Pipeline Companies – Ready for June 28, 2021?
First, “hats off” to the publicists for Colonial Pipeline. These people deserve a bonus, perhaps from the $2.3M recovered (out of the $4.4M in paid ransom) from DarkSide by the Department of Justice. Despite causing a temporary national gasoline shortage (more of an overreaction), the company’s faultless victimhood went unquestioned until very recently. Second, are the pipeline companies ready to demonstrate compliance with the new Security Directive Pipeline-2021-01 by June 28, 2021?
Pipeline owner/operators are, de facto, required to complete a full comparison between their current cybersecurity and infosec practices and the 2018 NIST Standards in just 30 days – for both their operational technology systems and their information technology systems (we all hope these networks are segregated). For anyone exclaiming, “that’s not in the directive!?!”, let’s back up and demonstrate that, yes, the comparison requirement is in the Security Directive.
The Transportation Security Administration (TSA), the same agency that employs airport security personnel, started regulating pipelines and certain security measures in 2001. With the release of the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” TSA’s March 2018 Pipeline Security Guidelines incorporated the NIST framework in its Section 7, entitled “Pipeline Cyber Asset Security Measures.”
However, TSA’s inclusion of the NIST standards in its Pipeline Security Guidelines (updated in April 2021 – a month before the Colonial Pipeline cyber-attack) faltered by using the word “should” instead of “shall.” In Section 7.1, the 2018 guidelines stated as follows: “To implement an effective cybersecurity strategy, pipeline operators should consider the approach outlined in the NIST Framework and the guidance issued by DHS and the Department of Energy along with industry-specific or other established methodologies, standards, and best practices[.]”
Any decent lawyer will advise that the word “should” equates to “encouraged, but not required.” That said, there is definitely room for negligence liability when “should” recommendations are ignored.
TSA’s new Security Directive Pipeline-2021-01 brings some teeth by making NIST standards MANDATORY. Issued on May 27, 2021 and effective on May 28, 2021, the Security Directive creates 3 main requirements:
1. Pipeline Owner/Operators MUST report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of the incident via CISA's Reporting System form at: https://uscert.cisa.gov/forms/report or by calling (888) 282-0870. Qualifying cybersecurity incidents include the following: unauthorized access incidents, malware, denial of service attacks, physical attacks, or events that adversely affect transportation of necessary chemicals, etc. The reports to CISA also require certain minimum information items listed in the directive.
2. Pipeline Owner/Operators MUST designate a Cybersecurity Coordinator and an alternate coordinator, both of whom are required to be available to TSA and CISA 24/7 to address incident and cybersecurity practice issues at the behest of CISA and the TSA. Each cybersecurity coordinator and alternate must be a U.S. citizen, must be eligible for (or already hold) a federal security clearance, and must be willing to provide every available item of contact information to multiple government agencies (not like they do not have it already).
3. Pipeline Owner/Operators MUST review their current activities against Section 7 of TSA’s 2018 Pipeline Security Guidelines (NIST Standards), assess their own cybersecurity risks, identify cybersecurity gaps, plan gap remediation measures, and report the same to TSA within 30 days of May 28, 2021, on a prescribed security assessment form. TSA also wants to see an implementation timeline for the remediation efforts once the company completes its comparison between its current cybersecurity protocols and the cybersecurity guidelines set forth in Section 7 of TSA’s 2018 Pipeline Security Guidelines (again, all of which are straight from NIST’s 2018 publication).
So, to the extent any owner/operator has not already hired a CISO/CIO/CSO/MSSP and/or is not already following some form of a NIST cybersecurity best practices process, the clock is ticking.
While Colonial Pipeline argues that it performed a substantial service in paying the initial ransom to DarkSide in order to resume operations and stop the gas shortage, its delay and reluctance to welcome certain government agencies into the information sharing and remediation process following the ransomware attack likely contributed to the immediate issuance of the current directive. No doubt Mandiant/FireEye is an extremely competent vendor, but with information regarding cyber-attacks, follow your kindergarten teacher’s advice: sharing = caring.