US Feds Offer Fresh Directive To Combat Cyberattacks on Pipelines

The FBI also released a security advisory and details regarding 23 attacks on oil and gas companies from December 2011 to 2013.

DHS and TSA advise pipeline owners to implement specific mitigation measures to protect against cyberattacks.
Credit: Traitov/Getty Images/iStockphoto.

The US Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) has issued a second Security Directive related to the ongoing cybersecurity threat against pipeline systems that requires owners and operators of TSA-designated critical pipelines to implement several protections against cyber intrusions.

The second directive requires owners and operators of critical pipelines that transport hazardous liquids and natural gas to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.

“The lives and livelihoods of the American people depend on our collective ability to protect our nation’s critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyberthreats, and better protect our national and economic security. Public/private partnerships are critical to the security of every community across our country, and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

This directive builds upon an initial Security Directive that TSA issued in May 2021 following the ransomware attack on Colonial Pipeline. The May 2021 Security Directive requires critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA); (2) designate a cybersecurity coordinator to be available 24 hours a day, 7 days a week; (3) review current practices; and, (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to the TSA and CISA within 30 days.

“The new directive signifies that the federal government recognizes self-regulation can only provide so much protection to these infrastructures and that it can vary wildly,” said Damon Small, oil and gas cybersecurity expert and technical director and consultant with NCC Group. “What’s missing from the Joint Cybersecurity Advisory released by the FBI and the DHS, and likely out-of-scope for such a publication, is how companies should implement the mitigations.”

Separately, the FBI and DHS issued a security advisory covering cyberattacks on 23 US natural gas pipeline operators by Chinese state-sponsored hackers. According to the advisory, the attacks occurred from December 2011 to 2013. Of the known targeted entities, 13 were confirmed compromises, three were near misses, and eight had an unknown depth of intrusion. The attackers sent targeted emails to oil and gas employees, a tactic called spearphishing, to convince them to view malicious files. None of the companies were identified.

“Spearphishing and social engineering remain successful techniques on oil and gas as well as every other sector because they prey on the most vulnerable part of the technology stack—we humans that use that technology—or the ‘chair/keyboard interface,’ as I like to call it,” Small said. “The best firewalls, antivirus, patch management, and vulnerability assessment programs in the world won’t stop a bad guy if you invite them in.”

Social engineering tactics were also employed in several of the noted attacks. According to the CISA advisory, one asset owner reported that individuals in its network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices. Employees in other departments were not targeted. The asset owner also reported that these calls began immediately after it had identified and removed the malicious intruder from its network and performed a systemwide credential reset. The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices.