The Colonial Pipeline ransomware attack earlier this month crippled the East Coast’s fuel supply and highlighted how critical infrastructure in the U.S. remains vulnerable to cyberattacks. Today, the Department of Homeland Security introduced new cybersecurity guidelines to regulate the pipeline industry. While this is the first time that DHS has established mandatory cyber regulations for pipeline companies, we can look to existing cyber regulations in the energy sector to anticipate what the DHS will now require.
The first directive from DHS requires pipeline companies to report cyber incidents when they occur and, according to the Washington Post, will be followed by “a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked.”
So, what will these more robust rules look like? The new pipeline regulations could be largely based on the existing North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations designed to prevent and mitigate cyberattacks against the electrical grid. Alternatively, they could adopt the DOT pipeline regulations which are already in affect but are currently optional. With this in mind, pipeline companies should prepare for the additional new regulations in the following ways:
- Build infrastructure for transparent and efficient incident reporting
The new DHS will now require pipeline companies to not only alert the federal government to cyber incidents but have a senior cyber official, such as a CISO, who will have a “24/7 direct line to TSA and CISA to report an attack.” Pipeline companies will now need to be ready to gather information quickly in order to share it with TSA and CISA and that requires putting plans in place now.
- Don’t rely on antiquated cyber solutions and start the move to SASE
The world is in the cloud and the same goes for pipeline companies. With thousands of miles of pipelines shipping oil and gas up and down the country, the workforces of these companies are equally dispersed. With remote offices and workers and an increasing reliance on cloud applications for work, on-prem and appliance-based network security is no longer an effective solution. The castle and moat approach simply doesn’t work for organizations that have workers all around the country. Pipeline companies, and others with remote workforces, should start the switch to SASE now to ensure both security and connectivity.
- Implement Zero Trust now
Existing NERC CIP rules don’t require Zero Trust but changes to the requirements in recent years have enabled companies to implement a Zero Trust approach. The pending pipeline rules will likely be even more forward thinking than NERC CIP so we can expect Zero Trust will be a fundamental aspect to the new requirements.
It’s important for pipeline companies to get ahead of the requirements because if they are anything like NERC CIP, they will also come with hefty fines that can reach up to $1 million per day — a good incentive to start modernizing their cybersecurity architecture!