US Announces New Cybersecurity Requirements for Critical Pipeline Owners

July 21, 2021

WASHINGTON — The Department of Homeland Security on Tuesday required owners and operators of critical pipelines that transport hazardous liquids and natural gas to implement “urgently needed protections against cyber intrusions.”

It was the second security directive issued by the department’s Transportation Security Administration since May, after a hack of the Colonial Pipeline disrupted fuel supplies in the southeastern United States for days.

The department said the action was in response to “the ongoing cybersecurity threat to pipeline systems.”

“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” Secretary of Homeland Security Alejandro N. Mayorkas said in the statement.

The security directive requires TSA-designated critical pipelines to take certain mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review, DHS said.

A ransomware attack forced Colonial Pipeline, which runs from Texas to New Jersey, to shut much of its network for several days in May, leaving thousands of gas stations across the U.S. Southeast without fuel.

The closure of the 5,500-mile (8,900-km) system was the most disruptive cyberattack on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.

The Associated Press reported that Colonial paid an estimated $4.4 million ransom, most of which was eventually recovered by the Justice Department. The FBI has blamed the attack on a Russia-based gang of hackers using the DarkSide ransomware variant.

The Biden administration has repeatedly accused Russia of granting safe haven to criminal gangs and trying to steal from government agencies and private organizations in various sectors, the AP said. It imposed sanctions in April for a range of activities including hacking.

Russia has broadly denied being involved in cyberattacks on U.S. institutions, decrying “unfounded accusations” in a statement last month.