July 20—In the wake of the Colonial Pipeline attack, the US Department of Homeland Security has introduced new cyber security requirements for critical US pipeline and infrastructure groups. Officials aim for the requirements to help prevent ransomware and similar threats from infecting systems and inducing devastating real-world consequences.
Organizations that transport hazardous liquids and natural gas are expected to adhere to the new requirements. The requirements include instructions for developing cyber security contingency and recovery plans and for conducting cyber security architecture design reviews.
Department of Homeland Security Secretary Alejandro Mayorkas sees cyber security as a critical priority, especially among infrastructure groups.
Initial security directive
Earlier this year, federal officials issued an initial security directive for pipeline companies. Under this directive, pipeline organizations are expected to report cyber security incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of their occurrence.
Operators of critical pipelines were also instructed to assess their existing cyber security practices and report gaps to the TSA and CISA within a 30-day window. Mandates requiring a cyber security coordinator to be available 24/7 in case of an attack also went into effect.
Second security directive
For critical infrastructure groups, security defense measures are a must. Up until late May, US pipeline groups operated under voluntary cyber security guidelines. The new requirements highlight the realities surrounding cyber activities and cyber threats.
Disclosure of classified information
The Biden administration has just revealed that a foreign government compromised US pipeline operators roughly 10 years ago. Although the information is dated, the disclosure reinforces the salience of the Biden administration’s decision to issue a second infrastructure security directive.
Between 2011 and 2013, state-sponsored cyber criminals compromised more than 20 US pipeline companies. The extent of the intrusions and the data collected, exfiltrated, observed or sold remains unknown.