Last spring, a ransomware attack forced Colonial Pipeline to shut down. The weeklong recovery disrupted retail gas delivery throughout the Southeastern US. Colonial Pipeline makes up only a fraction of the more than 230,000 miles of pipeline across the US carrying hazardous liquids and carbon dioxide. The incident spurred the Transportation Security Administration (TSA) to hastily impose new cybersecurity rules for the pipeline industry. Some rules were voluntary, but others were very specific and onerous, such as the requirement to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of a cybersecurity incident being identified. In addition to the overly prescriptive requirements, TSA did not initially release the entire set of rules publicly. Instead, they were shared with only a select number of industry representatives. This lack of transparency further contributed to the backlash from oil and gas companies, industry experts, and associated trade groups, who wanted more collaboration.
TSA has now relaxed those rules in response to concerns from pipeline companies and industry experts. It revised its initial guidelines and reissued the security directive with more input from stakeholders. TSA wisely shifted its approach to describing specific outcomes that must be achieved, such as preventing unauthorized access to critical systems, while leaving the "how" up to individual pipeline owners and operators. Pipeline companies now have more flexibility to determine the optimal implementation for meeting these new regulatory requirements.
The willingness of TSA to adjust requirements based on industry feedback is welcome, but the days of nonexistent or mostly voluntary cybersecurity regulations for critical infrastructure are ending. The US government is imposing more regulations to increase transparency around cyber incidents and protect the nation's critical infrastructure. All critical infrastructure industries, not just pipelines, are being scrutinized under new and pending regulations such as:
- A requirement in the Strengthening American Cybersecurity Act to report any ransomware payment to CISA within 24 hours.
- The proposed Energy Product Reliability Act, which calls for cybersecurity standards to protect the availability of energy products.
Concerns over compliance burdens, penalties, and infrastructure compatibility are valid, but they must be weighed against the increase in attacks on critical infrastructure and the longer lead time needed to update or patch operational technology (OT) environments. Because the consequences of a critical infrastructure incident are higher, these industries should anticipate being held to higher regulatory standards.
Follow these three steps to build an OT security strategy:
- Gain accurate asset visibility of your network. You cannot protect what you don't know you have. Armed with this inventory, segment your network to isolate vulnerable assets, and develop a cybersecurity roadmap to strengthen operational activities like monitoring and patching. Use security solutions tailored to the unique characteristics of OT environments (legacy protocols, long patch cycles, and availability requirements that rule out intrusive scanning). Build attestation into your program from the start: you will need evidence that these cybersecurity controls are in place and working properly to demonstrate compliance.
- Develop cyber incident response procedures, and weave regular exercises into your existing safety programs. Practice, practice, practice. Become as proficient at responding to cyber disruptions as you are at responding to weather-related outages. Hardening OT environments will take time, so you must be prepared to respond to and recover from cyber attacks in the meantime. Obtaining an incident response retainer with a trusted partner that specializes in OT cyber incidents is a best practice regardless of your in-house capabilities. A crucial element of your incident response plan must be a process for timely reporting of cyber incidents, including who decides that an incident is reportable and when the reporting clock starts, as this requirement will surely be included in future regulations.
- Get involved, or stay active, in public/private partnerships. Collaborate with your colleagues and partners to bring a unified voice to the regulators. As TSA demonstrated, it is willing to find equitable solutions, but it needs your input to do so.
Don't wait until regulations become final. Focus on getting the fundamentals right rather than worrying about the specifics of impending legislation. Consistency in cybersecurity requirements across government entities is unlikely, given the fragmented nature of government agencies and the diversity of critical infrastructure industries. If you address the foundational elements of sound cybersecurity hygiene instead of chasing specific requirements, you will be positioned to handle new regulatory requirements and improve your cyber resiliency at the same time.
Where To Find More Information
The complete text of the pipeline security directives is published by TSA:
- Security Directive Pipeline 2021-01B: Enhancing Pipeline Cybersecurity
- Security Directive Pipeline 2021-02C: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing