNN’s Sean Lyngaas reports.
Law enforcement arrested two suspected ransomware operators in Ukraine
The operation was carried out by French, U.S., Ukrainian and international law enforcement agencies, The Record's Catalin Cimpanu reports. One of the suspects, a 25-year-old, is accused of being an important member of the ransomware operation.
Europol declined to provide details on the group the suspects were affiliated with. But the law enforcement agency said the suspects targeted “large industrial groups in Europe and North America” since April 2020 and were “known for their extortionate ransom demands” — between 5 million euros and 70 million euros. Police say they have seized $375,000 in cash and froze $1.3 million in cryptocurrency.
Maritime transportation sector should revamp cybersecurity, think tank says
The Atlantic Council is calling for a rethink of the way that industry and government secure maritime transportation systems. In a new report, the think tank recommends:
- The White House should “commit to identifying new funding” for DHS to direct to the U.S. Coast Guard for cybersecurity.
- Officials should consider a 20 percent increase in funding for the Coast Guard’s cybersecurity efforts.
- New products in the industry should come with lists of the software that they rely on.
- Cybersecurity should be a main part of maritime insurance policies.
- National Cyber Director chief of staff John Costello speaks at a Center for Strategic and International Studies event today at 9:30 a.m.
- CISA chief of staff Kiersten Todt and FBI Deputy Assistant Director Tonya Ugoretz speak at the two-day Uniting Women in Cyber 2021 event, which begins Tuesday.
- The Center for Democracy and Technology hosts an event on the Patriot Act on Tuesday at noon.
- The R Street Institute hosts an event on diversity in cybersecurity on Tuesday at 1 p.m.
- CISA Director Jen Easterly speaks at a Washington Post Live event on Tuesday at 3 p.m.
- Top U.S. cybersecurity officials speak at the Mandiant Cyber Defense Summit on Tuesday.
- Easterly and others speak on the first day of CISA’s four-week Annual National Cybersecurity Summit on Wednesday.
- Top U.S. officials and lawmakers participate in the Aspen Cyber Summit on Wednesday.
- The Senate Commerce Committee holds a hearing on data security on Wednesday at 10 a.m.
- U.S. cybersecurity officials speak at the U.S. Cyber Challenge Awards Program and Cybersecurity Summit on Wednesday at 1 p.m.
- The Center for Strategic and International Studies hosts an event on sixth-generation network standards on Wednesday at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas, Easterly and other top U.S. government officials speak at the three-day Billington Cybersecurity Summit, which begins Wednesday.
- European cybersecurity officials speak at Kaspersky’s EU Cyberpolicy Forum on Thursday at 5 a.m.
- Silicon Flatirons hosts an event on encryption on Thursday at noon.
- The House Oversight and Reform Committee holds a hearing on the partisan election review in Maricopa County on Thursday at 10 a.m.
- Lawmakers and cybersecurity officials speak at a National Cyber Security Alliance event on Thursday at noon.
Secure log off
Thanks for reading. See you tomorrow.