Colonial Pipeline ransomware attack prompts first cybersecurity mandates for nation's pipelines

The Biden administration will mandate cybersecurity regulations for the nation's leading pipeline companies, officials announced Wednesday, following a massive computer hack that prompted a pipeline transporting nearly half of the East Coast's fuel supply to shutter for 11 days. Previously, voluntary guidelines were given to industry leaders.

The new security directive issued by the Department of Homeland Security (DHS) will require pipeline companies to report cyber incidents to federal authorities, senior DHS officials said, and comes in the wake of a series of ransomware attacks highlighting cyber vulnerabilities to critical infrastructure. Earlier this month, a ransomware attack targeting Colonial Pipeline caused gasoline shortages and panic buying in more than a dozen states and the nation's capital. The shutdown threatened to disrupt airplane travel and mass transit and resulted in a $4.4 million ransom payment to foreign hackers, according to the pipeline's CEO.

Senior DHS officials told reporters this week that "the Colonial Pipeline incident and the broader range of ransomware attacks in the past several months have created a public consciousness of cybersecurity threats that arguably we haven't seen in the past decade," transcending the routine labeling of cyber attacks as purely nation-state driven activity.  

"Ransomware, which is primarily criminal and profit-driven, can rise to the level of posing a national security risk and disrupt national critical functions," a senior DHS official said. In the wake of the Colonial Pipeline attack, the White House has launched a new strategy to tackle the growing threat to critical infrastructure beyond the isolated efforts of DHS and the Justice Department.

Since the federal government regrouping that took place post-September 11, 2001, the Transportation Security Administration (TSA) has controlled pipeline security, taking over for the Department of Transportation (DOT.) And while DOT still oversees the operation of pipelines, TSA has been tasked with protecting them against terrorist attacks and external threats since 2002. In 2011, the agency issued its first set of cyber-related guidelines, later updating them in 2018.

Image showing the Colonial Pipeline Houston Station facility in Pasadena, Texas (East of Houston) taken on May 10, 2021. FRANCOIS PICARD/AFP via Getty Images

TSA's new directive will require pipeline owners and operators to designate "a 24/7, always available cybersecurity coordinator" – like a chief security officer – to coordinate with both TSA and the Cybersecurity and Infrastructure Security Agency (CISA) in the event of a cyber incident, senior DHS officials said.

Critical pipeline companies must also within 30 days "take steps to do an assessment as to how their current practices lineup" against current pipeline guidelines issued by TSA. According to the officials, companies must "identify any gaps" and establish a timeline for remedying possible flaws, a process that was historically voluntary.

The security directive is part of a larger "strategic plan" by DHS to protect against future cyber incidents like the Colonial Pipeline attack, according to senior agency officials.

"This is step one of a phased approach and we expect that you will see in the not-too-distant future that this will be followed up with an additional set of rules that require a range of actions to be taken by the sector," a DHS senior official said. Yet details on future action remain sparse.

Senior DHS officials remarked they were "very cautious" about releasing company information on cyberattacks to the public, but suggested CISA might publish an "aggregated analysis of vulnerability and risk trends" for the pipeline sector industry" in the future.

Companies that fail to comply with the TSA directive will be subject to financial penalties imposed on a daily basis, resulting in compounded costs, one senior DHS official said.

A note posted at a gas pump indicates the pump is out of premium gasoline at a Costco Warehouse fuel station on May 11, 2021, in Ridgeland, Mississippi. Rogelio V. Solis / AP

Senior DHS officials estimate there are approximately 100 critical pipeline companies that fall under TSA's new directive. "Those pipeline companies are aware of their critical status, and they have been covered by the pipeline security guidelines, as many other pipeline companies have been as well," an official added.  

The TSA division responsible for securing the nation's 2.7 million miles of pipeline had just five full-time employees in 2019, none with cybersecurity expertise, according to a TSA official. "We have [no employees] that have specific cybersecurity expertise," Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers at a February 26 House Homeland Security Committee hearing. "They do have pipeline expertise, but not cybersecurity expertise."

That has since changed. DHS officials told CBS News that "[TSA] does have trained staff in place now for pipeline security both on the cybersecurity side and on the physical security side." A senior DHS officials said the agency's cybersecurity group "received extensive training from Idaho National Laboratory, along with some additional training from CISA." 

TSA has committed to conducting 52 pipeline assessments in fiscal year 2021. To date, they've conducted 23.

A slew of critical infrastructure sectors — including dams, public health and agriculture — still do not impose mandatory cyber standards. Lawmaker efforts to institute mandatory cyber requirements dictated by Congress failed nearly a decade ago in the face of strong industry dissent.

For weeks, the Biden administration and lawmakers have voiced concerns about a lack of strict cybersecurity regulations for gas and oil pipeline operators, reigniting the debate for greater company accountable in securing U.S. infrastructure against cyber threats.

And while Homeland Security's new proposal may earn praise from cybersecurity advocates and members of Congress clamoring for action, the TSA regulation is likely to raise questions about the Department of Energy's lack of authority over the nation's energy companies.

Those leading the new security directive, however, remain optimistic that it will not damage the decades-old public-private partnership within the pipeline security sector. 

"Even though we will have more structured oversight, in the form of a security directive and other measures to come in the future, we still look forward to a very collaborative relationship with the pipeline industry," a senior DHS official said. "Just because we have a security directive does not mean that we won't continue to collaborate with them." 

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.