The Department of Homeland Security mandated additional cybersecurity measures this week for critical US pipelines, a move meant to protect against ransomware and other known threats months after a crippling cyberattack on one of America’s most important pipelines.
On Monday, the Transportation Security Administration, a component of DHS, issued its second “security directive” for designated critical pipelines that transport hazardous liquids and natural gas.
The announcement comes nearly two months after TSA issued its first pipeline directive in a rush to better secure the industry after the ransomware attack on Colonial Pipeline exposed vulnerabilities in the pipeline sector. That attack had caused a days-long shutdown of the pipeline in May, resulting in gas shortages, spiking prices and consumer panic.
“An attack like Colonial makes very clear that we simply cannot be that exposed – the grid, the supply of gasoline, the supply of food, the supply of water. Those things are so critical that the government is really pulling out all the stops,” said Padraic O’Reilly, pipeline and critical infrastructure cybersecurity risk adviser and co-founder at the cyber risk firm CyberSaint.
The latest directive will require pipeline companies to implement a number of “urgently needed” protections against cyber intrusions, including implementing a cybersecurity contingency and recovery plan and conducting a cybersecurity architecture design review, according to DHS.
“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Homeland Security Secretary Alejandro Mayorkas said in a statement.
TSA is responsible for transportation security, including hazardous material and pipeline security, and has guidelines in place for the industry. It has moved in recent months to mandate steps the industry must take to comply with the guidelines.
Its first directive focused largely on reporting requirements, such as designating a “24/7, always available” cybersecurity coordinator who can respond to incidents and coordinate with TSA and the department’s Cybersecurity and Infrastructure Security Agency. It also mandated that pipelines report cybersecurity incidents to the department within 12 hours.
The latest directive focuses on changes to IT and operational technology operations for the top 100 US pipelines, according to an industry source.
While there have been guidelines in place for pipelines, “this is the first time TSA has required mandatory changes,” the source said.
There were some initial concerns, based on a draft directive, about the timeline to complete the requirements, the source said, adding that owners and operators are still assessing the final directive that was shared with the industry Monday.
“In certain operating environments, before you make any type of change, you need to test it in a test environment, to make sure that it’s not going to have any unintended consequences,” the source said. “And so that takes time.”
Unlike the first directive, the latest is designated as “security sensitive information” and, as a result, its “distribution will be limited to those with a need to know,” according to a DHS official. It applies only to owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities that have been designated as critical by TSA, the official said, adding that those entities have been notified of their status.
Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales, speaking at a conference in Israel on Tuesday, called on government and private-sector leaders to collaborate internationally against the threat of ransomware and other cybersecurity challenges, saying that “cybersecurity can no longer be an afterthought.”
“Our adversaries are increasingly turning to cyberattacks to steal our secrets, disrupt our infrastructure, extort money from businesses, sow discord amongst our populations, or any other number of nefarious schemes,” he told an audience assembled at Tel Aviv University.
Wales encouraged cybersecurity practitioners to look to future threats.
“While over the past year I’m sure everyone can agree that it’s felt like we’ve just been putting out fires, today’s fires, we also know we need to address tomorrow’s risks, driving long-term change in a broader ecosystem,” he said.
Earlier this week, the United States and its foreign allies accused China of widespread malfeasance in cyberspace, including through a massive hack of Microsoft’s email system and other ransomware attacks.
In a coordinated announcement, the White House and governments in Europe and Asia identified China’s Ministry of State Security, the sprawling and secretive civilian intelligence agency, with using “criminal contract hackers” to conduct a range of destabilizing activities around the world for personal profit, including the Microsoft hack.
The administration also said China was behind a specific ransomware attack against a US target that a senior administration official said involved a “large ransom request” – and added that Chinese ransom demands have been in the “millions of dollars.”
On Tuesday, the Cybersecurity and Infrastructure Security Agency and the FBI released a joint cybersecurity advisory detailing a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors from December 2011 to 2013, targeting US oil and natural gas pipeline companies.
“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” according to the alert.
The federal government identified more than 20 US natural gas pipeline operators targeted during the two years.
This story has been updated with additional details.
CNN’s Brian Fung contributed to this report.