The United States Department of Homeland Security (DHS) is to issue its first ever set of cybersecurity regulations for pipelines, according to The Washington Post.
The news comes in the wake of a recent ransomware attack on the Colonial Pipeline that knocked operational systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast.
Last week, Colonial Pipeline paid a ransom of $4.4m to cyber-criminal gang DarkSide to regain control of its systems and data.
According to the Post, a senior DHS official has said that a security directive will be issued this week requiring pipeline companies to report cybersecurity incidents to federal authorities. The directive will come from the Transportation Security Administration, a DHS unit.
This directive will be followed by a meatier set of regulations in a couple of weeks’ time. These rules are expected to lay out in more detail what pipeline operators must do to protect their systems from cyber-attacks.
Post-breach behavior will also be regulated, with companies who succumb to a cyber-attack ordered to adhere to a set of best practices.
These mandatory regulations will replace the voluntary cybersecurity guidelines issued previously by the DHS.
John Bambenek, threat intelligence advisor at Netenrich, said that the US government’s “shutting the stable door after the horse has bolted” approach to cybersecurity regulation may not be the best way to protect critical infrastructure.
“Notification to the federal government of cyber-attacks is less significant than whatever protective regulations they issue, but the facts are, we have thousands of pages of policies, regulations, and studies on security for the federal government and they still get breached. A regulatory approach based on preventing the last incident is always going to be lacking in terms of preventing the future incidents,” he told Infosecurity Magazine.
Lookout’s Hank Schless took a more positive view of the regulations’ potential impact.
He told Infosecurity Magazine: “Implementing new regulations could be very effective in the battle against cyber-criminals so long as organizations actually take action to align with them. It takes time and resources to align with new regulations, but this should at least serve as motivation for similar companies to get the ball rolling.”