The U.S. Department of Homeland Security is preparing to issue new cybersecurity regulations on fuel and oil pipelines to prevent future cyberattacks like the one that crippled the Colonial Pipeline during May 2021.
With the specific incident, the Transportation Security Administration will issue a security directive requiring pipeline companies to report cyber incidents to federal authorities, following up in coming weeks with a robust set of mandatory rules pipeline companies and how they must safeguard systems against cyberattacks.
Looking at the ramifications of this for Digital Journal, is Mark Logan, CEO of LogRhythm.
According to Logan, assessing things from the North American perspective: “Cyberattacks continue to be a tremendous threat to our nation’s essential critical infrastructure like pipelines, electrical grids and water systems. While it is nice to see more attention to ensuring that the crucial component of our critical infrastructure is protected from further attacks, timely reporting of incidents to federal authorities is really a very small piece of the overall issue.”
Instead , more serious reform is required says Logan: “There needs to be overall accountability and responsibility for security in each of these critical infrastructure organizations. They need to implement the appropriate safeguards and security controls so they don’t maintain their positions as targets for an attacker, especially since they are so critical to our nation’s infrastructure.”
There are other things as well: “They should be governed and regulated in much the same way that the energy sector is governed and regulated. I fully expect to see much of the same components in the new regulations for the oil and pipeline industry that we see in the energy sector.”
The process needs to be gradual, says Logan: “Since most of these companies are starting at a low baseline for security (or even from scratch in some cases), the government will provide some leniency and time for these companies to reach an appropriate level of protection. They may even start with very simple things like establishing accountability for security, having an incident response plan, conducting third party assessments to determine level of exposure and risk, deploying basic controls and safeguards like endpoint and network protections, detections, and response technologies, and enforcing limited privileged access and multifactor authentication.”
He adds that: “The government will likely mandate security processes, procedures and testing as well. We’ll ultimately see a lot of NIST based controls being required since that is the basis for much of the government and regulated industries.”
Things need to happen quickly, encourages Logan, given the pace of attacks. He states: “Unfortunately, these attacks and threats are only growing. While the Colonial Pipeline is at the forefront of the latest attacks, other aspects of our critical infrastructure must also be protected through regulations from DHS. Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from threat detection, preventative controls, and response controls to quickly thwart and identify potential catastrophes. Lagging detection and alerts can result in a disaster if controls or data are obtained by domestic or foreign adversaries.”
