The Government’s Swift Response To Pipeline Cyberattack: Executive Order And TSA Security Directive – Energy and Natural Resources

On May 7, 2021, the criminal group DarkSide hit Colonial Pipeline with a
ransomware attack that forced the company to shut down the largest
refined-products pipeline in the U.S., highlighting the vulnerability of
the U.S. energy sector to cyberattacks.  The ransomware reached
Colonial’s business IT systems rather than the pipeline’s control
systems directly, but the company halted pipeline operations as a
precaution while it assessed the intrusion; the FBI publicly attributed
the attack to DarkSide on May 10.  The shutdown led to panic buying
among consumers in the Southeast, resulting in fuel shortages across
several states.  According to media reports, Colonial Pipeline paid
DarkSide a ransom of roughly $4.4 million (paid in bitcoin) to obtain a
decryption tool, which reportedly proved so slow that the company
restored much of its environment from its own backups.

DarkSide and similar groups have developed tactics that leave victims
with little leverage, making negotiation nearly impossible.  Chief
among them is “double extortion”: before detonating the ransomware
that encrypts systems, the attackers first exfiltrate sensitive and
confidential data from the victim’s network.  If the victim refuses to
pay for the decryption keys, for example because it can restore from
backups, the attackers threaten to publish the stolen data instead.
A second tactic is to steal the victim’s financial records and revenue
information and use them both to calibrate the ransom demand and as
proof that the company can afford the amount demanded.  The practical
consequence for defenders is that good backups are no longer a complete
answer to ransomware; the exfiltration has to be prevented or detected
before the encryption stage.

During the COVID-19 pandemic, attackers have used these tactics to take
down numerous businesses, hospitals, schools, and government agencies.
Companies have been particularly exposed during this period, as normal
security perimeters have been stretched by large numbers of employees
working remotely.  As we have previously blogged about, the energy
sector, and gas assets in particular, remains vulnerable because of the
lack of mandatory cybersecurity regulation (unlike the bulk electric
system, which is subject to the mandatory NERC Critical Infrastructure
Protection standards), outdated infrastructure, and the sheer size of
the systems involved.

In the wake of the attack on Colonial Pipeline, the federal government
has taken several steps to begin addressing vulnerabilities in the
country’s cybersecurity infrastructure.  On May 12, 2021, President
Biden signed Executive Order 14028, Improving the Nation’s
Cybersecurity (the “Order”).  A few weeks later, on May 27, 2021, the
Transportation Security Administration (“TSA”) released Security
Directive Pipeline-2021-01 (the “Directive”), which directly addresses
cybersecurity of

The Executive Order

While the Order came right on the heels of the Colonial Pipeline
cyberattack, it had been in the works for months, largely prompted by
the SolarWinds software supply chain compromise, and does not directly
address the type of ransomware attack that hit Colonial.
 The stated goal of the Order is to improve the federal
government’s efforts in identifying, protecting against, and
responding to threats to cybersecurity and privacy.  The Order
indicates that this will involve collaborating with the private
sector and making bold and significant investments to protect
American infrastructure and institutions.  Importantly, the
Executive Order:

  • removes barriers to information sharing related to cyber
    threats. Information Technology (“IT”) and Operational
    Technology (“OT”) service providers have unique access to
    and insight into cyber threats, but their contract terms often
    prevent them from sharing information about those threats with the
    executive departments and agencies that oversee cybersecurity and
    investigate cyber threats, including the Cybersecurity and
    Infrastructure Security Agency (“CISA”),
    the FBI, and other agencies;

  • eliminates contractual barriers and requires the service
    providers to report cyber incidents to agencies to promote
    information sharing and improve the effectiveness of oversight by
    these agencies;

  • includes steps to modernize the federal government’s
    cybersecurity by requiring agencies to adopt a zero trust
    architecture, accelerate their move to secure cloud services, and
    deploy multifactor authentication and encryption of data at rest
    and in transit;

  • provides that the Director of the Office of Management and
    Budget, the Director of CISA, and the General Services
    Administration acting through the Federal Risk and Authorization
    Management Program (“FedRAMP”) will collaborate to develop a
    federal cloud-security strategy and provide guidance to agencies on
    the use of cloud-based services going forward;

  • establishes a plan to enhance software supply chain security
    whereby the Secretary of Commerce, acting through the National
    Institute of Standards and Technology (“NIST”), will work with the
    federal government, private sector, and academia to identify and
    develop standards, tools, and best practices for securing the
    software supply chain, including criteria for secure development
    environments, and to ensure that certain data from software
    vendors, notably a Software Bill of Materials (“SBOM”) listing the
    components that make up each product, is available for review by
    the government;

