A new directive issued by the Transportation Security Administration requires fuel pipeline operators to institute mitigation and recovery measures to protect against ransomware attacks and other known cybersecurity threats.
This is the second directive issued by TSA in the wake of the ransomware attack on Colonial Pipeline’s business IT systems in May, which led to the suspension of pipeline operations for about a week.
On May 27, TSA issued its first directive, instituting mandatory reporting for “confirmed and potential” cybersecurity incidents at pipeline operators. This latest directive requires operators of pipelines designated by TSA as critical to review their current “cybersecurity architecture design,” implement mitigation measures against known threats to IT and operational technology systems and establish plans to recover from a cyberattack, TSA officials said in their announcement.
The details of the directive contain sensitive information and will not be released to the public, TSA officials said in June.
The stakes are high. While the Colonial ransomware attack turned out to be the work of a criminal hacker group, the FBI and the Cybersecurity and Infrastructure Security Agency released new details on July 20 of a spearphishing campaign conducted between 2011 and 2013 that targeted oil and natural gas pipeline companies, attributing the attack to a group linked to the Chinese military. News reports at the time indicated that federal officials regarded China as the culprit in these intrusions.
The report states that “China was successful in accessing the supervisory control and data acquisition (SCADA) networks at several U.S. natural gas pipeline companies,” and that the campaign was “likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft.”
A longer version of this article was first posted to FCW, a sibling site to GCN.