Follow-up to similar recent directive prescribes contingency and recovery plan, architecture design review
Following the recent hack of Colonial Pipeline, the US Department of Homeland Security (DHS) has issued a new security directive requiring critical pipelines to implement tighter security controls.
The directive applies to pipelines transporting hazardous liquids and natural gas that have been designated as ‘critical’ by the Transportation Security Administration (TSA).
It requires them to implement specific measures to protect against ransomware attacks and other known threats to IT and operational technology systems; develop and implement a cybersecurity contingency and recovery plan; and conduct a cybersecurity architecture design review.
“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” said secretary of homeland security Alejandro Mayorkas.
Unlike a previous security directive issued in May – which instructed operators to report security incidents to CISA, review their security posture, and address weaknesses found – the details of this one are designated as security sensitive, and will only be distributed to those with a ‘need to know’.
Security hygiene practices
Michael Fabian, principal security consultant with the Synopsys Software Integrity Group, says that standard OT/IT security controls should include asset inventories, secure configurations, network segmentation, incident response and disaster response planning, technical solutions around backup and recovery, and network and host protection technology.
Colonial Pipeline was crippled by a cyber-attack in May 2021
“Security hygiene practices around incident response and disaster response are key when it comes to ransomware attack potential in terms of business continuity and damage control,” he said.
“If a system is impacted by an attack, with a strategy in place, organisations are better positioned to minimise the effects of finding themselves helpless to the demands of the ransomware attackers.”
However, Roger Grimes, data-driven defense evangelist at security firm KnowBe4, is sceptical about the effectiveness of the new directive.
“Adding another requirement on top of all the other requirements and regulations over the top of what they already know they should be doing is likely not going to result in being significantly more resilient to cyber attacks,” he said.
“It cannot hurt – but it is not likely to be the final nail in the coffin that defeats all malicious hackers and malware.”
The US Cybersecurity and Infrastructure Security Agency (CISA), which helped draft the latest DHS directive, has also issued an alert flagging a spear phishing campaign directed by state-sponsored Chinese actors that compromised at least 13 gas pipeline operators between December 2011 and 2013.
The impact of those attacks was dwarfed in May of this year by the ransomware attack against the Colonial Pipeline Company, which paid a ransom of $4.3 million in bitcoin in order to restore gas supplies.