
American Security Council Foundation


Colonial Pipeline ransomware attack prompts first cybersecurity mandates for nation's pipelines

Friday, May 28, 2021

Categories: ASCF News Cyber Security


Image showing the Colonial Pipeline Houston Station facility in Pasadena, Texas (East of Houston) taken on May 10, 2021. FRANCOIS PICARD/AFP VIA GETTY IMAGES

The Biden administration will mandate cybersecurity regulations for the nation's leading pipeline companies, officials announced Wednesday, following a massive computer hack that prompted a pipeline transporting nearly half of the East Coast's fuel supply to shutter for 11 days. Previously, voluntary guidelines were given to industry leaders.

The new security directive issued by the Department of Homeland Security (DHS) will require pipeline companies to report cyber incidents to federal authorities, senior DHS officials said, and comes in the wake of a series of ransomware attacks highlighting cyber vulnerabilities to critical infrastructure. Earlier this month, a ransomware attack targeting Colonial Pipeline caused gasoline shortages and panic buying in more than a dozen states and the nation's capital. The shutdown threatened to disrupt airplane travel and mass transit and resulted in a $4.4 million ransom payment to foreign hackers, according to the pipeline's CEO.

Senior DHS officials told reporters this week that "the Colonial Pipeline incident and the broader range of ransomware attacks in the past several months have created a public consciousness of cybersecurity threats that arguably we haven't seen in the past decade," transcending the routine labeling of cyber attacks as purely nation-state driven activity.

"Ransomware, which is primarily criminal and profit-driven, can rise to the level of posing a national security risk and disrupt national critical functions," a senior DHS official said. In the wake of the Colonial Pipeline attack, the White House has launched a new strategy to tackle the growing threat to critical infrastructure beyond the isolated efforts of DHS and the Justice Department.

Since the federal government regrouping that took place post-September 11, 2001, the Transportation Security Administration (TSA) has controlled pipeline security, taking over for the Department of Transportation (DOT). And while DOT still oversees the operation of pipelines, TSA has been tasked with protecting them against terrorist attacks and external threats since 2002. In 2011, the agency issued its first set of cyber-related guidelines, later updating them in 2018.

TSA's new directive will require pipeline owners and operators to designate "a 24/7, always available cybersecurity coordinator" – like a chief security officer – to coordinate with both TSA and the Cybersecurity and Infrastructure Security Agency (CISA) in the event of a cyber incident, senior DHS officials said.

Critical pipeline companies must also within 30 days "take steps to do an assessment as to how their current practices line up" against current pipeline guidelines issued by TSA. According to the officials, companies must "identify any gaps" and establish a timeline for remedying possible flaws, a process that was historically voluntary.

The security directive is part of a larger "strategic plan" by DHS to protect against future cyber incidents like the Colonial Pipeline attack, according to senior agency officials.

"This is step one of a phased approach and we expect that you will see in the not-too-distant future that this will be followed up with an additional set of rules that require a range of actions to be taken by the sector," a DHS senior official said. Yet details on future action remain sparse.

Senior DHS officials remarked they were "very cautious" about releasing company information on cyberattacks to the public, but suggested CISA might publish an "aggregated analysis of vulnerability and risk trends" for the pipeline sector industry in the future.

Companies that fail to comply with the TSA directive will be subject to financial penalties imposed on a daily basis, resulting in compounded costs, one senior DHS official said.

Senior DHS officials estimate there are approximately 100 critical pipeline companies that fall under TSA's new directive. "Those pipeline companies are aware of their critical status, and they have been covered by the pipeline security guidelines, as many other pipeline companies have been as well," an official added.

The TSA division responsible for securing the nation's 2.7 million miles of pipeline had just five full-time employees in 2019, none with cybersecurity expertise, according to a TSA official. "We have [no employees] that have specific cybersecurity expertise," Sonya Proctor, director of the Surface Division for the Office of Security Policy and Industry Engagement at TSA, told lawmakers at a February 26 House Homeland Security Committee hearing. "They do have pipeline expertise, but not cybersecurity expertise."

That has since changed. DHS officials told CBS News that "[TSA] does have trained staff in place now for pipeline security both on the cybersecurity side and on the physical security side." A senior DHS official said the agency's cybersecurity group "received extensive training from Idaho National Laboratory, along with some additional training from CISA."

TSA has committed to conducting 52 pipeline assessments in fiscal year 2021. To date, they've conducted 23.

A slew of critical infrastructure sectors — including dams, public health and agriculture — still do not impose mandatory cyber standards. Lawmaker efforts to institute mandatory cyber requirements dictated by Congress failed nearly a decade ago in the face of strong industry dissent.

For weeks, the Biden administration and lawmakers have voiced concerns about a lack of strict cybersecurity regulations for gas and oil pipeline operators, reigniting the debate for greater company accountability in securing U.S. infrastructure against cyber threats.

And while Homeland Security's new proposal may earn praise from cybersecurity advocates and members of Congress clamoring for action, the TSA regulation is likely to raise questions about the Department of Energy's lack of authority over the nation's energy companies.

Those leading the new security directive, however, remain optimistic that it will not damage the decades-old public-private partnership within the pipeline security sector.

"Even though we will have more structured oversight, in the form of a security directive and other measures to come in the future, we still look forward to a very collaborative relationship with the pipeline industry," a senior DHS official said. "Just because we have a security directive does not mean that we won't continue to collaborate with them."

Source: https://www.cbsnews.com/news/colonial-pipeline-cyberattack-prompts-cybersecurity-mandate/
