The new mitigation requirements come as the U.S. attributes a past effort to hack U.S. pipeline infrastructure to a Chinese state-sponsored group.
Fuel pipeline operators will have to institute measures to guard against ransomware attacks and other known cybersecurity threats under a new directive issued Tuesday by the Transportation Security Administration.
This is the second directive issued by TSA in the wake of the ransomware attack on Colonial Pipeline's business IT systems in May, which led to the suspension of pipeline operations for about a week.
The first directive, issued May 27, instituted mandatory reporting requirements covering "confirmed and potential" cybersecurity incidents at pipeline operators. The second directive, which was previewed in a congressional hearing in June, requires operators of pipelines designated by TSA as critical to implement mitigation measures against known threats to IT and operational technology systems and establish plans to recover from a cyberattack and review their current "cybersecurity architecture design."
At the June hearing, Sonya Proctor, the assistant administrator for surface operations at TSA, said that the directive would be a "security sensitive information" document and not released in full to the public and "will be rather prescriptive in terms of the mitigation measures required."
The stakes are high. While the Colonial ransomware attack turned out to be the work of a criminal hacker group , the FBI and the Cybersecurity and Infrastructure Security Agency released new details on July 20 of a spearphishing campaign conducted between 2011 and 2013 that targeted oil and natural gas pipeline companies, and attributed the attack to a group linked to the Chinese military. News reports at the time indicated that federal officials regarded China as the culprit in these intrusions.
The report states that "China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies," and that the campaign was "likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft."
The attribution of this campaign to China is a piece of a larger effort by the U.S. and N.A.T.O allies to publicize and potentially deter what the White House characterizes as China's "irresponsible and destabilizing behavior in cyberspace." This effort includes the attribution of a hack of Microsoft Exchange servers to Chinese state-sponsored actors.
A spokesperson for China's foreign ministry dismissed the White House and N.A.T.O. push as an effort to "smear and suppress China to serve political purposes."
TSA's own role in regulating cybersecurity of liquid fuel and natural gas pipelines, a task that may seem out of step with its primary function of conducting security screenings of air passengers, is taking on new urgency since the Colonial Pipeline hack and the overall threat environment.
Richard Glick, the chairman of the Federal Energy Regulatory Commission who had called for more mandatory regulation of pipeline cybersecurity after the Colonial Pipeline hack, applauded the move by TSA.
"I'm pleased to see today’s steps, including mandatory standards, by TSA to protect the safety of our nation's critical energy infrastructure," Glick said in an emailed statement to FCW.
Some in Congress have pushed for the TSA's role in pipeline cybersecurity to be taken over by CISA or by the Department of Energy. A bipartisan bill that recently passed by the House Energy and Commerce Committee calls on the Energy Department to lead in coordinating security and resiliency of pipeline industry assets. The bill tasks DOE with coordinating federal, state and local response to cyber incidents affecting the energy sector.
Karen Evans, who headed the Energy Department's Cybersecurity, Energy Security and Emergency Response office during the Trump administration and has served as DHS CIO, defended the current arrangement in a May 12 FCW article.
"It makes sense if you work it from the inside," Evans said. "There's a bunch of other things that come into play, not just cyber."