New cybersecurity rules have been introduced for critical pipeline owners and operators in the US in response to an “ongoing threat” to fuel networks.
It is the second directive issued by the US Department of Homeland Security (DHS) since the ransomware attack on Colonial Pipeline in May, which caused widespread disruption to fuel supplies in the east of the country.
Pipeline owners and operators will now be required to implement specific mitigation measures against cyber-attacks, including the development and implementation of contingency and recovery plans in the event of a breach, as well as conducting a cybersecurity architecture design review.
New US pipeline cybersecurity rules deliver ‘urgently needed protections’ against fast-evolving threats
At the end of May following the Colonial incident, the DHS instructed companies responsible for fuel pipelines to immediately report any confirmed or suspected cyber-attacks to the Cybersecurity and Infrastructure Security Agency (CISA), as well as ensure a designated cybersecurity coordinator is available “24 hours a day, seven days a week”.
Companies were also required to immediately review existing cybersecurity practices and report any gaps in their defences to CISA and the Transportation Security Administration (TSA) within 30 days.
The latest set of rules introduce “urgently needed protections against cyber intrusions”, according to the security agency.
“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” said secretary of homeland security Alejandro Mayorkas.
“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security.
“Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”
Colonial Pipeline shut-down raised questions over cyber-resilience of critical national infrastructure
On 7 May, Georgia-based Colonial Pipeline was targeted by a ransomware attack from a hacking group identified by the FBI as DarkSide.
The company – which transports 2.5 billion barrels of fuel each day across its 5,500-mile network stretching from Gulf Coast refineries up to New Jersey – was locked out of its IT systems and asked to pay a ransom in return for access.
In response, Colonial shut down its entire pipeline system – and despite paying the $4.4m ransom soon after the attack, it took several days for full operations to be restored.
It caused huge disruption across several US states as the pipeline, which supplies around 45% of the gasoline, diesel, jet fuel, and home heating oil used in the country, was suddenly unable to make deliveries.
A major federal response was launched, and law enforcement agencies even succeeded in recovering around half the ransom payment.
The incident, along with other high-profile cyber-attacks in recent months, highlighted the dangers faced by critical infrastructure operators and raised questions over cyber-resilience across the energy sector.
Colonial Pipeline’s CEO Joseph Blount was summoned to testify before a congressional committee in the days after the shut-down and publicly answer questions about his company’s preparedness for a cyber-attack and its response to the intrusion.
“The attack forced us to make difficult decisions in real time that no company ever wants to face,” Blount told the Senate Homeland Security Committee. “We are deeply sorry for the impact that this attack had.
“We had cyber defences in place, but the unfortunate reality is that those defences were compromised.”