US To Issue Cyber Protection Rules For Pipelines After Colonial Hack

The United States has reacted to the wake up call about the need to protect critical infrastructure, following the Colonial Pipeline cyberattack.

A unit within the Department of Homeland Security (DHS), the Transportation Security Administration has reportedly said it will this week issue its first security directive requiring pipeline operators to report cyber incidents to federal authorities.

The move comes after critical infrastructure in the US was exposed when on Friday 7 May a major pipeline (Colonial Pipeline) was attacked by hacker group DarkSide, causing widespread fuel shortages on the US east coast.

Colonial attack

Indeed, so serious was the attack that the US government engaged emergency powers and US President Joe Biden received “personal briefings” about the cyberattack.

The Colonial Pipeline runs between Texas and New Jersey and is 5,500 mile long.

It carries 2.5 million barrels a day, which translates to 45 percent of the fuel supply for the US East Coast. It includes diesel, petrol and jet fuel.

It serves 90 US military installations and 26 oil refineries, as well as Atlanta airport – a busy regional airhub for America.

The devastation after the attack caused DarkSide, a criminal gang located in either Russia or Eastern Europe, to publicly declare they were not carrying out the attack for political purposes, but rather were just seeking to make money.

The CEO of Colonial last week confirmed he had authorised the ransom payment of $4.4 million (75 Bitcoin), because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.

Mandatory rules

Besides the reporting of a cyber attack, pipeline operators will in the following weeks also be faced with a more robust set of mandatory rules for safeguarding their systems against cyberattacks and the steps they should take if they are hacked, the Washington Post reported.

The agency has apparently offered only voluntary guidelines in the past.

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck was quoted by the Post as saying in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

There is concern that other critical infrastructure sectors such as dams, health care or wastewater systems – do not have mandatory cyber standards.

In February officials of the US city of Oldsmar in Florida confirmed a hacker had gained access to the water system of the city and tried to pump in a “dangerous” amount of a chemical.

The new rules, expected in the coming weeks, will require companies to correct any problems and address shortcomings or face financial penalties, officials reportedly said.

Unsecured infrastructure

They will represent a marked shift for TSA, the Washington Post reported, as the TSA has previously relied on collaboration with, rather than mandatory requirements on, pipeline companies.

There are reportedly more than 2.7 million miles of pipelines in the United States. Roughly 216,000 miles carry hazardous liquids including crude oil, diesel fuel, gasoline and jet fuel.

Currently there are more than 3,000 pipeline companies in the US.

In February 2020 a natural gas pipeline in the US was shut down for two days after a ransomware attack.