  • authorizes the Secretary of Homeland Security, in consultation
    with the U.S. Attorney General, to establish the Cyber Safety
    Review Board (“Board”) comprised of public- and
    private-sector officials, including representatives from the
    Department of Defense, the Department of Justice, CISA, the
    National Security Agency, and the FBI;

  • creates a standard playbook for responding to cyber incidents
    and attacks to standardize response procedures across the federal
    government and to ensure a more coordinated, streamlined, and
    transparent response to cyber incidents and attacks;

  • improves detection of cybersecurity incidents on federal
    government networks by deploying a government-wide endpoint
    detection and response (“EDR”) capability, improving information
    sharing, and maximizing early detection of intrusions; and

  • improves investigative and remediation capabilities by requiring
    agencies to collect and retain network and system logs so that
    intrusions can be detected, investigated, and remediated more
    efficiently; the Secretary of Homeland Security, acting through
    CISA, is to recommend the specific logging requirements, including
    which log types to keep, how long to retain them, and how to
    protect their integrity.

TSA Security Directive

A small staff within TSA oversees the security of millions of
miles of U.S. gas and oil pipelines.  TSA’s oversight
covers both the physical and the cyber security of pipelines.
Historically, TSA focused primarily on physical security, although it
first released voluntary pipeline security guidelines in 2002 and most
recently updated them in 2018 (the “TSA Guidelines”).  In light of the
Colonial Pipeline attack, however, TSA has shifted its focus toward
cybersecurity.
 On May 27, 2021, TSA released the Directive, which requires
three specific actions from pipelines to enhance cyber

TSA’s Directive:

  • requires pipeline owners and operators to report cybersecurity
    incidents to CISA, which shares them with TSA, “as soon as
    practicable,” but no later than 12 hours after an incident is
    identified; reportable incidents include the discovery of malicious
    software on IT or OT systems, unauthorized access to those systems,
    denial-of-service activity, physical attacks against network
    infrastructure, and any other event that disrupts IT or OT
    operations;

  • requires pipeline owners and operators to designate a primary and
    at least one alternate Cybersecurity Coordinator and to provide
    their contact information to TSA within seven days of the
    Directive’s effective date; the Coordinator serves as the primary
    contact for cyber-related intelligence and activities with TSA and
    CISA, must be a U.S. citizen, and must be accessible to both
    agencies twenty-four hours a day, seven days a week; and

  • requires pipeline owners and operators to review their current
    cybersecurity practices against Section 7 of the voluntary TSA
    Guidelines, identify security gaps and remediation measures, and
    report the results of that assessment to TSA and CISA within 30
    days.

In the coming weeks, TSA anticipates releasing additional, more
robust mandatory rules, including specific measures to safeguard
assets and required actions in the event of an attack.  Violations of
these rules will likely carry civil penalties.

Impacts of These Regulatory Changes

While the Executive Order contains many standards and requirements,
its direct reach is actually quite narrow: it binds only the federal
government and the contractors and suppliers that sell to it.  Because
the vast majority of energy infrastructure within the U.S. is owned and
operated by the private sector, those companies are not directly
subject to its requirements.  The Order’s indirect reach is broader,
however, since any software vendor that sells to the government will
have to meet the new supply chain requirements, such as furnishing an
SBOM, and NIST guidance written for federal systems tends to become the
benchmark that private-sector customers and insurers expect as well.

Unlike the Order, the TSA Directive directly addresses cybersecurity
vulnerabilities within the energy sector.  The Directive and the
upcoming mandatory rules mark a substantial shift in TSA’s
relationship with the pipeline industry, which in the past was defined
by voluntary participation and cooperation rather than mandated rules.
Many industry actors are wary of the change and would prefer a more
conservative, cautious approach to developing regulations, citing
concerns about overlapping and conflicting requirements coming from
TSA and the Department of Energy.  The Biden Administration, as well as
many in Congress, have nevertheless signaled a strong preference for the
swift implementation of stricter, mandatory regulations to protect
infrastructure.  The Chair of the Federal Energy Regulatory
Commission (“FERC”) also supports holding gas assets to
the same standards as electric grid

While the government and the gas industry debate the best approach to
oversight and regulation, there is one clear problem with the upcoming
TSA rules: enforcement.  In 2019, TSA had only five staff handling
pipeline security, yet the U.S. has over 2.7 million miles of pipeline
and more than 3,000 companies operating in the industry.  The
Department of Homeland Security (“DHS”), which houses both TSA and
CISA, has indicated that it intends to hire at both agencies to ensure
adequate staffing to enforce these regulatory changes.  While there may
be some bumps in the road as the new rules are implemented and dozens
of new DHS staff are on-boarded to oversee them, the Directive is a
critical first step toward a more comprehensive regulatory scheme.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
