U.S. homeland security officials unveiled new pipeline cybersecurity rules yesterday alongside a rare warning about a nearly decade-old hacking threat.
The Department of Homeland Security cited a cyberthreat that dates back to December 2011 in its unusual alert issued yesterday, disclosing for the first time that suspected Chinese hackers gained access to the controls of "several U.S. natural gas pipeline companies" and noting their strategies "remain relevant" today.
The DHS announcements come as hackers linked to China and Russia have stepped up attacks on U.S. critical infrastructure in recent months, forcing the shutdown of a major fuel pipeline in May and posing a cyber policy challenge for President Biden. The cybersecurity requirements rolled out yesterday appear to be the strictest yet imposed on the U.S. pipeline sector and could signal tougher federal cyber oversight to come in the energy sector.
Ron Brash, director of cybersecurity insights for Verve Industrial Protection, said in an email that the hacking alert is "a type of burn notice saying, ‘We warned you last time, and we are really warning (reminding) you again.’"
The document from DHS’s Cybersecurity and Infrastructure Security Agency and the FBI also reveals that the 2011 cyber intrusions were "intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines" or disrupt their operations.
Some cybersecurity analysts questioned why the government waited nearly a decade to publish details of the Chinese hacking threat, which infected at least 13 oil and natural gas pipeline companies and targeted 10 more (Energywire, May 23, 2017). Pipeline operators were privately notified of the campaign in 2012.
The hacking spree is thought to have tapered off in 2013 and was later linked to Chinese military officers in a secretive People’s Liberation Army office. The Chinese government has denied wrongdoing.
Nathan Brubaker, director of analysis at Mandiant Threat Intelligence, said in a statement that "while this activity certainly should be of concern" to pipeline operators, Beijing does not mean to wreak havoc.
China "has largely focused on mainly using cyber espionage as a means to drive economic growth and development in industries prioritized by the Communist Party," Brubaker said. "We have seen little evidence over the past 10 years of PRC cyber operations targeting critical infrastructure with the end goal of disruption or destruction, but we do not discount the possibility that they may do so in future conflict scenarios, such as in the event of war."
Brubaker said that Mandiant has seen multiple threat actors linked to China target industrial control system (ICS) operators, "including an energy company, multiple natural gas pipeline companies, an ICS equipment manufacturer, and an ICS security firm."
The intelligence community has long warned about China’s disruptive hacking capabilities. In April, the Office of the Director of National Intelligence released a worldwide threat report saying that China can "at a minimum" bring "temporary and localized" disruptions to U.S. critical infrastructure through cyberattacks.
On Monday, the Justice Department indicted four hackers alleged to have supported some of Beijing’s recent cyberespionage campaigns aimed at stealing intellectual property (Energywire, July 20). However, the older pipeline intrusions went beyond corporate spying, CISA officials said.
From 2011 to 2013, Chinese hackers were able to get into pipeline networks through remote software and systems that sent data between corporate and industrial control system networks, the cyber agency said in its alert.
"Though designed for legitimate business purposes, these systems have the potential to be manipulated by malicious cyber actors if unmitigated," CISA said.
Brash of Verve Industrial warned that pipeline operators still aren’t ready to deal with modern cybersecurity threats.
"Most operators do not have enough visibility into these environments, much less tooling to deal with a threat," he said. "It would be tough, and given the age of most pipelines … even tougher than most would like to admit."
Pipeline requirements
DHS separately issued a security directive yesterday requiring pipeline companies to set baseline defenses amid a recent uptick in ransomware attacks, which lock up victims’ computer networks and demand payment for the key.
"The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” said Homeland Security Secretary Alejandro Mayorkas. "Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security."
The rules follow a yearslong tug of war between pipeline industry representatives and cybersecurity experts who warned of gaps in U.S. defenses. DHS’s Transportation Security Administration took a voluntary approach to pipeline security oversight even as top intelligence officials and some pipeline executives said a successful attack could cause weeks of disruptions and ripple across the energy sector. A ransomware attack in May by a Russian criminal group forced Georgia-based Colonial Pipeline Co. to halt nearly half U.S. gasoline deliveries to the East Coast for nearly a week, spurring panic buying at gas stations and price spikes that lingered into June.
Details of TSA’s latest directive were deemed security sensitive and shielded from public view. But the rules broadly require pipeline owners and operators to complete certain cybersecurity mitigation measures and plan for how to recover from a major hack, officials said. They are backed up by fines of up to $11,904 a day per violation — the maximum civil penalty for pipelines under the latest TSA guidance.
The new cyber contingency plans should include strategies to isolate infected systems and keep an updated backup of the most critical systems, a TSA spokesperson said. Pipeline owners must also implement security best practices subject to reviews by TSA and CISA.
Suzanne Lemieux, manager of operations security and emergency response for the American Petroleum Institute, said in a statement that the industry group is "supportive of TSA’s efforts to strengthen the capability and maturity of our nation’s critical infrastructure and [looks] forward to working with them to ensure operational continuity as they move toward implementation of this directive."
API plans to release an updated version of cybersecurity best practices in the third quarter this year that has been in development since 2017, Lemieux said. The new edition has input from TSA, CISA, the Energy Department and its national laboratories, and the Federal Energy Regulatory Commission, among others, she said.
A spokesperson for the American Gas Association said the organization is still reviewing the directive.
TSA’s directive is the second to address pipeline cybersecurity concerns raised by the Colonial Pipeline hack. In May, TSA required critical pipeline owners to report attempted and successful hacks to CISA no later than 12 hours after discovery. The mandate also required companies to review their cybersecurity practices and appoint a cybersecurity coordinator who would be available 24/7 to CISA and TSA in case of emergencies. That directive was backed up by $7,000-per-day fines.