WASHINGTON (CN) — The U.S. Department of Homeland Security issued a second directive Tuesday aimed at boosting the cybersecurity of the nation’s natural gas pipeline network.
The new rules come in the wake of a cyberattack on the Colonial Pipeline network in May that devastated the nation’s energy supply. The attack is believed to have been carried out by DarkSide, an Eastern European hacking group which coordinates attacks from Russia.
Colonial confirmed in late May that it paid a $4.4 million ransom to get the nation's largest fuel pipeline back online, but the break in service crippled parts of the country as consumers panicked and gas flows to local stations slowed to a trickle, especially in the South.
“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Homeland Security Secretary Alejandro N. Mayorkas said in a statement announcing the new directives.
While DHS did not disclose specifics for national security reasons, the new directives include requiring pipeline owners and operators of agency-designated critical pipelines to implement “specific mitigation measures” to ward off ransomware attacks like the one used against Colonial.
The new rules, authorized under the Transportation Security Administration, which has overseen pipeline security since 2002, also require pipeline companies to “develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Mayorkas added, saying such public-private partnerships are critical to ensure the security of the nation’s energy network.
The new requirements add to an initial directive issued shortly after the Colonial attack which requires pipeline companies to conduct a cybersecurity assessment, report confirmed and potential attacks, and designate an always-available cybersecurity coordinator.
The second directive also follows a June Senate hearing in which Colonial CEO Joseph Blount faced tough questions from regulators. The hearing repeatedly turned to questions about who authorized the ransom payment, despite the Department of Justice’s successful recovery of about half the funds.
Senator Rob Portman, an Ohio Republican, asked Blount when the money was officially sent to hackers. Blount responded that the payment was made the day after the cyberattack, but he said he was unclear on what the federal government's advice on the matter was, saying he wasn't personally in contact with FBI agents.
“So, their official position is you shouldn’t pay ransoms and yet they didn’t communicate that to you as far as you know?” Portman asked.
“I was not in that conversation, I can’t confirm or deny that,” Blount said. “But I do agree that their position is they don’t encourage the payment of ransom. It is a company decision to make,” adding he thought handing over the ransom was in the best interest of the country because of its reliance on Colonial's pipeline system.
Suzanne Lemieux, manager of operations security and emergency response for the American Petroleum Institute, said in an emailed statement Tuesday that the industry is supportive of the effort to boost pipeline security, emphasizing the need to strengthen the “capability and maturity of our nation’s critical infrastructure.”
“[We] look forward to working with DHS to ensure operational continuity as they move toward implementation of this directive,” she added.
Still, some experts outside the industry remain skeptical about regulating the security of pipeline companies.
Howard Goldberg and Marissa Morte with the Boston-based law firm of Manning Gross + Massenburg wrote earlier this week in The Legal Intelligencer that other parts of the energy sector are more clearly regulated and have long had security - and cybersecurity - mandates, but argued the TSA directive for pipeline companies could leave room for regulatory error.
“Regulators and legislators alike have questioned whether the TSA has the necessary expertise to regulate the millions of miles of oil and gas pipeline in the United States,” the lawyers wrote, arguing the agency's pipeline security team is understaffed with as few as one security staffer to regulate and assist more than 3,000 pipeline companies, according to a 2014 assessment,
But they also praised the efforts from President Joe Biden and Congress, including the May directive which stressed cooperation between the private sector and public agencies.
“Business buy-in is crucial to the success of these security efforts,” Goldberg and Morte wrote, suggesting more action from Congress could help clarify agency responsibility going forward. “As DHS imposes new cybersecurity regulations on utility companies, it is reasonable to speculate whether those new guidelines will also affect the electric grid.”
“The federal government must take care not to impose conflicting regulations that could result in overly restrictive and burdensome demands on the private sector,” they added.
Follow @@BradKutner
Subscribe to Closing Arguments
Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.
Additional Reads
-
-
Head of Vietnam’s parliament resigns amid corruption probe April 26, 2024