D2
Administrator
The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast’s fuel supply this month — an incident that highlighted the vulnerability of critical infrastructure to online attacks.
The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past.
The ransomware attack that led Colonial Pipeline to shutter its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation’s capital. Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel. Colonial’s chief executive has said the company paid $4.4 million to foreign hackers to release its systems.
Colonial Pipeline CEO says paying $4.4 million ransom was ‘the right thing to do for the country’
The cyberattack spurred DHS Secretary Alejandro Mayorkas and other top officials to consider how they could use existing TSA powers to bring change to the industry, said the officials.
Gas stations in the Southeastern U.S. saw long lines on May 10, as Colonial Pipeline tries to restore operations following a ransomware attack. (The Washington Post)
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS spokeswoman Sarah Peck said in a statement. “TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”
That TSA handles pipeline security at all is an artifact of the post-Sept. 11, 2001, reorganization of the federal government. Originally, the Department of Transportation oversaw pipelines, which were seen as a mode of transportation — whether conveying fuel, gas or chemicals. Then in 2002, responsibility for pipeline security was moved to the newly created TSA, which was given statutory authority to secure surface transportation. DOT, however, still is in charge of safety of the actual pipes — or ensuring they do not fail.
TSA, though, mostly focused on physical security of pipelines, safeguarding them against terrorist attacks or sabotage. It was only in 2010 that the first set of cyber-related guidelines was issued. The guidelines were updated in 2018 but still fall far short of what many experts say is needed.
Most critical infrastructure sectors — whether dams, health care or wastewater systems — do not have mandatory cyber standards. A handful do, including bulk electric power and nuclear plants. A congressional effort to institute mandatory requirements in 2012 failed in the face of strong U.S. Chamber of Commerce opposition.