On Monday, the Transportation Security Administration, a component of DHS, issued its second “security directive” for designated critical pipelines that transport hazardous liquids and natural gas.
“An attack like Colonial makes very clear that we simply cannot be that exposed — the grid, the supply of gasoline, the supply of food, the supply of water. Those things are so critical that the government is really pulling out all the stops,” said Padraic O’Reilly, pipeline and critical infrastructure cybersecurity risk adviser and co-founder at the cyber risk firm CyberSaint.
The latest directive will require pipeline companies to implement a number of “urgently needed” protections against cyber intrusions, including implementing a cybersecurity contingency and recovery plan and conducting a cybersecurity architecture design review, according to DHS.
“Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security,” Homeland Security Secretary Alejandro Mayorkas said in a statement.
TSA is responsible for transportation security, including hazardous material and pipeline security, and has guidelines in place for the industry. It has moved in recent months to mandate steps the industry must take to comply with the guidelines.
The latest directive focuses on changes to IT and operational technology operations for the top 100 US pipelines, according to an industry source.
While there have been guidelines in place for pipelines, “this is the first time TSA has required mandatory changes,” the source said.
There were some initial concerns, based on a draft directive, about the timeline to complete the requirements, the source said, adding that owners and operators are still assessing the final directive that was shared with the industry Monday.
“In certain operating environments, before you make any type of change, you need to test it in a test environment, to make sure that it’s not going to have any unintended consequences,” the source said. “And so that takes time.”
Unlike the first directive, the latest is designated as “security sensitive information” and, as a result, its “distribution will be limited to those with a need to know,” according to a DHS official. It applies only to owners and operators of hazardous liquid and natural gas pipelines and liquefied natural gas facilities that have been designated as critical by TSA, the official said, adding that those entities have been notified of their status.
Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales, speaking at a conference in Israel on Tuesday, called on government and private-sector leaders to collaborate internationally against the threat of ransomware and other cybersecurity challenges, saying that “cybersecurity can no longer be an afterthought.”
“Our adversaries are increasingly turning to cyberattacks to steal our secrets, disrupt our infrastructure, extort money from businesses, sow discord amongst our populations, or any other number of nefarious schemes,” he told an audience assembled at Tel Aviv University.
Wales encouraged cybersecurity practitioners to look to future threats.
“While over the past year I’m sure everyone can agree that it’s felt like we’ve just been putting out fires, today’s fires, we also know we need to address tomorrow’s risks, driving long-term change in a broader ecosystem,” he said.
In a coordinated announcement, the White House and governments in Europe and Asia identified China’s Ministry of State Security, the sprawling and secretive civilian intelligence agency, as using “criminal contract hackers” to conduct a range of destabilizing activities around the world for personal profit, including the Microsoft hack.
The administration also said China was behind a specific ransomware attack against a US target that a senior administration official said involved a “large ransom request” — and added that Chinese ransom demands have been in the “millions of dollars.”
“CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk,” according to the alert.
The federal government identified more than 20 US natural gas pipeline operators targeted during the two years.
This story has been updated with additional details.
CNN’s Brian Fung contributed to this report.