Pipelines transport a wide range of hazardous liquids, fuel, and natural gas, making them an integral component of critical infrastructure.
The U.S. pipeline industry is still dealing with the fallout of the Colonial Pipeline ransomware incident from earlier this year that disrupted operations of one of the largest pipelines in the country.
Today, the Department of Homeland Security (DHS) issued its second security directive to pipeline operators, requiring them to implement more protections against cyber threats.
Second cybersecurity directive for pipelines
The new order builds on top of the first cybersecurity directive from May, which requires pipelines to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), among other things.
There are three main components to the new directive, requiring owners and operators to:
- "Implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems;"
- "Develop and implement a cybersecurity contingency and recovery plan;"
- "Conduct a cybersecurity architecture design review."
DHS says this applies to TSA-designated critical pipelines.
Homeland Security Secretary Alejandro Mayorkas explains the motivations in this case:
"Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security.
Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience."
And according to many experts, cybersecurity resilience has been lacking in the pipeline industry.
Here is what Richard Glick, Chairman of the Federal Energy Regulatory Commission, said immediately after the Colonial attack:
"For over a decade, the Federal Energy Regulatory Commission (FERC), in coordination with the North American Electric Reliability Corporation, has established and enforced mandatory cybersecurity standards for the bulk electric system. However, there are no comparable mandatory standards for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States.
It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector. Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend."
[RELATED: Oil and Natural Gas Cyber Threats podcast]
