DHS decides pipeline companies need cybersecurity regulations


The hack of the Colonial Pipeline — which kneecapped oil availability on the East Coast for almost two weeks — was as disastrous as it was likely preventable. A branch of the Department of Homeland Security, however, is hoping to correct course by changing the rules on cybersecurity and disclosure for Colonial and other companies in the pipeline industry.

As reported by The Washington Post, the Transportation Security Administration (yes, the same sub-branch of DHS everyone associates with taking their shoes off in airports) will be requiring pipeline companies to report breaches and other cybersecurity incidents, with additional rules on how to keep these critical infrastructure systems secure from digital threats arriving “in coming weeks.” Any sort of abnormality which could, say, cause a company to part with $4.4 million in ransom money, would need to be reported to both the TSA and the Cybersecurity and Infrastructure Security Agency (CISA).

Incidentally, guidelines already exist to keep these sorts of systems secure — following them was merely voluntary. Companies were also free to decline inspections of their systems by the TSA. (We’ve reached out to Colonial to see if it chose to duck any such inspection.)

According to an anonymous source within the agency who spoke to The Washington Post, failing to meet the forthcoming requirements is likely to result in financial penalties, though how much is unclear. They would have to be fairly substantial in order to change the essential calculus. As Wharton researchers point out, the average cost of a breach in 2017 was just north of $7 million — not a massive expenditure compared to say, the price tag for implementing top-notch cybersecurity across a swath of legacy systems; they also found that “in the short run, the market jumps in fright after disclosure of a breach, but in a longer period of time (even just a month), there is hardly a difference between a breached and an un-breached company.” In short: a successful breach does very little to a company’s bottom line, either through immediate costs or longer-term stock valuation changes.

Essentially, TSA’s new rules will need to have substantial power to inflict financial hardship, or companies probably will not have much incentive to change their lax habits.

That these decisions are driven entirely by profits is nowhere better exemplified than by the Colonial hack itself, which did nothing at all to harm the actual systems responsible for delivering fuel: what was compromised, according to CNN, was Colonial’s billing system, and the protracted shutdown was due largely to the company being unable to determine how much customers would have owed.

Even assuming pipeline companies are broadly cooperative, the TSA is setting itself up for a Sisyphean task of overseeing over 2 million miles of pipeline with a staff — as of 2019 — of just five auditors.



Source link

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertisment

Latest posts

Windows 11’s news feed has built-in tipping to support local content creators

Supporting local news sources is suddenly something the tech industry worries about, and with Windows 11, Microsoft is adding integration with...

UK carrier EE introduces EU roaming charges following Brexit

UK carrier EE is introducing roaming charges for customers traveling to almost all EU countries from January next year, BBC News...

Google delays blocking third-party cookies in Chrome until 2023

Google is announcing today that it is delaying its plans to phase out third-party cookies in the Chrome browser until 2023,...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!