The Department of Homeland Security has issued a cybersecurity directive that requires the operators of oil and gas pipelines to report ransomware attacks and other security incidents to the government. The new cybersecurity mandates, which will replace some voluntary guidelines that had been in place for a decade, were announced Thursday in the wake of a 07 May 2021 ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline serving the East Coast, triggering fuel shortages in several states.
The security directive, which will be enforced by the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency, requires companies that own or operate oil and gas pipelines to report any security incidents, as well as potential threats, to DHS. It also requires the firms to have a dedicated "cybersecurity coordinator" available around the clock.
The directive also requires pipeline owners and operators to review their cybersecurity practices, identify any gaps and required risk remediation measures, and report the results to TSA and CISA within 30 days.
TSA says it is considering releasing several other directives for oil and gas pipeline operators. "The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security," says Homeland Security Secretary Alejandro Mayorkas. "DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure."
The security directive comes as the pipeline industry is facing increasing scrutiny. The directive does away with many of the voluntary cybersecurity reporting guidelines TSA put in place in 2010. The Wall Street Journal recently reported that Colonial Pipeline did not undergo a review of its security practices in 2020 as requested by TSA.
Since 2018, the U.S. Government Accountability Office has accused TSA of lax oversight of the nation's interstate pipeline systems. TSA took on responsibility for the physical security of pipelines following the terrorist attacks on Sept. 11, 2001.
Bernie Cowens, the former CISO of Pacific Gas & Electric, said in a recent interview that the U.S. was not well-prepared to handle the type of attack that disrupted the Colonial Pipeline. The Colonial Pipeline attack "simply underscores the fact that in many areas we're simply underprepared," Cowens said. "We don't seem to be aware of the situation - at least not at the level that we need to be - and we don't seem to be taking the actions that we need … especially in critical infrastructure."
Joseph Neumann, a cyber executive adviser, suggests that DHS and TSA should further expand security requirements for pipeline operators. For example, he says the companies should provide metrics to help determine the risks they're facing. He would also like to see Congress make the DHS security directive's requirements permanent by codifying them into law.
DHS's new requirements are being implemented as a result of an executive order, so they're not truly permanent and have "little to no teeth" for enforcement, he says. "This is nowhere near enough and is completely reactionary to make it look like the administration is actually trying to solve the problem," he adds.
Neumann recommends that DHS and the Biden administration issue additional directives that would put new cybersecurity rules in place for operational technology and industrial control systems, requiring system developers to bake security into the designs. "ICS systems are not built with security in mind and have never been," Neumann says. "OT systems need to be treated the same way as IT and maintained as such. Vendors providing these technologies need to be held to the same standards and not ride the assumptions of network segmentation."
Lawmakers are expected to ask Colonial Pipeline CEO Joseph Blount about why the firm paid a $4.4 million ransom to the DarkSide criminal gang to obtain a decryptor, which ultimately proved to be faulty. The DarkSide gang announced on May 13 that it was shutting down its ransomware-as-a-service operation.
Several bills have recently been introduced in Congress to address a range of security issues in the nation's critical infrastructure.
Bryan Orme, principal and partner at cybersecurity firm GuidePoint Security, says that while incident reporting rules and mandatory guidelines will not necessarily lead to better security, the emphasis on cybersecurity should at least bring more attention to the issue. "Although compliance with a regulation does not necessarily achieve a strong security posture, it at least raises the bar to a minimum acceptable threshold for security," Orme says. "Stronger regulatory requirements and enforcement for these organizations that provide critical services to U.S. citizens should ensure that these entities achieve and maintain an acceptable level of cybersecurity controls."
On 13 May 2021, Red Sky Alliance searched our proprietary data for indicators associated with Colonial Pipeline. Our data showed 401 ‘hits’; the notable categories are broken down below:
Breach Data: In the recent COMB breach alone, there were 227 hits for Colonial Pipeline employee user credentials.
Pastebin: We have 1 Pastebin hit for an employee at Colonial Pipeline from 2019. The Pastebin post consists of a username and password. This user is also listed in the COMB breach data. It takes only one exposed credential to enable an attack.
Botnet_Tracker: We have one hit from November 2019 indicating an IP address on Colonial Pipeline’s network communicating with the Anubis Sinkhole. This typically indicates that the device is infected with malware. Because sinkhole telemetry records the source IP rather than the host, an address behind NAT could represent any machine on that network; the hit shows that a device was beaconing, not which one.
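To make the three categories above concrete, here is an added example (written for this edit, not Red Sky Alliance's code and not how RedXray works) of how an operator could run the same kind of check against its own egress telemetry and a breach dump. The sinkhole ranges, the organisation mail domain, the telemetry lines, the dump rows and the simple space-separated log format are all constructed assumptions; a real feed and real sensors would supply their own.

```python
"""Correlate egress telemetry and breach-dump rows into the hit categories the
report lists (Breach Data, Pastebin, Botnet_Tracker). Added example; every
indicator, log line and dump row below is constructed for illustration."""
import ipaddress
import re

ORG_DOMAIN = "example-pipeline.test"   # assumed organisation mail domain

# Constructed sinkhole indicators (hypothetical; a real feed would supply these).
SINKHOLE_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]
SINKHOLE_DOMAINS = ["sinkhole.example.net"]

# Constructed egress telemetry, assumed format:
#   "<ts> flow <src> <dst> <dport>"  and  "<ts> dns <client> <qname> <answer>"
TELEMETRY = """\
2019-11-04T08:12:01Z flow 203.0.113.7 198.51.100.45 443
2019-11-04T08:12:05Z flow 203.0.113.7 93.184.216.34 443
2019-11-04T09:00:00Z dns 10.20.30.40 update.badcdn.example.com 198.51.100.45
2019-11-04T09:00:02Z dns 10.20.30.41 www.example.com 93.184.216.34
"""

# Constructed breach-dump rows in the common "email:password" layout, plus a
# Pastebin-style post. Passwords are placeholders.
BREACH_ROWS = """\
alice@example-pipeline.test:Winter2019!
bob@example-pipeline.test:hunter2
alice@example-pipeline.test:Winter2019!
carol@unrelated.test:letmein
"""
PASTEBIN_ROWS = "bob@example-pipeline.test:hunter2\n"


def in_sinkhole(ip_text):
    """True when the address falls inside a known sinkhole range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in SINKHOLE_CIDRS)


def botnet_hits(telemetry):
    """Return (timestamp, source, indicator) for each record touching a sinkhole.

    Caveat: the source is whatever address the sensor saw. Behind NAT that is the
    egress address, so a hit proves some host was beaconing, not which one.
    """
    hits = []
    for line in telemetry.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, kind, src = parts[0], parts[1], parts[2]
        if kind == "flow" and in_sinkhole(parts[3]):
            hits.append((ts, src, parts[3]))
        elif kind == "dns":
            qname, answer = parts[3], parts[4]
            named = any(qname == d or qname.endswith("." + d) for d in SINKHOLE_DOMAINS)
            if named or in_sinkhole(answer):
                hits.append((ts, src, qname))
    return hits


def credential_hits(rows, org_domain):
    """Distinct (username, password) pairs whose mail domain matches the organisation.

    The same leak is often reposted across dumps, so duplicate rows count once.
    """
    seen = set()
    for line in rows.splitlines():
        m = re.match(r"^([^:@\s]+)@([^:\s]+):(.*)$", line)
        if not m:
            continue
        user, domain, pw = m.groups()
        if domain.lower() == org_domain.lower():
            seen.add((user.lower(), pw))
    return sorted(seen)


def overlap(breach, pastebin):
    """Users present in both sources, the cross-reference noted for the Pastebin hit."""
    return sorted({u for u, _ in breach} & {u for u, _ in pastebin})


def summarise():
    breach = credential_hits(BREACH_ROWS, ORG_DOMAIN)
    paste = credential_hits(PASTEBIN_ROWS, ORG_DOMAIN)
    botnet = botnet_hits(TELEMETRY)
    return {
        "Breach Data": len(breach),
        "Pastebin": len(paste),
        "Botnet_Tracker": len(botnet),
        "Pastebin users also in breach data": overlap(breach, paste),
        "total": len(breach) + len(paste) + len(botnet),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

The DNS branch matters in practice: a sinkholed domain still resolves, and the resolution to a sinkhole address is often the only trace when the subsequent connection is blocked at the perimeter. The two flow and DNS records pointing at 198.51.100.45 above would be one infected host in reality, so treat counts as leads for host-level triage rather than as a tally of compromised machines.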
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
To protect your own supply chain, consider subscribing to RedXray, Red Sky Alliance’s cyber threat notification service. Details can be found at: https://www.wapacklabs.com/redxray.
Red Sky Alliance is in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941