Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
United States Security

DHS To Issue First Cybersecurity Regulations for Pipelines After Colonial Hack (washingtonpost.com) 61

The Department of Homeland Security is moving to regulate cybersecurity in the pipeline industry for the first time in an effort to prevent a repeat of a major computer attack that crippled nearly half the East Coast's fuel supply this month -- an incident that highlighted the vulnerability of critical infrastructure to online attacks. From a report: The Transportation Security Administration, a DHS unit, will issue a security directive this week requiring pipeline companies to report cyber incidents to federal authorities, senior DHS officials said. It will follow up in coming weeks with a more robust set of mandatory rules for how pipeline companies must safeguard their systems against cyberattacks and the steps they should take if they are hacked, the officials said. The agency has offered only voluntary guidelines in the past. The ransomware attack that led Colonial Pipeline to shutter its pipeline for 11 days this month prompted gasoline shortages and panic buying in the southeastern United States, including in the nation's capital. Had it gone on much longer, it could have affected airlines, mass transit and chemical refineries that rely on diesel fuel.
This discussion has been archived. No new comments can be posted.

DHS To Issue First Cybersecurity Regulations for Pipelines After Colonial Hack

Comments Filter:
  • Cue the shrieks of "Big Government making me do things!!!" from the Southern RWNJ's in 3....2...1...

    • by Tablizer ( 95088 ) on Tuesday May 25, 2021 @01:57PM (#61420904) Journal

      I know a libertarian who keeps suggesting to let specific lawsuits take care of riff raff rather than regulations. The problem is that it's hard to sue if you are already dead. It's as if there is no value in prevention. Either government regulation is "so evil" that the delay is worth accepting, or prevention is ineffective because "gov't usually bungles things".

      But we usually hear about the failures, not the successes. If inspectors find a small batch of bad meat for example, it's taken off the market and few will ever hear about it. Mostly just inspector failures make the news, not successes. We should thank gov't inspectors for reducing life's drama.

      Libertarians, please test your lawsuit-only solutions on a different country first. If and when you perfect it, THEN come back with your plan.

      • Libertarians, please test your lawsuit-only solutions on a different country first. If and when you perfect it, THEN come back with your plan.

        But it turned out so great the last time they tried to take over a local jurisdiction in the US! [newrepublic.com] /s

      • Lawsuit only options do not apply to industries labeled 'critical infrastructure'. They fall under the national defense clause of the united states. Its entirely different than regulating a hospital bed repairman.
        • by Tablizer ( 95088 )

          Libertarians tend not to like "critical infrastructure". They want it more like a shanty town were everything is individually negotiated jurry rigging. Wasteful duplication is "disaster-friendly redundancy" to them. Factoring Shmactering.

          • Im a Libertarian and I understand infrastructure vs non infrastructure. Generally speaking im in favor for a company hiring whoever the hell the want; but if its a defense contractor it better be us citizens only, even the damn janitor. The same applies to every level of sub-contract as well. National defense is a clear constitutional provision.
            • by Tablizer ( 95088 )

              I'm thinking more of plumbing, telecom, waste removal, and electricity. And I understand every libertarian's views won't be identical.

      • by NFN_NLN ( 633283 )

        > The problem is that it's hard to sue if you are already dead.

        If ever there was a use for family, it's to avenge your wrongful death through financial reward. Brings a tear of joy to my eye.

    • Cue the shrieks of "Big Government making me do things!!!" from the Southern RWNJ's in 3....2...1...

      I wouldn't expect them to, they didn't even turn up when Florida regulated social media companies to host users that'll destroy their revenue stream.

      • It won't destroy their revenue. Are there really that many leftists that will really leave Facebook or Twitter because Trump is allowed to post there?

      • Florida regulated social media companies to host users that'll destroy their revenue stream.

        Gaslight much?
        DeSantis gave consumers the right to sue if they believe the terms of service were used unfairly against them for content someone else wasn't disciplined for.It doesn't guarantee their service will be restored or that they will receive recompense for damages. If media companies are picking and choosing similar content and only blocking the content they don't like they are acting as a publisher and are no longer covered by 230.

