Risk Dominos: Cyber Attack → Operational Failure → Regulatory Reaction → Data Exposure → Customer Lawsuit


“During the 1H of 2021, the attacks at Oldsmar, Colonial Pipeline, and JBS Foods demonstrated the fragility of critical infrastructure and manufacturing as it’s exposed to the internet. The attacks showed how attackers could find weaknesses to change chemical levels in public drinking water or use commodity ransomware to shut down fuel and food delivery systems.” (Claroty)

According to one Congresswoman, the attack on Colonial shows “that cybersecurity is no longer just a ‘tech’ issue – it’s at the very heart of protecting the systems that power our lives as Americans.” Uncertainty about regulatory and legislative oversight of cyberspace is a growing concern. 

Who’s in charge? TSA has principal oversight of pipeline cybersecurity. Its authority to provide security guidelines is shared in part with CISA (a “risk advisor” whose funding and authorities will be bolstered in 2022) and its Pipeline Cybersecurity Initiative, which has tried to assess pipeline cybersecurity preparedness and develop risk mitigation strategies. CESER (DOE’s office that coordinates cyberattack response), and PHMSA (the DOT unit that has control of pipeline safety and transportation of hazardous materials) have “secondary roles.” FERC sets rates including for recovery of pipeline investments in cyber protection; its Chairman bemoans the fact that: “no comparable [to NERC] mandatory standards [exist] for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines” and has called for mandatory standards. 

Homeland Security statement (May 27, 2021): “TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.”

“The TSA assessments are minimal,” states the CEO of Verve Industrial.

The President, on July 28, 2021: “I have established an Industrial Control Systems Cybersecurity Initiative to significantly improve cybersecurity of these critical [infrastructure] systems. We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions is central to ensuring the safe operations of these critical systems.”

Secretary of DHS (March 31, 2021): “We must fundamentally shift our mindset and acknowledge that defense must go hand in hand with resilience. Bold and immediate innovations, wide-scale investments, and raising the bar of essential cyber hygiene are urgently needed to improve our cyber defenses. We need to prioritize investments inside and outside of government accordingly.”

Washington View of Industry’s Role. Like other industries, pipelines will have to shoulder responsibility for best practices that can have a “high impact” based on their potential to reduce the risk of a successful cyberattack. They should – 

• Mandate multi-factor authentication, because passwords alone are routinely compromised

• Implement endpoint detection that actively hunts for malicious activity on the network

• Implement endpoint response to block, trace, and contain malicious activity once it is detected

• Encrypt data (in transit and at rest) so that it is unusable if stolen or accessed without authorization

• Retain a skilled, empowered security team trained to be vigilant and responsive to cyber threats: patching software promptly, sharing threat information with trusted partners, and keeping defenses current

Business leaders should –

• Back up company data, system images, and configurations, and test the backups regularly

• Keep backups on separate systems, isolated from the production network, so an intruder who reaches the primary systems cannot also destroy the copies

• Commit to timely system updates and patching

• Test incident response plans rather than merely writing them

• Validate the security team’s work through third-party testing, such as penetration testing

• Acknowledge that states have an important role

Source: Open Letter, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, The White House, June 2, 2021

Downstream Consequences. “Cybersecurity lapses at major companies have led to class-action lawsuits and settlements in the hundreds of millions of dollars. Colonial isn’t the only company being sued. San Diego-based hospital system, Scripps Health is facing class-action lawsuits stemming from a ransomware attack in April.” 

Source: Washington Post, July 26, 2021 

The Congressionally-authorized Cyberspace Solarium Commission’s layered approach to defense ultimately requires that we “shape behavior in cyberspace by banding with allies to create a clear set of norms and consequences for those who violate them. The country, as the commission assesses, is finally crafting some tools for robust cybersecurity. The key will be viewing these tools not as ad hoc responses to problems as they arise, but rather as a means for building something bigger and more resilient.” 

Source: Wash. Post Editorial August 20, 2021 
