TSA issues second directive for pipeline operators amid China concerns
The US Transportation Security Administration (TSA) on Tuesday issued a directive requiring oil pipeline operators to implement specific measures to protect against ransomware and other threats to their business and operational technology (OT) networks.
The directive is the TSA’s second for oil pipeline operators in the last two months and is a sign of the heightened concerns over critical cyber vulnerabilities in US oil and gas infrastructure following the crippling ransomware attack on Colonial Pipeline in May. That attack — attributed to a Russia-linked group called DarkSide — shut down some 5,500 miles of pipeline and caused temporary oil shortages across large parts of the US eastern and southern coasts.
The new directive from the TSA also appears linked to growing concerns about the threat to US critical infrastructure from cyber-threat groups backed by the Chinese government. Just this week, the Biden White House publicly accused China’s Ministry of State Security (MSS) of using criminal hackers to carry out cyber-espionage campaigns and destructive attacks against US commercial, government, and critical infrastructure targets.
And on Tuesday — timed with the TSA advisory — the US Cybersecurity and Infrastructure Agency (CISA) issued an alert on a Chinese spear-phishing and cyber-intrusion campaign between 2011 and 2013 that targeted 23 US gas pipeline operators. Thirteen of those organizations were compromised, three had near misses, and eight of them experienced an “unknown depth of intrusion,” CISA said. Its alert provided technical details and indicators of compromise about the tactics, techniques, and procedures (TTPs) that the Chinese threat actors used in that campaign and mitigation measures against them.
“CISA and FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations,” the CISA advisory noted.
The Department of Homeland Security — of which the TSA is a part — did not offer specifics of the new requirements announced this week for pipeline operators. In a statement, the agency described the directive as aimed at “owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas.” These entities will now be required to implement specific mitigation measures against ransomware attacks and other known threats to their IT and OT networks. They will also be required to implement a contingency and recovery plan for cyberattacks and conduct a security architecture review. TSA’s first directive in May required pipeline operators to report all cyberattacks, bolster incident response capabilities, conduct a threat assessment, and develop a cybersecurity plan based on the results of that review.
The DHS said the latest requirements were drafted based on input from CISA about cyber threats to the pipeline industry and the technical measures for countering them.
To read the complete article, visit Dark Reading.