        A good example is Gina Carano being kicked off of Twitter and get

    • by schwit1 ( 797399 )

      Should government regulate critical infrastructure, yes
      Should unelected bureaucrats(DHS) regulate critical infrastructure, only as advisors, monitors and enforcers

      The Constitution gives Legislative authority to Congress. Regulations are laws by another name. To ensure government accountability, Congress should have to vote on anything that has the force of law.

    • They'll probably just tell them to follow existing industry guidelines relating to security, which would have probably prevented this mess from happening. There's plenty of information on how to make your networks more secure out there, most places just don't do it.

      • by rtb61 ( 674572 )

        I suspect, that they suspect, that the hack was less than genuine and no confirmation yet how the ransom software got onto pipeline control systems and as yet no reports of maintenance done that required a shutdown to do and whether any of it was booked prior to the ransomware attack nor any indication yet who got the ransom money (colonial pipeline was suffering major faults and leaks and as such needed to shutdown the pipe to do repairs which would have cost them a fortune, so).

        Any executive could load r

    • Government's gotta Govern. Private Companies gotta ignore Governance. Forces of nature . . .
  • I hope there is or will be similar for trains, ships, traffic control, power plants, safety & medical equipment, etc.

    * Scouts weren't prepared for pedos

  • by OffTheLip ( 636691 ) on Tuesday May 25, 2021 @01:51PM (#61420886)
    Text only email.
  • by holophrastic ( 221104 ) on Tuesday May 25, 2021 @02:23PM (#61420986)

    I've said it countless times on slashdot over the last decade, maybe two. Security doesn't work this way.

    You can't have documented security practices to defeat innovative criminals. You can't have costly efforts to defeat profitable efforts.

    I keep going back to the wild west train robbery of gold bars by outlaws. Outlaws will always win because they are "outside of the law", hence the name.

    The wild west was eventually tamed by the combination of two very interwoven fabrics of society.

    The first was the FBI -- they'll keep looking for the criminal forever. So there's no "getting away with it", there's only "watching your back for the rest of your life".

    The second was the city itself. Who wants to live in the woods with tonnes of gold when you can live in the city with water and entertainment and food and bathrooms. So there's no "come find me in my booby-trapped forest", there's only "lock my front door and pull down the shades and hope they don't see me carry the gold from my driveway".

    We're stuck in the wild west again. A group of criminals who live far away, they attack, they run away with the gold, law enforcement can't find them.

    Sure, of course more security measures will make it harder for them. Hey, the best security measures will make it very hard for them. So they'll do what everyone does when the work gets harder -- they'll charge more! It'll happen half as often, and the ransom will cost twice as much. The only real change will be all of the costs of the security measures incurred -- ultimately for no benefit.

    The solution is the same as it was -- enforceable laws, and a society where following the laws is more beneficial than breaking them.

    Simply put, absolutely nothing else has ever worked.

    • by DarkOx ( 621550 ) on Tuesday May 25, 2021 @03:03PM (#61421170) Journal

      Exactly the real answer is a NATIONAL FIREWALL.

      People don't want to hear this but its true. The Internet needs to balkanized for everyone's sanity. Leave the domestic internet open and mostly unregulated as it exists today. As you say the FBI will catch up with anyone who does something seriously criminal eventually and its a very effective deterrent. Unless that person is beyond the FBI's reach.

      We just need to regulate all the international links. LEO IPS/IDS/Logging at each - no ciphered traffic over them except registered VPNs. and no but what about wireless/radio/satellite people will just break the rules - yes some will and the FBI can go after them.

      Registered VPNs would allow corporations and individuals to connect to resources securely internationally as long as they have legal responsibility for both ends. You can have your corporate VPN it just has to STAY private, that is you can't allow people to use it as a transport network and gateway back out to the Internet. Running an ecom site or social media whatever -again no problem you can offer encrypted comms you just need VPS in the other localities and you host a copy of site there, replicated data over your VPN all day long. However we should also require people that do this to pay into or have some kind of private insurance or setup some kind of victims compensation fund.

