Recently, the Department of Homeland Security (DHS) issued a directive requiring our Nation’s pipelines to report both potential and confirmed cybersecurity incidents to the Department’s Cybersecurity and Infrastructure Security Agency (CISA). The directive further mandates that pipelines designate a cybersecurity coordinator who is available 24 hours a day, 7 days a week, 365 days per year as a point-of-contact (POC) to report cyber-attacks.
Another part of the directive mandates that pipeline owners and operators review their current cybersecurity practices and procedures. Identified gaps, along with the remediation measures needed to mitigate the risks found, must be reported to both the DHS’s Transportation Security Administration (TSA) and CISA within 30 days. Under the new directive, pipeline operators, through their POC, are required to report cybersecurity incidents within 12 hours. Failure to report such attacks could result in fines of $7,000 per day or more.
Colonial Pipeline Exposed Vulnerability
Because of the nefarious DarkSide ransomware attack on Colonial Pipeline’s computer network recently, and the resulting disruptive shutdown of the 5,500-mile pipeline for most of a week, the DHS has determined that pipelines are part of America’s critical infrastructure, and that their cybersecurity must be taken to a higher level to guard against future hacking.
That shutdown was the most disruptive to date in the United States, preventing millions of gallons of gasoline, diesel fuel, and jet fuel from flowing from Colonial’s source in Texas east and all up and down the East Coast. The shutdown and the resulting lack of fuel led to fuel hoarding and shortages, which increased the price at the pumps where fuel was available. It also pointed out just how vulnerable this industry (and other critical infrastructure) is to cybersecurity attacks. The DoD is already addressing its own cyberattack vulnerability by implementing its CMMC program.
Before the pipeline directive, the TSA had provided voluntary cybersecurity guidelines for pipelines to follow. Unlike power plants, the pipeline industry and other utilities have not been required to follow any cybersecurity mandates … up to now.
Voluntary Meant Not Done
Because the measures have been voluntary in the past, and following them would increase operating costs, pipelines have not implemented the TSA’s recommended cybersecurity measures to the levels recommended; some have not implemented them at all. Now, it looks like the TSA will be mandating measures to enhance the cybersecurity of this industry. Doing so raises several questions:
- What will these mandatory measures look like?
- Will they be modeled, if not at least in part, off the DoD’s CMMC model?
- Will all pipelines be held to the same cybersecurity level, whereas the CMMC has five levels?
- Will there be different levels of compliance based on how critical a role they serve in the industry, much like what is found in the CMMC program?
- Will the costs of these additional requirements impact the price of fuels, or will they be reimbursable by the government?
These questions (and more) will be addressed in the future as the program matures.
In a recent statement, the Secretary of Homeland Security, Alejandro Mayorkas, addressed the need for the new mandates by saying: “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats”.
Officials noted that the forthcoming security mandate for pipelines could serve as a model for other utilities and industries as a whole. Will the new model be based on the DoD’s CMMC program? Only time will tell.