DHS orders pipeline firms to report cyberattacks to government
In wake of Colonial Pipeline shutdown, agency requires companies to report attacks and face fines if they don't
The Department of Homeland Security issued a new directive Thursday that requires private operators of pipelines to report any cybersecurity incidents and attacks on their network to the Cybersecurity and Infrastructure Security Agency and asks the companies to appoint a cybersecurity coordinator.
“This is the first time that there’s been [a] mandatory reporting” requirement that CISA has imposed on pipeline operators, a senior official of the Department of Homeland Security told reporters.
Pipeline operators also are required to conduct an assessment of how their cybersecurity practices match guidelines issued by the Transportation Security Administration, which is responsible for overseeing pipeline safety.
The assessment must be completed within 30 days and companies must specify how they would address any gaps they find between their practices and the guidelines, the official and others who spoke on the call said, speaking on the condition of anonymity.
“This reporting will put the government in a better position to have awareness early on about potential incidents that would not be limited to cyber incident response but may also require the government to create a mechanism to respond to the broader potential impact associated with it,” one of the officials said.
Under the new requirement, companies that fail to notify CISA would face financial penalties starting at about $7,000, one of the officials said, adding that DHS would determine fines based on the nature of the attack and other circumstances.
Companies also must appoint a cybersecurity coordinator who would be “always available, 24/7, who can respond to incidents” and work with CISA, one of the officials said.
The mandatory reporting requirements come in the wake of a ransomware attack on Colonial Pipeline, a private company whose single largest owner is Koch Capital Investments Co. LLC, which has 28.09 percent ownership. The attack on the company’s corporate network two weeks ago resulted in the company shutting down its network of pipelines transporting gasoline across the East Coast, which led to price hikes and severe shortages for a week.
The pipeline closure created a political backlash for the Biden administration as it scrambled to reassure motorists that supply would resume.
President Joe Biden has said the attack was carried out by a ransomware group named DarkSide that was operating out of Russia, although not linked to the Moscow government. The company paid a $4.4 million ransom to recover its data.
The company notified the FBI of the attack but did not inform CISA, which was included in the investigation only after the FBI asked the agency to do so.
CISA’s acting director, Brandon Wales, has told Congress that the company’s failure to notify and inform the agency of the details of the attack meant that other pipeline and critical infrastructure operators were left waiting in the dark to learn how to protect themselves from a similar attack.
While the FBI typically investigates a cyberattack, the job of understanding how an attack unfolded and alerting others to it falls to CISA.
The new order applies only to pipeline companies; several other critical sectors, including dams, sewage and water treatment facilities, chemical facilities, utilities and others, are not covered by the directive.
DHS is assessing whether other critical sectors with safety regulations and operations overseen by other federal agencies have cybersecurity reporting requirements, one of the officials said. The department would then examine the effectiveness of its order covering pipeline companies and decide whether a similar approach would work for other sectors, the official said.
“We want to avoid creating something that is just a tick the box kind of compliance regime,” the official said.