The Transportation Security Administration (TSA) announcement in May regarding new requirements for owners and operators of gas pipeline operators is an indication that the federal government is not going to take a light approach regarding cybersecurity. Rather than making recommendations they are issuing requirements.
The change follows the attack on Colonial Pipeline in mid-May that crippled nearly half of the fuel supply for the east coast. There have been previous attacks on other critical infrastructure in other countries like Saudi Arabia in 2018 and several attacks on critical infrastructure in the Ukraine, most recently in December 2016 when power was cut in parts of Kiev.
Clearly the risks to critical infrastructure have never been higher and the federal government is moving forward with new rules for all critical infrastructure as noted in this recent fact sheet.
So what should you do?
Plan to follow the rules just released by the TSA for gas companies because they will likely soon be applied to your industry:
- Appoint and identify, within seven days, a cyber coordinator (and a backup cyber coordinator) who is available to the Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) officials 24×7.
- Report all cyber intrusions to CISA within twelve hours of the incident.
- Develop and implement a contingency and recovery plan for cyber intrusions.
- Compare the plan with DHS standards, identify gaps, develop measures to fill them, and gain approval for them from the CISA.
Use a cybersecurity framework to provide a roadmap for fixing the problems or gaps that you discover from step 4. Using a framework will help you and your team prioritize and address the biggest risks first.
You should also consider joining the appropriate information sharing and analysis center (ISAC) for your industry. There is one for electricity called E-ISAC, plus others for industries like healthcare, financial services, communications, aviation, and chemicals. You can find more about them here at the national ISAC organization. If you need more help, contact the CBTS Security practice.
Read more from John Bruggeman: