IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Are DHS Pipeline Breach Reporting Mandates Just the Beginning?

The Department of Homeland Security is mandating that pipeline companies report cyber breaches to federal authorities within 12 hours of an incident, and the list of organizations who must do the same will likely grow.

sign marking Colonial Pipeline Company oil pipes running through Doraville, GA residential neighborhood
Shutterstock/BrianElevates
After the Colonial Pipeline ransomware attacks, many critical infrastructure protection experts predicted that more oversight and help was coming soon.

On May 27, 2021, the U.S. Department of Homeland Security (DHS) announced a Security Directive that they hope will enable the department to better identify, protect against and respond to threats to critical companies in the pipeline sector.

Here’s an excerpt from the directive:

“The Security Directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a cybersecurity coordinator, to be available 24 hours a day, seven days a week. It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.”

Recent events involving the Colonial Pipeline, including gas lines in several states that resulted from the pipeline closure, prompted the Biden administration to act decisively. Coverage of the announcement was widespread:

TheHill.com: TSA formally directs pipeline companies to report cybersecurity incidents in wake of Colonial attack

“A DHS official told reporters Wednesday night that the directive applied to around 100 critical pipelines across the nation, and that financial penalties would be imposed, to ramp up on a daily basis, for companies that did not comply with the directive.

The official stressed that the directive represented 'step one' and would be 'followed by more' actions from the Biden administration in the future to secure pipelines against cyber threats.”

Politico: TSA orders pipeline companies to disclose breaches after Colonial hack

"The rule announced Thursday is the first-ever federal cybersecurity regulation for pipeline companies, which until now have faced only voluntary TSA guidance, including the suggestion that they report breaches. It comes as Congress is debating even more sweeping responses to this month’s disruptive Colonial Pipeline hack, such as proposals to mandate cyber incident reporting by all companies that operate critical infrastructure or provide key technology services.

In addition, some lawmakers of both parties have suggested stripping oversight of pipeline security from the TSA, an arm of the Department of Homeland Security whose main duties include preventing terrorist attacks on commercial airliners.”

ABC News:  Department of Homeland Security mandates pipeline companies report breaches within 12 hours

Officials stressed it was a balancing act between being transparent, but also not providing a playbook for potential attackers to use against other companies.

While it did not say if DHS will be issuing more directives for other companies, the department's hope is that the increase in ransomware attacks will put companies on high alert.”

Fox News: After Colonial attack, energy companies rush to secure cyber insurance

“To date, many companies have not bought cyber insurance because of high premiums and difficulties in quantifying the costs from incidents, according to a report from the Government Accountability Office, a federal watchdog, on Monday.

‘A lot of operators have not done the business impact assessments that banks and big retailers do to determine overall costs of being down for a certain period of time,’ said Dagostino.

Colonial had cyber insurance coverage of only about $15 million, according to one media report. Last year, the company had net income of $420 million on $1.3 billion of revenue, according to regulatory filings.”

OTHER PERSPECTIVES ON THE PIPELINE COMMUNITY DIRECTIVE


According to Edgard Capdevielle, CEO of Nozomi Networks and a critical infrastructure security specialist who works with nine of the top 20 global oil and gas companies:

“This new directive is a good start. Mandatory breach reporting and security gap assessments are important first steps to address security issues in the oil and gas sector. As seen with Colonial, the cost of downtime is prohibitive; many in this sector already engage in mature cybersecurity practices. However, the distributed nature of oil and gas operators — pipelines, rigs and refineries in remote locations — makes securing their physical infrastructure difficult. We know from our customers that no two operators are alike in terms of the exact processes and systems they’re using. These factors make it harder to establish one set of cybersecurity requirements that will work effectively for all.

The danger is that too much regulation will increase operating and consumer costs. While there's a place for security mandates, we need to be careful not to put all the burden on the victims. Tax incentives and government-funded centers of excellence will help ensure that critical infrastructure operators can build and maintain effective cybersecurity programs over time. TSA does not have the resources to achieve all of this – a public-private collaboration will be essential to achieve real results.”

