DHS to announce cybersecurity regulations for pipelines
The Department of Homeland Security will issue new cybersecurity regulations on fuel and oil pipelines to prevent future cyber attacks like the one that crippled the Colonial Pipeline, senior DHS officials told the Washington Post.
Why it matters: The new directives on pipelines demonstrate the significance of the Colonial breach, since only a few vital infrastructure sectors — like bulk electric power and nuclear plants — have to follow federal cybersecurity regulations in the event of an attack.
Details: The new regulations will be issued by the Transportation Security Administration (TSA), which is a part of DHS and handles pipeline security.
- Companies that manage pipelines will have to immediately report to TSA and the Cybersecurity and Infrastructure Security Agency if they are targeted by a cyber attack, according to the Post.
- The companies will also be required to hire a cyber official and routinely test the security of their computer systems and correct shortfalls.
- In the past, the federal government only offered voluntary guidelines to pipelines.
What they're saying: “The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck told the Post in a statement.
- “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems,” she added.
The big picture: The ransomware attack against Colonial led to fuel shortages at gas stations in multiple states and could have significantly affected airlines, mass transit and oil refineries if the pipeline had been shut down for a longer period of time.
- Colonial Pipeline CEO Joseph Blount said last week that the company paid a ransom of $4.4 million to the cybercrime group responsible for the attack.
- The federal government has recommended that companies not pay criminals during ransomware attempts, over fears that doing so would only encourage more groups to conduct future attacks.