On the heels of the Executive Order on Improving the Nation’s Cybersecurity, signed by the President after a ransomware attack forced the shutdown of Colonial Pipeline, the Department of Homeland Security’s Transportation Security Administration (TSA), the agency responsible for overseeing pipeline security, announced on May 27, 2021, its own Security Directive of new cybersecurity requirements for critical pipeline owners and operators. (The question of why, up until this Security Directive, pipelines only had security recommendations, not requirements, is a topic for another blog.)
Now that the dust has settled a little around the Colonial Pipeline ransomware attack, it’s time to get real regarding something really important about the Executive Order and the TSA Security Directive that you might be missing: risk. While the two new regulations are a great first step in highlighting the importance of cybersecurity and the necessity of regulatory requirements — and that’s a very good thing — to prevent another Colonial Pipeline event, here’s what else we should be considering.
Critical Infrastructure’s Systemic Risk Is The Private Sector
Despite being the largest US refined products pipeline system, Colonial Pipeline is a privately owned subcontractor, not a federal entity, and that’s more common for critical infrastructure than you might think. The private sector owns a whopping 85 percent of the nation’s critical infrastructure and key resources. Unlike electrical utilities, the pipeline industry is not subject to mandatory cybersecurity standards, and that creates an unbalanced equation for risk. Without accountability and oversight of cybersecurity, the private sector becomes a huge systemic risk (in the form of third-party risk) for critical infrastructure — that is, external events that are outside of its control but have a huge impact on reliability, integrity, and the trust of customers.
Voluntary Regulatory Compliance Is An Oxymoron
It’s one thing to have regulations, standards, and frameworks; it’s quite another to mandate compliance. There are a few self-policing industries that have been successful as “self-regulating” and have extensive programs with independent boards and committees and governing bodies and rules. For instance, the law industry has stayed clear of regulation by creating and supporting the American Bar Association. The medical industry is equally successful at self-governing with the American Medical Association. Critical infrastructure is not one of those industries. Both oil and natural gas pipelines are regulated by the TSA and fall under the Cybersecurity and Infrastructure Security Agency’s (CISA) authority. In February 2021, the CISA published the Pipeline Cybersecurity Resources Library, described as a set of free, voluntary resources to strengthen cybersecurity posture. Creating regulations without mandating companies such as Colonial Pipeline to comply feels like letting the wolf guard the henhouse. Until cybersecurity becomes a mandate, responsibility and accountability will continue to be inconsistent at best, nonexistent at worst.
The Security Directive Goes Bold In Some Areas But Doesn’t Go Far Enough In Others
First, the good news — the Security Directive takes the bold leap of requiring pipeline owners and operators to:
- Report confirmed and potential cybersecurity incidents to the CISA.
- Designate a cybersecurity coordinator for the company to be available 24 hours a day, seven days a week.
- Review their current cybersecurity practices and identify and report gaps and proposed remediation plans to both the TSA and CISA within 30 days.
Considering pipelines have been operating in a state of regulatory-ish self-governance, these three requirements are likely to at least get the cybersecurity ball rolling, so long as the requirements are followed up with consistent oversight.
Now for the not-so-great news: Anyone looking for loopholes in the Security Directive will easily find several. First, there’s no mention of the responsibility, seniority, or level of authority for the “cybersecurity coordinator” role, only that they’re on call 24/7. It’s worth mentioning that a main recommendation from a 2018 tech audit of Colonial Pipeline was for the company to hire a chief information security officer (CISO), a position considered essential for any critical infrastructure company. Instead, Colonial assigned CISO responsibilities to a subordinate of the CIO, and we know how that played out. Next, it’s unclear whether the review of cybersecurity practices should be done as a self-assessment or an external audit and whether the 30-day time frame starts on May 27, the day the Security Directive was announced, or from the date the review is completed. Noticeably missing is a reference to a framework such as IEC 62443 or NIST SP 800-82 against which to assess, which leaves the door open to multiple interpretations and lacks prescriptive guidance at a time when it’s most needed.
The fact that it took a ransomware attack on the largest fuel pipeline in the US to demonstrate the criticality of pipeline cybersecurity to homeland security is absurd and validates the quote attributed to John W. Bergman: “There’s never enough time to do it right, but there’s always enough time to do it over.” Luckily, the TSA is considering additional, follow-on mandatory measures that will further support the pipeline industry in enhancing cybersecurity.