When I posted this story on LinkedIn this week, the responses were all over the map.

Here were some of the comments from cyber industry leaders:

Mike Russo PMP, CISSP, CISA, CFE, CGEIT, Director, Information Security and Privacy - CISO/CPO - Retired at Florida State University: “This will be a tough one for companies. States have similar laws, and my experience tells me that companies for the most part tend to only report when someone spills the beans or when it's catastrophic. I hope the Feds actually define what cybersecurity incidents they want reported. They could end up with thousands a day to none at all. This could be very confusing to companies. Good luck.”

Dr. Chase Cunningham, Chief Strategy Officer (CSO) at Ericom Software: “Big deal ... this assumes they actually can identify that they are breached in the first place ... more proof the goofs in DC don’t understand how all this works and what will actually help.”

Heinrich Smit, Information Security Manager, Wells Fargo: “We really need to become serious about infrastructure protection. There is some renewed focus on NIST 800-82. We are discussing this at the Zero-Trust expert level. Good to see a little movement by the fed.”

THE BIG QUESTION: WHERE NEXT?


Regardless of your political viewpoint, as we ponder these actions regarding mandatory reporting and pipeline cybersecurity, we should not be surprised. There is simply too much at stake for the Biden administration to do nothing regarding reporting mandates and ensuring that other companies do more regarding their own cyber defenses.

Indeed, similar actions have been discussed (mostly behind closed doors) for more than a decade in many critical infrastructure sectors. I remember talking about these same topics back as early as 2003 after the northeast blackout, when I was Michigan’s CISO. We held the first Critical Infrastructure Protection Conference with DHS and many other federal and state officials in 2005, and looked at numerous critical infrastructure protection options over that entire decade. Some of this was related to cybersecurity, but other items focused more on physical security.

In my personal opinion, this pipeline reporting directive is just the beginning of mandated reporting and other actions. Also, future requirements will not be limited to pipeline (or even energy/transportation) companies; rather, all critical infrastructure protection owners and operators should be aware that your turn may be coming.

How soon? Hard to say, but this pipeline directive will serve as a good case study for many other sectors.

Answering the “whys” would require a whole book, or at least numerous blogs. But needless to say, the next ransomware or other attack could hit the electricity grid, air traffic control systems, banking and much, much more. Why stop at pipelines?

Sure, we need a priority list. Not every target or critical infrastructure is a national security or economic imperative. Indeed, DHS already has these lists and they know what the top priorities are. More than that, they know what critical infrastructures are most vulnerable to cyber attacks. Many of these company facilities have been hardened against physical attacks, but, as we just learned with the Colonial Pipeline, they remain vulnerable to other forms of cyber attacks like ransomware.

I will not elaborate on this further to protect the weaker companies from undue attention, but I fully expect that this announcement regarding mandatory reporting of data breaches is just the tip of the iceberg. Get ready for required data breach reporting, more cybersecurity protections, better coordination, readiness for incident response to cyber attacks and much more for at least the owners and operators of the top-priority critical infrastructure companies.

FINAL THOUGHTS


I know many of my readers will balk at this blog and oppose “government overreach” and worse. And yet so many have cried for more help against nation-state cyber attacks. They say, “How can we compete with Russia or China? Please help.”

Capdevielle’s comments are correct regarding resources and costs, and I am sympathetic to his viewpoint. But I still believe that this will be seen as a turning point to a growing trend.

The coming directives over the next few months and years may be gradual, or they may be more sudden, depending on how events and incidents unfold online. But pay close attention to this pipeline directive.

One question: Who is next?

It is also hard to say if this reporting could be mandatory for state and local governments or education, since these organizations generally have voluntary reporting now via the Multi-State Information Sharing and Analysis Center (MS-ISACs), and there are state and federal legal issues to resolve. But could mandatory reporting be tied to federal grants? Perhaps down the road.

For those looking for more resources, visit: https://us-cert.cisa.gov/resources

Nevertheless, I believe more directives are coming — so start planning for it now. Even if I’m wrong, you’ll benefit by being more prepared for the coming wave of future cyber attacks on critical infrastructure owners and operators.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.