Hack prompts new security regulations for US pipelines

/in


WASHINGTON — The federal government will issue cybersecurity regulations in the coming days for U.S. pipeline operators following a ransomware attack that led to fuel shortages across much of the Eastern Seaboard.

The Transportation Security Administration, which oversees the nation’s network of pipelines, is expected to issue a security directive this week that will address some of the issues raised by the Colonial Pipeline shutdown, a U.S. official said Tuesday.

The directive will include a requirement that pipeline companies report cyber incidents to the federal government, said the official, speaking on condition of anonymity because the proposal has not yet been publicly released.

It addresses, to an extent, the ransomware attack that led to the shutdown of the pipeline this month, but it also reflects a broader Biden administration focus on cybersecurity after a series of damaging intrusions by overseas hackers.

The Department of Homeland Security declined to confirm any specifics of the pending directive, issuing a statement that said TSA and another component of the agency, the Cybersecurity and Infrastructure Agency, are working with private companies to address cyber threats. “The Biden Administration is taking further action to better secure our nation’s critical infrastructure,” it said.

The directive, first reported by The Washington Post, is expected to prompt concern, if not outright opposition, from private operators wary of increased government regulation.

The American Petroleum Institute, which represents the oil and gas industry, said in a statement that its members are working with the administration to develop reporting policies and that any new regulations should include “reciprocal information sharing and liability protections.”

Mark Montgomery, a senior fellow at the Foundation for the Defense of Democracies and former executive director of the congressionally mandated Cyberspace Solarium Commission, said federal officials have told him the pipeline order will have two stages.

The first will immediately mandate that any cybersecurity incidents are reported to the federal government, while the second, coming later, would require that pipeline companies…

Source…