The Colonial Pipeline ransomware attack has prompted the Department of Homeland Security (DHS) to begin regulating cybersecurity in the pipeline industry.

The attack pushed gas prices higher and disrupted supply in the eastern United States. According to Bloomberg, Colonial Pipeline paid nearly $5 million in ransom to the Darkside ransomware group.

The attack highlighted the vulnerability of critical infrastructure.

The DHS sent us the following statement:

“The Biden Administration is taking further action to better secure our nation’s critical infrastructure. Transportation Security Administration (TSA), in close collaboration with [the] Cybersecurity and Infrastructure Security Agency (CISA), is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead.”

According to the Washington Post, the TSA’s new security directive will require pipeline industry companies to report cyber incidents to TSA and CISA. They also must have a cyber official with a 24/7 direct line to TSA and CISA to report an attack.

Moreover, companies have to assess the security of their systems as measured against existing cyber guidelines. Fixing any gaps has been voluntary until now.

Companies must correct any problems and address shortcomings or face financial penalties.

Before this, the TSA has relied on collaboration rather than mandatory requirements on pipeline industry companies.

Positive Impact Expected

Tyler Shields is JupiterOne‘s CMO.

JuipiterOne’s Tyler Shields

“It is always significant when a government group or organization puts out new regulations or mandates,” he said. “The efficacy of the regulation typically comes down to … does the regulation have teeth.”

This particular regulation should have a positive impact on security at pipeline companies, Shields said. That’s due to the downside of failure being both financially and brand significant.

“Government fines and other damages are a strong incentive for security improvement,” he said.

Joseph Neumann is cyber executive advisor at Coalfire. He said regulations have never helped a company improve its security. Only requiring the reporting of incidents doesn’t help the industry or anyone, he said.

Coalfire’s Joseph Neumann

“If any regulations were to be passed down, mandatory external audits and security assessments are really the only way to get these companies to improve their overall security,” Neumann said.

Power generation sectors frequently lag behind in security, with aging infrastructure and legacy systems in place for decades, he said.

Moreover, blending corporate and operational technology networks has created a “nasty opportunity for bad things to occur,” Neumann said.

Comprehensive Long-Term Plan Needed

The administration needs to work with Congress to develop a comprehensive long-term plan that involves partnerships, Neumann said.

“The federal government itself is struggling to keep its systems secure as seen from the recent SolarWinds breaches and rush mitigations pushed down by the DHS,” Neumann said. “Everyone needs to be rowing the boat in the same direction to tackle this global problem of ransomware and cybercriminals.”

Monti Knode is director of customer and partner success at Horizon3.AI.

“Unless the federal government is appointing a new regulatory lead or new enforcement mechanisms, this regulation already exists, specifically for oil or gas refineries as defined within Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act,” he said. “Reporting is one aspect. And they may even be exempt from public disclosure. But what we need is clear guidance related to ransomware and extortion, and how much decision space private industry retains when they are considered covered critical infrastructure.”

John Bambenek is threat intelligence advisor at Netenrich.

“As we have seen, pipelines are critical infrastructure that can lead to real problems if they are disrupted,” he said. “Notification to the federal government of cyberattacks is less significant than whatever protective regulations they issue. But the facts are we have thousands of pages of policies, regulations and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents.”