DHS unveils second round of new pipeline security requirements

The U.S. Department of Homeland Security announced new security requirements Tuesday for Transportation Security Administration-designated critical oil and gas pipelines.

The new DHS directive follows May's high-profile ransomware attack against the Colonial Pipeline Co. that created multi-day fuel shortages in parts of the United States East Coast and led to Colonial paying a ransom of $4.4 million. Later in May, the DHS introduced the initial directive which preceded Tuesday's.

The May 27 directive required pipeline owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and "to designate a "Cybersecurity Coordinator" that would be available 24 hours a day. It also added requirements for pipeline owners and operators to review their security practices and identify gaps as well as remediations.

The second directive, announced this week, expands on these obligations further, requiring pipeline owners and operators to "implement specific mitigation measures" to combat ransomware attacks and other IT and operational technology (OT) threats. Operators must also "implement a cybersecurity contingency and recovery plan and conduct a cybersecurity architecture design review," according to DHS' announcement.

"Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security," DHS Secretary Alejandro Mayorkas said in a statement. "Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience."

In addition to the new directive, a joint cybersecurity advisory by CISA and the FBI was released Tuesday that elaborated on and provided mitigations for multiple cyber-intrusion campaigns against industrial control systems (ICS), pipelines and other critical infrastructure that have been years-long in some cases.

Perhaps the most notable campaign discussed is one regarding a Chinese spear phishing and intrusion campaign against U.S. oil and natural gas pipeline companies that occurred from 2011 to 2013. The U.S. government identified 23 targets as part of the campaign, with 13 confirmed compromises, three "near misses" and eight with "an unknown depth of intrusion."

Threat actors apparently associated with the campaign also launched social engineering attacks in order to gain sensitive information from "asset owners" and presumably facilitate the spear phishing operation. One example the CISA alert provided was that one organization's network engineering department received calls about recent security practices while posing as an employee of a large security firm.

During a hearing for the House Committee on Energy and Commerce on Tuesday regarding cybersecurity threats, Dragos CEO Rob Lee said ransomware "is just one risk facing our infrastructure, and if anything highlights that if criminals can be successful in breaching and disrupting our OT environments, state actors will find much more success."

Lee also told the committee members that critical infrastructure companies are committed to improving their security postures and working with the government to fully achieve those goals. But he cautioned against burdening companies with too many requirements from different regulatory bodies, which can confuse and distract organizations.

"Whatever regulations manifest, they should be thought of together so that companies do not have overly burdensome requirements on them as we all try to achieve the same goal of security," he said.

Ben Miller, vice president of professional services and R&D at Dragos, told SearchSecurity in March that attacks on ICS and operational technology [OT] systems were on the rise and will "continually be increasing over time."

Security news director Rob Wright contributed to this report.

Alexander Culafi is a writer, journalist and podcaster based in Boston.