Editorial: When less is no longer more

Aug. 2, 2021

In the wake of the May 7, 2021, ransomware attack on Colonial Pipeline Co., much discussion has occurred both inside and outside the industry regarding what should be done. Some suggest more regulation is the only suitable answer. Others believe companies should continue to be left to address cybersecurity on their own, aligning efforts when they see fit but pursuing the matter unilaterally otherwise.

The Department of Homeland Security’s (DHS) Transportation Security Administration (TSA), formed in 2001, first published voluntary cybersecurity guidelines in 2011, revising them 7 years later. In the immediate aftermath of the attack on Colonial, however, TSA issued a security directive requiring owners and operators of pipelines designated as critical to report confirmed and potential cybersecurity incidents to DHS’s Cybersecurity and Infrastructure Security Agency (CISA), designate a cybersecurity coordinator to be available 24 hours a day, 7 days a week, review current practices, and identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.

The agency had not previously issued cybersecurity mandates for pipelines despite having the authority to do so and having done so for US power plants. But the North American pipeline system’s recently exposed vulnerabilities, including revelations that Chinese government hackers infiltrated more than 12 operators almost 10 years ago, have rekindled concerns that more prescriptive action might be required. According to details released by CISA and the Federal Bureau of Investigation (FBI), “China was successful in accessing the supervisory control and data acquisition networks at several US natural gas pipeline companies” and “intended to gain strategic access to the ICS (industrial control system) networks for future operations rather than for intellectual property theft.”

CISA and FBI further assessed that Chinese state-sponsored actors compromised various authorized remote access channels, including systems designed to transfer data or allow access between corporate and ICS networks. With this access, the Chinese state-sponsored actors could have impersonated legitimate system operators to conduct unauthorized operations. Chinese actors also gained information specific to dial-up access, including phone numbers, usernames, and passwords, the agencies said. Though these have almost certainly changed in the meantime, CISA and FBI caution that “dial-up modems continue to be prevalent in the energy sector, providing direct access into the ICS environment with little or no security and no monitoring, which makes them an optimal vector for hold-at-risk operations. Exfiltrated data provided the capabilities for the Chinese cyber actors to access…operational systems at a level where they could potentially conduct unauthorized operations.”

On July 20, TSA issued a second post-Colonial directive requiring the same pipeline operators implement additional protections against cyber intrusions, describing the desired outcome as a public-private partnership. The new directive requires pipeline companies to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.

These steps, particularly in their reporting aspects, auger a new level of federal government involvement in pipeline operations. Sonya Proctor, assistant administrator for surface operations at TSA, said the new directive was “rather prescriptive in terms of mitigation measures required.”

Pipeline operators should take whatever actions they can to keep their individual houses in order by full-scale and aggressive implementation of measures such as risk-based identity proofing, multifactor authentication, and recurrent training of personnel.

It is important that individual operators retain the ability to design systems that meet the needs of their specific operations. But as evidenced by the Colonial attack, and now revealed about Chinese actions, the stakes are too high and threats too constant and numerous for anything other than collective action to suffice. You can be certain that those acting to harm US infrastructure are not acting individually.