Everyone remembers the ugly days following the large ransomware attack on Colonial Pipeline's IT infrastructure. Most security experts who know anything about the oil and gas pipeline industry were not surprised. While the Transportation Security Administration (TSA) had published recommended security practices for pipelines, there was no formal regulation of any sort requiring oil and gas pipelines to maintain a reasonable cybersecurity posture.
Moving at lightning speed for a government agency, the TSA, which has authority over pipeline operations, issued what it calls Security Directive 2, or SD2. The document is designated Sensitive Security Information under 49 CFR Part 15 and 49 CFR Part 1520, so those who have read it can't say anything publicly about what is in it. However, I can point out that because it was written in such a hurry, we shouldn't be surprised if it has significant technical and logistical deficits.
I expect there will be objections from the dozen or so industry organizations. In fact, I would not be surprised if these objections evolve into court cases. Even if I am wrong, compliance will be expensive for the industry, and it will be difficult to bring staff, consultants, and existing standards up to speed.
The lesson to be learned is this: if you work in critical infrastructure and you aren't busy securing your operation, get started now. That goes for water, manufacturing, transportation, food, everything. You will need a security coordination group of some sort. It could be part of an ISAC, a separate organization like NERC in the electric sector, or some other body. That organization can start assembling security practices for the industry and set recommended criteria for applying those practices.
Then, if a regulatory group comes along, they won’t be starting from almost nothing, as the TSA had to do. If you don’t get started right now, someone with less industry background than you have will impose cybersecurity measures on you. That’s what happened with TSA SD2. From what I’m hearing, nobody is happy about it from any perspective. That is why I advise against waiting for a government agency to impose these requirements. Do it yourselves, or it will be done to you.