TSA orders pipeline companies to disclose breaches after Colonial hack

By Eric Geller
Posted by 
POLITICO
Traffic on I-95 passes oil storage tanks owned by the Colonial Pipeline Company in Linden, N.J. | Mark Lennihan/AP Photo

Updated: 05/27/2021 12:13 PM EDT

Companies that operate pipelines must alert the government whenever they suffer cyberattacks, the Transportation Security Administration ordered Thursday, in the Biden administration’s first effort to harden U.S. critical infrastructure after hackers disrupted the East Coast’s gasoline supply three weeks ago.

Pipeline operators also must preemptively assess their cybersecurity postures for weaknesses that could open the door to hackers, according to the new TSA directive.

The rule announced Thursday is the first-ever federal cybersecurity regulation for pipeline companies, which until now have faced only voluntary TSA guidance, including the suggestion that they report breaches. It comes as Congress is debating even more sweeping responses to this month’s disruptive Colonial Pipeline hack, such as proposals to mandate cyber incident reporting by all companies that operate critical infrastructure or provide key technology services.

In addition, some lawmakers of both parties have suggested stripping oversight of pipeline security from the TSA, an arm of the Department of Homeland Security whose main duties include preventing terrorist attacks on commercial airliners.

The cyberattack on Colonial, first disclosed May 7, prompted the Georgia-based company to shut down the 5,500-mile-long pipeline that supplies much of the East Coast’s gasoline, diesel and jet fuel, leading to hoarding and widespread fuel shortages.

“The Colonial Pipeline ransomware attack was a powerful reminder … of why we need to take this action,” a senior DHS official told reporters during a Wednesday briefing.

Under the new rule, pipeline operators have 12 hours to report cyber incidents to DHS’ Cybersecurity and Infrastructure Security Agency, which is partnering with TSA on pipeline security. These reports must describe the incident's projected impact, technical details associated with the intrusion and all current and planned responses. Within 30 days, companies must also assess how their cybersecurity practices line up with existing TSA guidance and develop plans to fix any gaps.



TSA will be able to impose daily penalties on companies that do not comply.

Within seven days, operators must also designate primary and alternate cyber employees to maintain 24/7 communication with TSA and CISA.

TSA plans to issue a second pipeline cyber directive with more significant requirements in the coming weeks, The Washington Post has reported.

“This is step one in the immediate wake of the Colonial Pipeline incident, to be followed by more,” a senior DHS official said.

The new incident-reporting requirement is meant to ensure that the government’s cyber defenders understand the nature and scope of digital attacks as they work to prevent further intrusions. Although Colonial alerted the FBI after discovering that it had been hit by an extortion attack known as ransomware, it did not provide technical data to CISA until several days later. The company also did not inform CISA that it had paid a multimillion-dollar ransom to regain access to its data.

The new directive does not explicitly require pipeline operators to report ransomware payments, although such payments could fall under the order's mandate to report any "responses" to the incident.

The Colonial hack exposed the shortcomings of the federal government’s current approach to defending critical infrastructure. Few of the 16 infrastructure sectors, which are managed by a cluster of different federal agencies, face mandatory cyber requirements.

In addition, several of the agencies responsible for overseeing infrastructure, including the TSA and the Environmental Protection Agency, have little experience with cybersecurity and devote few resources to digital threats. In 2018, TSA’s pipeline security arm only had six full-time employees, and the agency lacked a plan for ensuring that employees had the requisite cyber knowledge, according to a report from the Government Accountability Office.

TSA now has enough personnel to enforce the new rule, a senior DHS official said, and those staffers have received training from CISA and other government experts. “We are continuing to expand that group,” the official said.

Through an existing partnership, CISA and TSA have conducted security reviews of 23 pipeline facilities since October 2020 and plan to conduct another 29 reviews in the next four months, according to the official.



For years, federal cyber leaders and industry executives have emphasized cooperation rather than regulation as a means of safeguarding infrastructure from hackers. But many companies — including some that run the United States’ power plants, water treatment facilities and other vital infrastructure — either ignore cybersecurity or devote too few resources and attention to it, creating weak links that can metastasize into bigger problems.

Biden administration officials have also touted the value of public-private partnerships and voluntary information sharing, but the Colonial hack appears to have galvanized the administration to pursue a stricter approach to protecting a vital part of the country’s energy system.

“Even though we will have more structured oversight … we still look forward to a very collaborative relationship with the pipeline industry,” one senior DHS official said.

But, another added, one lesson from the Colonial hack is that “we need to adopt a more muscular approach.”

Frustration with the voluntary approach has mounted in Congress, too. A bipartisan group of lawmakers is drafting legislation to require critical infrastructure companies and major IT service providers to disclose hacks to the government.

TSA’s new rules are likely to spark intense pushback from the oil sector, which has opposed new regulations on its members even as evidence has mounted that voluntary standards are inadequate.

“Any regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation’s critical infrastructure,” Suzanne Lemieux, the American Petroleum Institute’s manager of operations security and emergency response, said in a statement after the rule’s release. In mid-May, Lemieux said regulation was “premature” without “a full understanding” of the Colonial hack.

While TSA steps up its oversight of pipelines, some policymakers are questioning whether it is even the right agency to do that work. On the Hill, leaders of the House Energy and Commerce Committee are pushing for the Energy Department to take over TSA’s pipeline portfolio. The chair of the House Homeland Security Committee, however, has argued that TSA has the necessary experience to retain its role.
