Nearly two months after issuing its first directive aimed at shoring up the cybersecurity of the nation’s pipeline industry, the Transportation Security Administration on Tuesday issued another security directive, this time requiring owners and operators of pipelines to take specific measures to protect against cyber threats.
The Department of Homeland Security said its Cybersecurity and Infrastructure Security Agency has advised TSA on cyber threats to the pipeline industry and provided technical countermeasures to prevent those threats.
The second directive “requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
The mitigation measures are required to be completed within a certain time period, TSA said. The specific measures aren’t being publicly released as they are security sensitive.
The agency also said that the architecture design review will test the effectiveness of cybersecurity practices and that the development and implementation of a contingency and recovery plan “ensures prompt isolation of infected systems, prompt segregation of infected computers and other devices, and up-to-date backups of critical information systems.”
A TSA official in June telegraphed the latest security directive during a House hearing. Sonya Proctor, assistant administrator for surface operations at the agency, told a homeland security panel that the then forthcoming second directive would require more specific mitigation measures and have more specific requirements for assessments (Defense Daily, June 16).
“Through this security directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Homeland Security Secretary Alejandro Mayorkas said in a statement on Tuesday.
The first security directive was issued in late May following a ransomware attack by a Russia-based cybercrime group on East Coast pipeline operator Colonial Pipeline’s information technology systems. To prevent the attack from migrating to its operational control systems, Colonial Pipeline shut down its pipeline operations, resulting in widespread gasoline shortages in the Eastern U.S. and demonstrating the fragility of at least one industry critical to the everyday functioning of the nation.
The May directive contained four specific requirements for the pipeline industry, including requiring owners and operators to report potential and confirmed cybersecurity incidents to DHS, review current plans, assess and identify gaps and remediation measures, and designate a point person to be available around-the-clock to cybersecurity coordination efforts (Defense Daily, May 27). The directive is in effect for one year.