      Attackers will undoubtedly compromise private networks with VPNs and use them as proxies which is why persons/orgs who chose to operate such networks need the insurance they would be liable for damages caused by international actors who abuse their systems to attack other domestic network users.

      • If you don't mind, I'll summarize your NATIONAL FIREWALL to be consistent with my "old laws already exist" philosophy.

        What you're talking about is border patrol, customs, import/export regulations/inspections/tariffs.

        Just waiting for someone to call "electronic data" the very same as anything else being transported -- electrons are no different than birds. If you transport them intentionally, they go through border laws. If they fly on their own, they can come and go as they please. Water and seeds too.

        • by DarkOx ( 621550 )

          I don't mind - extending normal customs controls to the internet is the major thrust of my proposal

      • by arQon ( 447508 ) on Tuesday May 25, 2021 @11:10PM (#61422516)

        This post is, at best, astonishingly short-sighted and outright stupid. At worst, it's fascist and outright stupid. I can only assume it was modded up by Russian trolls or something, so rather than fight them with mod points myself, I'll extract the one tiny grain of coherent sanity that almost made it in there and expand on that instead.

        The problem isn't "100% of traffic (including voice and video) must be visible to the state at all times, Comrade". Even if you ignore the obvious Constitutional issues with that (as the NSA already does, though you clearly don't have a problem with that), all your idiotic system does is push the problem to a different piece of the system. It's not just literally criminal in its overreach, anathema to the supposed principles of the USA, impractically expensive and complex, but it doesn't even achieve anything. All it does is add "compromise a Big Brother-approved endpoint first" to the process.
        You handwaved that in your last sentence - I assume because at that point you'd realized that this idea was 100% pure garbage, but were too invested to just walk away from it like anyone with competence or a conscience would have - but funnily enough that doesn't actually make the problems disappear.

        So your brilliant plan is to cut each country off from the rest of the world, except for approved opinions only, and have everyone who wants to move data between countries - like, you know, to family and such if they're filthy immigrants - pay into an "insurance" fund that can be used to ... cover the losses of a multi-billion dollar company that can't be bothered to secure its systems properly, thus freeing them from such tedious and expensive investments. All while adding literally no protection AT ALL to any high-value targets, where the attack can simply be done from within the country - only now even more easily, because the "national firewall" is protecting them.

        But the "ecom sites" (wow, good job saving those 5 extra characters!) will have insurance, right? "No problem", you said. And that insurance will require "appropriate measures" to be taken to GET that insurance, the same way you have to have locks on your doors to get your house insured. So for a small business just starting out, that's "Norton VPN" or something similarly high-quality. And of course, that's going to be COMPLETELY impenetrable, right? Because obviously it will be. Just think: if only we could put that magical technology into the control systems of something important like an oil pipeline! Oh, wait...

        (Or maybe you mean that, since those businesses won't be able to GET this magical insurance of yours, you can further entrench Google, FB, Amazon, et al, who don't have to worry about such things? Or maybe play Kingmaker, or refuse to offer it to certain groups that you don't approve of? I realize you haven't thought about this at all, let alone to any sane conclusion, so I'm not sure what your real goal is with this part. I'm not going to waste my time on the hundreds of other ways this braindead idea could go even more wrong).

        But yeah, that's an easy "No".

        How about, instead of that, we have companies - and this is a bit of a radical idea, but hear me out - actually take security seriously? This isn't an Internet-of-Shit coffee maker. How about they NOT connect industrial equipment to the internet for no reason, and put some tiny hint of competent protection in place when it does?

        And how about people like you who STILL haven't grown out of their 10th grade power fantasies stop using every damn excuse you can think of as yet another justification for yet another increase in the government's ability to spy on and control the speech of its citizens. Because that's about the only effect I can see from your demented idea: it sure as hell doesn't have even an atom of *technical* merit to it, at all, with regard to solving the actual problem being discussed here.

