New cybersecurity requirements for US pipeline operators have been issued by government officials, in the wake of the Colonial Pipeline ransomware attack earlier this month.

The Department of Homeland Security (DHS) directed critical pipeline owners and operators to report any confirmed or suspected cyber-attacks to the Cybersecurity and Infrastructure Security Agency (CISA), as well as ensuring a designated cybersecurity coordinator is available “24 hours a day, seven days a week”.

Companies are also required to immediately review existing cybersecurity practices and report any gaps in their defences to CISA and the Transportation Security Administration (TSA) within 30 days.

The measures are intended to “better identify, protect against, and respond” to cyber threats faced by pipeline operators to avoid a repeat of the Colonial incident, in which the country’s largest refined products transportation system was taken offline for almost a week causing huge disruption to fuel supplies along the East Coast.

US secretary of homeland security Alejandro Mayorkas said: “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats.

“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Further mandatory measures for bolstering pipeline cybersecurity are also being considered by the TSA that would “strengthen the public-private partnership so critical to the cybersecurity of our homeland”.

 

Attack on US pipeline throws cybersecurity vulnerabilities under the spotlight

Georgia-based Colonial Pipeline, which operates a 5,500-mile network connecting Gulf Coast refineries to markets along the eastern US coastline right up to New Jersey, was targeted by a ransomware attack on May 7, linked to a hacking group known as DarkSide – which is believed to reside in Russia but is not affiliated with the Russian government.

Once locked out of its IT systems, the company was forced to shut down the entire pipeline system, which typically pumps 2.5 billion barrels per day and supplies around 45% of the fuel products used along the East Coast, including gasoline, diesel, jet fuel, home heating oil and fuel used by the US military.

It emerged in the days following the attack that Colonial executives had quickly authorised a $4.4m ransom payment to regain control if their IT network, although this did not prevent ongoing disruption that saw fuel stations across several US states run dry amid panic buying by worried customers.

The incident highlighted the vulnerability of large energy infrastructure systems to cyber threats, and the need for the operators of these critical networks to be ever more vigilante about their cybersecurity practices.

President Biden issued an executive order soon after the attack aimed at improving cyber resilience across the federal government and national infrastructure, although a White House briefing acknowledged that “federal action alone is not enough”.

“Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments,” the briefing stated.

“We encourage private sector companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimising future incidents.”