News spotlight: Oil and Gas pipelines a target for hackers – part two

Following our last oil and gas industry news spotlight on the advisory issued by the CISA and FBI on a spear phishing and intrusion campaign carried out between 2011 and 2013, Damon Small, technical director at NCC Group, reacts to a new directive that requires owners and operators of critical pipelines to implement specific measures to protect against ransomware and other prevailing threats.

The directive - released by the Department for Homeland Security (DHS) and Transportation Security Administration (TSA) - follows a string of critical national infrastructure attacks in the US this year, including the US colonial pipeline ransomware attack, which disrupted fuel supplies across North America and has since been dubbed as the largest attack on US energy infrastructure.

While specific criteria are yet to be released to the public, the directive is expected to focus on changes to IT and operational technology operations for the top 100 US pipelines.

Is this new directive a good thing?

'Any infrastructure is considered as 'critical' when it can impact the health and safety of large numbers of American citizens. Recent events, such as the Colonial Pipeline incident, have taught us that these pipelines are critical to getting fuels and other chemicals from where they are refined to where they are consumed.

'The directive is a positive step forward and signifies that that the federal government recognises that self-regulation can only provide so much protection to these infrastructures and that it can vary wildly. The ability of any organisation to decide how much effort and money is appropriate to protect their information assets is a very subjective exercise. Directives like this endeavour to level that playing field so that all organisations must make those decisions based on standards that are compulsory.'

How will owners and operators be held to account?

'When it comes to accountability, there are many existing standards and regulation set forth that include financial sanctions and there is no doubt that the directive from the TSA will be no different. Examples include things like HIPAA, PCI-DSS, and NERC-CIP. The point of financial penalties is to modify organisations' behaviour by making following the rules less costly than paying the fines. The assumption here, of course, is that the rules are effective in protecting the assets that they are designed to.'

What do pipeline operators need to know today about cyber security threats?

'Defence is harder than offence. When any company tries to protect information assets, they have to defend against all attacks and vulnerabilities. The adversary must successfully exploit but one. These directives are not the Federal Government telling businesses how to operate; rather, the Fed is making the standard of how to operate in a safe manner consistent across entire industries.'