Homeland Security's 2021 Cyber Security Directives for Oil and Gas Businesses

Learn more about the requirements that oil and gas businesses must now adhere to given the July 2021 cyber security directive issues by the Department of Homeland Security to minimize cyber crime and mitigate its operational, technical, and financial damages. 

The Department of Homeland Security (DHS) released an updated directive that impacts pipeline owners and operators. Designated critical pipelines need to implement outlined IT security measures to protect against cyber attacks and system breaches. 

This second directive comes as an addition to one issued in May 2021 and is in response to the severely expensive and disastrous breach of Colonial Pipeline. The directive aims to fill in the gaps in security posture for critical infrastructure that were left in the first directive and left Colonial Pipeline exposed.  

“The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical [IT] infrastructure from evolving threats,” 

 

Alejandro N. Mayorkas

Secretary of Homeland Security

Who does the 2021 DHS Cyber Security Directive apply to?  

This directive outlines new requirements to be followed by owners and operators of "hazardous liquid and natural gas pipeline or liquified natural gas facility". Essentially, it applies to energy pipeline systems and facilities designated by the TSA as critical.

These owners and operators should be or have been notified by the TSA if their pipeline or operation is deemed "critical".

What were the requirements of the May 2021 DHS Cyber Security Directive?

The original directive outlined several security requirements that owners and operators in the energy industry need to adhere. The first was that pipelines needed to disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) as soon as possible, and no later than 12 hours after the threat is identified. The Cybersecurity and Infrastructure Security Agency is a department within homeland security that deals with the national security issues of malicious hacks and cyber attacks.  

The second change highlighted in the directive was to have a cybersecurity coordinator available 24x7. Pipeline companies must designate someone or a group of people, who will be able to implement cyber security practices and procedures at any time. The coordinator must have the ability to coordinate and enforce the tools and practices across the entire organization.  

The last item addressed in the original directive was the need for teams to identify and remediate any risks in the environment and report them within 30 days to TSA and CISA.  While the previously mentioned requirement regarding reporting to a national agency deal with incident recovery and investigation, this requirement focuses on IT security visibility and vulnerability — even absent of an incident. 

What are the requirements outlined in the July 2021 DHS cyber security Directive? 

The second directive introduced several new requirements aimed at promoting rigorous review of current security posture and implementing best practices. Pipeline owners and operators must now have specific mitigation measures that will protect against ransomware.  This includes advanced threat hunting and response technologies, such as endpoint detection and response (EDR) and network detection and response (NDR). These technologies can help discover threats and isolate them before they penetrate IT systems further and cause further damage or harm. They can be purchased on-premise or through a cloud-based security-as-a-service platform, the latter which may be more cost effective – especially for smaller to midsized oil and gas organizations.  

Additionally, companies are required to develop and implement a cybersecurity contingency and recovery plan, or incident response plan. While there are many components to a comprehensive recovery plan, which may vary slightly for different businesses, Centre’s team of certified experts emphasize 4 main components  

1. Clean copy of data  
   Organized and updated data is routinely backed-up according to your business's budget, size, and needs. By default, Centre's IT experts recommend the standard best practice of the 3-2-1 model, 3 copies across 2 locations with 1 offsite or locked. 
   
   

2. Proactive threat hunting
   Advanced and "always on" threat detection and response technology is utilized to catch and remediate threats before they inflict damage or jeopardize technology and data beyond return.
    

3. Visibility into security gaps 
   Comprehensive security assessments and/or advanced security scanning detects vulnerabilities and pain points in current IT security posture so businesses can build an effective and efficient plan moving forward.
   
   

4. Cyber insurance
   A partial, but necessary, component of Incident Response Plan (IRP) to financially protect your business from risk and liability in the event of a disaster or attack.

Lastly, IT systems need to be reviewed by a team of cyber security architecture and design experts. Many businesses fall victim to using outdated technologies or practices which put them at preventable risk. Businesses need to have a routine and objective assessment of their tools and procedures to ensure that they are utilizing the most advanced technology and more recent information to prevent cyber crime and minimize its damage. Small and midsized companies can either perform this evaluation with an in-house staff, but many would benefit from the extended bandwidth, objectivity, and expertise of hiring certified and trusted IT consultants.  

What actions can businesses take to adhere to directives? 

The first steps businesses can take to ensure that they are within the requirements outlined by Homeland Security is to carefully assess their current IT environment to understand their current IT security posture and compliance. In their evaluation, organizations will want to consider questions such as:

1. What is our current ability to identify and remediate threats?
    

2. How likely is an attack to occur and through what sources?
   
   

3. How much damage or expense would an attack cause if it were to occur today? 
   
   

4. Do we have a cyber security coordinator available 24x7? 

Organizations needing extra expertise and focus can also outsource IT security assessments for a comprehensive and objective evaluation of their security infrastructure, personalized for their size, industry, and business goals. After assessments, trusted IT companies will also give a detailed blueprint for improvement, outlining key security gaps and next steps. 

Once businesses have a better idea of their current IT security environment and bandwidth, they will want to use sophisticated technologies that can help identify and mitigate threats, including ransomware. Businesses should decide on network and endpoint detection solutions and services  to implement, and utilize assistance  in choosing technologies, deploying them, and/or saving money through the process. 

Additionally, oil and gas pipeline owners and operators will want to ensure that they currently have at least one cybersecurity coordinator available at all times, day and night. If not, these organizations will have to look into hiring one or more coordinators. 

Lastly, businesses in the energy industry will want to develop or update their incident response plan. This plan should be carefully designed after understanding what security tools and practices are currently being utilized, what IT security gaps exist and IT risk is exposed, and consulting with multiple departments and stakeholders in the organization. A plan should prioritize protecting data, operations, and the bottom line. 

Want to improve your IT security today? Contact Centre Technologies for comprehensive and customized advisory and service in ensuring that your organization is fully compliant and prepared to combat cyber crime at the lowest possible cost.