New DHS directive will require critical pipelines to comply with federal cybersecurity measures

The Department of Homeland Security on Thursday will mandate that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours, according to DHS officials.

In the wake of the debilitating ransomware attack earlier this month on Colonial Pipeline, which operates a major fuel pipeline, department officials rushed to enact measures that they believe will better secure the industry as a whole and help identify and prevent cyberattacks.
Under a forthcoming Transportation Security Administration security directive, these pipeline companies will be required to report both confirmed and potential incidents to DHS’ cybersecurity branch.
Pipeline owners and operators will also be required to designate a “24/7, always available” cybersecurity coordinator who can respond to incidents and coordinate with TSA and the department’s Cybersecurity and Infrastructure Security Agency, a DHS official said during a news briefing.
Within 30 days, these companies must also complete and assess how their practices line up with TSA’s long-standing pipeline guidance, identify any gaps and propose plans to remedy those gaps.
On Tuesday, CNN reported plans to require pipeline companies to report cyberattacks to the federal government, a shift from the current system of voluntary reporting, according to a source familiar with the plans.
TSA is responsible for transportation security, including hazardous material and pipeline security, and has guidelines in place for the industry. However, this will be the first time that the critical pipeline sector has been mandated to report cybersecurity incidents.
The directive will apply to around 100 companies considered to have the most critical pipelines in the United States, a DHS official said. The companies are aware of their critical status and are familiar with the existing pipeline security guidelines, according to the official.
In response to the cyberattack, Colonial Pipeline halted operations, leading to a run on gasoline and panic buying. After the incident, Biden administration officials privately voiced frustration with what they saw as Colonial Pipeline’s weak security protocols and a lack of preparation, CNN previously reported.
The incident highlighted that ransomware, which is primarily a criminal, profit-driven enterprise, “can rise to the level of posing a national security risk and disrupt national critical functions,” a DHS official said.
The total paid by ransomware victims increased by more than 300% in 2020, reaching nearly $350 million, according to a report from the Ransomware Task Force, which is made up of experts from the industry, government agencies and academic institutions.
There are financial penalties associated with failure to comply with security directives, a DHS official said, which can be imposed on a daily basis, so “they can ramp up pretty significantly over time.”
The fine range starts around $7,000 and depends on the specific violation, the official added.
In response to the ransomware attack, a Colonial spokesperson previously said the company “proactively took certain systems offline to contain the threat,” which temporarily halted all pipeline operations that affected some of the IT systems.
According to a DHS official, the Colonial incident showed that even when only the IT system is impacted, and not the operational technology systems, it can “lead to significant disruption.”
Last week, Colonial Pipeline CEO Joseph Blount admitted he had authorized a ransom payment of $4.4 million in response to the cyberattack on the company’s network, calling it “a highly controversial decision” in an interview with the Wall Street Journal.
While recognizing the “difficult choice” for companies, the US government strongly discourages paying ransom, because there is no assurance of getting your decrypted data back and paying ransom further fuels the epidemic of criminal activity, a DHS official said about ransomware attacks in general during the news briefing.
The industry “was bracing for a more burdensome set of cyber standards,” former DHS Assistant Secretary for Infrastructure Protection Brian Harrell told CNN.
“I applaud TSA for seeking the cyber subject matter expertise at CISA. This, combined with the surface infrastructure knowledge of TSA, could lead to a successful compliance regime. I believe everyone is still interested in understanding what pipelines are in scope, and if TSA has the proper risk analysis in place. Regardless, Congress needs to fund this effort and TSA needs to hire additional staff, like yesterday,” he said.
The Cybersecurity and Infrastructure Security Agency doesn’t plan to release compliance information on specific pipelines, because of potential security risks, but the new requirements will allow the agency to produce better aggregate analysis of vulnerability and risk in the pipeline sector, according to DHS officials.
One official emphasized that the security directive is the first step, to be “followed by more,” but did not provide specific details about future plans. Another official said the department is thinking through how this security directive might serve as a model for the agencies involved and a potential future regulatory approach, adding that they want to avoid a “check-the-box kind of compliance regime.”
TSA is currently staffed at a level in the pipeline security sections to be able to respond to the issues that will be covered by this security directive and the future actions that TSA will be taking, another DHS official said.
But the official said the agency is continuing to expand its cybersecurity group within the pipeline team, to be able to carry out additional cybersecurity assessments on pipeline facilities.
TSA has committed to conducting 52 cybersecurity assessments, called a “validated architecture design review,” in partnership with the Cybersecurity and Infrastructure Security Agency, this fiscal year.
