The Department of Homeland Security (DHS) will issue a directive later this week requiring all pipeline companies to report cybersecurity incidents to federal authorities. The directive comes two weeks after Colonial Pipeline, which operates the biggest gasoline conduit to the East Coast, was forced to shut down its 5,500-mile pipeline after a devastating ransomware attack.

The Washington Post first reported that DHS's Transportation Security Administration (TSA) will be issuing the directive this week. A spokesperson for DHS told The Hill in an emailed statement Tuesday that “the Biden administration is taking further action to better secure our nation’s critical infrastructure,” with TSA and the federal Cybersecurity and Infrastructure Security Agency (CISA) working together on the issue. It will follow up in coming weeks with strict rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. 

“TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead,” the spokesperson said.

"Unless the federal government is appointing a new regulatory lead or new enforcement mechanisms, this regulation already exists, specifically for oil or gas refineries as defined within Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act," says Monti Knode, Director of Customer & Partner Success at Horizon3.AI, a continuous automated security assessment and validation company. "Reporting is one aspect - and they may even be exempt from public disclosure - but what we need is clear guidance related to ransomware and extortion and how much decision space private industry retains when they are considered "covered critical infrastructure." 

The Colonial Pipeline cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, said the officials.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, "It’s unfortunate that it took a ransomware attack of this scale to get updated regulations in place, but it does show how important it is to keep all security standards up to date with modern attack types."

TSA’s new security directive will require pipeline companies to report cyber incidents to TSA and CISA and to have a cyber official — such as a chief information security officer — with a 24/7 direct line to TSA and CISA to report an attack, the Post reports. It will also require companies to assess the security of their systems as measured against existing cyber guidelines; fixing any gaps is currently voluntary.

A senior DHS official, according to the Post, said, "“This is a first step, and the department views it as a first step, and it will be followed by a much more robust directive that puts in place meaningful requirements that are meant to be durable and flexible as technology changes."
 
The Post reports that the new rules, expected in the coming weeks, will require companies to correct any problems and address shortcomings or face financial penalties, officials said, and they will represent a marked shift for TSA, which has relied on collaboration with, rather than mandatory requirements on, pipeline companies.

Tyler Shields, CMO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, says, "It is always significant when a government group or organization puts out new regulations or mandates. The efficacy of the regulation typically comes down to the impact of failure on the organization - e.g does the regulation have teeth. This particular regulation should have a positive impact on security at pipeline companies due to the downside of failure being both financially and brand significant. Government fines and other damages are a strong incentive for security improvement".

However, critics like Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, argue, that "the risk of regulatory action is always overreach, a disconnect between the regulatory requirements and the desired outcomes, the law of unintended consequences, and the introduction or perpetuation of a framework that long outlives its usefulness.  In this particular case, however, it often feels like we’re talking about a wild west that lacks basic security maturity and has ignored at least a decade of credible alarm bells. In light of that, these risks are almost certainly acceptable relative to the greater risk of prolonging inaction against the threats critical infrastructure faces.

John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, also agrees. "As we have seen, pipelines are critical infrastructure that can lead to real problems if they are disrupted. Notification to the federal government of cyberattacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents."

Schless adds, "Implementing new regulations could be very effective in the battle against cybercriminals so long as organizations actually take action to align with them. It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling. In order to protect themselves, organizations in every industry need to implement a philosophy of Zero Trust across their entire infrastructure. This is the only way to ensure that only healthy devices and legitimate users are accessing your internal resources. Without it, you have no way of knowing whether a particular device, network, or employee account has been compromised."

iboss Vice President of Research and Intelligence, Jim Gogolinski, who helped discover the infamous Sandworm, predicts swift compliance based on the potential for fines as much as $1 million per day for businesses that don't comply. "The pending directive will likely be modeled after the existing NERC CIP standards that are designed to prevent and mitigate attacks against critical electrical infrastructure. Reporting is obviously a key part of that but so are security protocols, system management, and personnel training. The NERC CIP standards are followed closely because fines for not complying can reach as high as $1 million per day per violation. If the new pipeline directive includes similar fines, we would expect to see swift efforts by the industry to come into compliance."