The Transportation Security Administration (TSA) announcement in May regarding new requirements for owners and operators of gas pipeline operators is an indication that the federal government is not going to take a light approach regarding cybersecurity. Rather than making recommendations they are issuing requirements.
The change follows the attack on Colonial Pipeline in mid-May that crippled nearly half of the fuel supply for the east coast. There have been previous attacks on other critical infrastructure in other countries like Saudi Arabia in 2018 and several attacks on critical infrastructure in the Ukraine, most recently in December 2016 when power was cut in parts of Kiev.
Clearly the risks to critical infrastructure have never been higher and the federal government is moving forward with new rules for all critical infrastructure as noted in this recent fact sheet.
So what should you do?
Plan to follow the rules just released by the TSA for gas companies because they will likely soon be applied to your industry:
Use a cybersecurity framework to provide a roadmap for fixing the problems or gaps that you discover from step 4. Using a framework will help you and your team prioritize and address the biggest risks first.
You should also consider joining the appropriate information sharing and analysis center (ISAC) for your industry. There is one for electricity called E-ISAC, plus others for industries like healthcare, financial services, communications, aviation, and chemicals. You can find more about them here at the national ISAC organization. If you need more help, contact the CBTS Security practice.
Read more from John Bruggeman:
Can you be ransomware-proof? Is that even possible?