[BreachExchange] TSA orders pipeline companies to disclose breaches after Colonial hack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri May 28 13:29:58 EDT 2021


https://www.msn.com/en-us/news/us/tsa-orders-pipeline-companies-to-disclose-breaches-after-colonial-hack/ar-AAKr5PR

Companies that operate pipelines must alert the government whenever they
suffer cyberattacks, the Transportation Security Administration ordered
Thursday, in the Biden administration’s first effort to harden U.S.
critical infrastructure after hackers disrupted the East Coast’s gasoline
supply three weeks ago.

Pipeline operators also must preemptively assess their cybersecurity
postures for weaknesses that could open the door to hackers, according to the
new TSA directive
<https://www.politico.com/f/?id=00000179-ae7e-dfee-a979-ae7e81150000>.

The rule announced Thursday is the first-ever federal cybersecurity
regulation for pipeline companies, which until now have faced only voluntary
TSA guidance
<https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf>,
including the suggestion that they report breaches. It comes as Congress is
debating even more sweeping responses to this month’s disruptive Colonial
Pipeline hack, such as proposals to mandate cyber incident reporting by all
companies that operate critical infrastructure or provide key technology
services.

In addition, some lawmakers of both parties have suggested stripping
oversight of pipeline security from the TSA, an arm of the Department of
Homeland Security whose main duties include preventing terrorist attacks on
commercial airliners.

The cyberattack on Colonial, first disclosed May 7, prompted the
Georgia-based company to shut down the 5,500-mile-long pipeline that
supplies much of the East Coast’s gasoline, diesel and jet fuel, leading to
hoarding and widespread fuel shortages.

“The Colonial Pipeline ransomware attack was a powerful reminder … of why
we need to take this action,” a senior DHS official told reporters during a
Wednesday briefing.

Under the new rule, pipeline operators have 12 hours to report cyber
incidents to DHS’ Cybersecurity and Infrastructure Security Agency, which
is partnering with TSA on pipeline security. These reports must describe
the incident's projected impact, technical details associated with the
intrusion and all current and planned responses. Within 30 days, companies
must also assess how their cybersecurity practices line up with existing
TSA guidance and develop plans to fix any gaps.

TSA will be able to impose daily penalties on companies that do not comply.

Within seven days, operators must also designate primary and alternate
cyber employees to maintain 24/7 communication with TSA and CISA.

TSA plans to issue a second pipeline cyber directive with more significant
requirements
<https://www.washingtonpost.com/business/2021/05/25/colonial-hack-pipeline-dhs-cybersecurity/>
in the coming weeks, The Washington Post has reported.

“This is step one in the immediate wake of the Colonial Pipeline incident,
to be followed by more,” a senior DHS official said.

The new incident-reporting requirement is meant to ensure that the
government’s cyber defenders understand the nature and scope of digital
attacks as they work to prevent further intrusions. Although Colonial
alerted the FBI after discovering that it had been hit by an extortion
attack known as ransomware, it did not provide technical data to CISA until
several days later. The company also did not inform CISA that it had paid a
multimillion-dollar ransom to regain access to its data.

The new directive does not explicitly require pipeline operators to report
ransomware payments, although such payments could fall under the order's
mandate to report any "responses" to the incident.

The Colonial hack exposed the shortcomings of the federal government’s
current approach to defending critical infrastructure. Few of the 16
infrastructure sectors, which are managed by a cluster of different federal
agencies, face mandatory cyber requirements.

In addition, several of the agencies responsible for overseeing
infrastructure, including the TSA and the Environmental Protection Agency,
have little experience with cybersecurity and devote few resources to
digital threats. In 2018, TSA’s pipeline security arm only had six
full-time employees <https://www.gao.gov/products/gao-19-542t>, and the
agency lacked a plan for ensuring that employees had the requisite cyber
knowledge, according to a report from the Government Accountability Office.

TSA now has enough personnel to enforce the new rule, a senior DHS official
said, and those staffers have received training from CISA and other
government experts. “We are continuing to expand that group,” the official
said.

Through an existing partnership, CISA and TSA have conducted security
reviews of 23 pipeline facilities since October 2020 and plan to conduct
another 29 reviews in the next four months, according to the official.

For years, federal cyber leaders and industry executives have emphasized
cooperation rather than regulation
<https://www.eenews.net/stories/1060055209> as a means of safeguarding
infrastructure from hackers. But many companies — including some that run
the United States’ power plants, water treatment facilities and other vital
infrastructure — either ignore cybersecurity or devote too few resources
and attention to it, creating weak links that can metastasize into bigger
problems.

Biden administration officials have also touted the value of public-private
partnerships and voluntary information sharing, but the Colonial hack
appears to have galvanized the administration to pursue a stricter approach
to protecting a vital part of the country’s energy system.

“Even though we will have more structured oversight … we still look forward
to a very collaborative relationship with the pipeline industry,” one
senior DHS official said.

But, another added, one lesson from the Colonial hack is that “we need to
adopt a more muscular approach.”

Frustration with the voluntary approach has mounted in Congress, too. A
bipartisan group of lawmakers is drafting legislation to require critical
infrastructure companies and major IT service providers to disclose hacks
to the government.

TSA’s new rules are likely to spark intense pushback from the oil sector,
which has opposed new regulations on its members even as evidence has
mounted that voluntary standards are inadequate.

“Any regulations should enhance reciprocal information sharing and
liability protections, as well as build upon our robust existing
public-private coordination to streamline and elevate our efforts to
protect the nation’s critical infrastructure,” Suzanne Lemieux, the
American Petroleum Institute’s manager of operations security and emergency
response, said in a statement after the rule’s release. In mid-May, Lemieux
said regulation was “premature” without “a full understanding” of the
Colonial hack.

While TSA steps up its oversight of pipelines, some policymakers are
questioning whether it is even the right agency to do that work. On the
Hill, leaders of the House Energy and Commerce Committee are pushing for
the Energy Department to take over TSA’s pipeline portfolio
<https://republicans-energycommerce.house.gov/news/pipeline-and-lng-cybersecurity-is-a-job-for-doe-not-tsa/>.
The chair of the House Homeland Security Committee, however, has argued
that TSA has the necessary experience to retain its role
<https://homeland.house.gov/news/press-releases/chairman-thompson-statement-on-new-tsa-security-directive-for-pipeline-cybersecurity->.