An updated pipeline security directive is underway, reflecting TSA struggles

In the immediate aftermath of the devastating ransomware attack on Colonial Pipeline, the U.S. Transportation Safety Administration (TSA) issued in May 2021 a hastily prepared security directive that required oil and gas pipeline companies to report every security incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 12 hours after they identify it. Companies that fail to meet this and other security requirements in the directive are reported to be subject to fines starting at $7,000 per day.

Although most experts considered the move a step in the right direction, pipeline companies and their lobbying arms, including the American Petroleum Institute, cried foul, saying that the federal government did not collaborate well enough with the private sector in crafting regulations for this complex segment of the industrial control community. A more detailed follow-up to the initial directive was announced on July 21, 2021, but was not released publicly.

This second directive reportedly contained mandates regarding password updates, disabling Microsoft macros, and additional security measures including multi-factor authentication (MFA) and password changes on programmable logic controllers (PLCs). Moreover, it offered pipeline owners and operators the option to suggest alternatives to these measures.

Now TSA, an arm of the Department of Homeland Security (DHS), is reportedly prepared to “loosen” some of the requirements in the second directive, particularly the 12-hour incident reporting requirement, which was apparently expanded to 24 hours on May 29. In addition, an update to the second directive is reportedly scheduled for no later than July 26.

A TSA spokesperson said that the new directive is a movement toward a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.” One of the criticisms of the directives is that TSA would not have enough industrial security experts to oversee its emerging pipeline regulations. TSA claims it has hired more than 20 specialists dedicated to pipeline security.

TSA security regulations are “a mess”

It’s unclear what will be in the second directive, but TSA appears to be struggling with its effort to craft security regulations for the pipeline sector. “TSA is totally overwhelmed,” Padraic O’Reilly, chief product officer and co-founder of CyberSaint, tells CSO. “It’s a bit of a mess, and I don’t think that was intentional at all. I think the trip-up thing has been around the standard stuff, like reporting.”

Copyright © 2022 IDG Communications, Inc.