        • by DarkOx ( 621550 )

          I am not talking about censoring any speech at all. You can read post share whatever like across the boarder as long its something clear text like HTTP.

          That way "customs" can spot stuff like Command and Control or known malware and shut it down. So yes a tiny fraction of stuff might get blocked. I am sure provisions can be arranged to allow people like researchers to get things.

          Those small operators won't matter much because they don't offer the bandwidth to spray malware or mass e-mail etc over their litt

    • by ksw_92 ( 5249207 )

      Your "wild west" analogy is apt and the guys who hit Colonial are like Butch Cassidy and the Sundance Kid: https://www.youtube.com/watch?... [youtube.com]

      "Think you used too much dynamite there, Butch?"

      Eventually the criminals will get too successful and draw too much attention. This generally results in their demise as they can't run forever and can't hide large amounts of ready cash for long..

    • by GrahamJ ( 241784 )

      I don’t think this is a good analogy. If they had mandated that every train carrying gold had to have 50 armed guards on board you can bet there would have been a lot less successful trainjackings.

      You still have the FBI chasing down criminals but that and easy-living cities aren’t enough to prevent attacks. The goal of improving security is to make it more difficult - and thus expensive - to break in. If only the best and most moneyed groups can manage to evade security then less breakins should

  • Wait, I thought the CISA [csoonline.com] was responsible for this?

    Why have a bunch of incompetent McDonald's middle management wash-outs in charge of this?

    • My first thought as well. Who in the heck makes security decisions at the DHS? Infrastructure security should have been put in place well over 20 years (or longer) ago. If companies insist on connecting their equipment to the public Internet there should be a checklist in place that must first be finished before going live. If there is a breach, the company absorbs the cost, not the consumer at the pump like we're seeing now. Hit their pocket-book and they will do better.
      • I agree with all of that except that since Oil and Gasoline are commodities. Since no gas station actually owns the fuel in its tanks, market manipulation and panic buying as a result of it will be the norm. Prices have been on an upward trend since the election. [cnbc.com]

    • by chill ( 34294 )

      From the paywalled article:

      That TSA handles pipeline security at all is an artifact of the post-Sept. 11, 2001, reorganization of the federal government. Originally, the Department of Transportation oversaw pipelines, which were seen as a mode of transportation -- whether conveying fuel, gas or chemicals. Then in 2002, responsibility for pipeline security was moved to the newly created TSA, which was given statutory authority to secure surface transportation. DOT, however, still is in charge of safety of the actual pipes -- or ensuring they do not fail.

      • It looks like we have duplication of effort again, color me shocked.

        CISA is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. Its mission is to “build the national capacity to defend against cyber attacks” and to work “with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the .gov networks that support the essential operations of partner departments and agencies.”

        I'd say pipelines are critical infrastructure.

        • by chill ( 34294 )

          Yeah, that's mentioned further down in the article about how DHS (CISA) already has responsibility for some of this so... let's not have conflicting guidelines.

          TSA can take the easy way out and say "CSF & FISMA", getting them all on the same page. Not the best, but better than a what they have now and it least it won't conflict.

  • limit outsourcing? work must be down from USA?

  • Great ! now we'll have to queue around the block, show ID and be e-strip-searched before we buy gas. At least it will hasten the adoption of electric cars.
  • They did this to themselves. Stupid.

  • This should be a government agency wide requirement
  • I support the corporate death penalty. If a company fucks the american people badly, the american people's government should have the right and obligation to revoke the corporate charter and put the corporation up for bid. The existing shareholders would get $0.

    With that risk, we would see all shareholders demand that companies operate in a manner that puts the american people first. Security and ethics should come first, before profits.

    • Isn't this what the marking "criminal organization" is meant to do?. I think it is quite hard to go from criminal neglect in security to a criminal organization, but if a company is marked as a criminal organization, it is effectively a death sentence.
  • We had a pipeline hack, so we must regulate pipelines. Other infrastructure? Oh it wasn't hacked so we don't have to regulate it. What does the new regulation say in its 1500 pages? Well, more or less "don't get hacked."

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...