Week Seven – Cyber Security Regulation

Most industries have a love-hate relationship with regulation. However, regulations have been shown to have a positive impact in new or changing markets, especially those that fail to improve at the pace necessary to protect the growth of the industry. Cybersecurity is no exception.

On July 20th, the Transportation Security Administration, with the help of Homeland Security, issued a new regulation for owners and operators of pipelines in the U.S. This was a needed change: the new regulation enforces changes to the security structure and operations of these pieces of critical infrastructure, which had fallen dramatically behind in protection from cyber attack.

This regulation, spurred in part by the recent ransomware attack on Colonial Pipeline, requires that these operators and owners:

• Develop and implement a “contingency and recovery” plan for cyber intrusions

• Compare the plan with DHS standards, identify gaps, develop measures to fill them, and gain approval for them from the Cybersecurity and Infrastructure Security Agency, or CISA

• Appoint and identify, within seven days, a cyber coordinator (and a backup cyber coordinator) who is available to the DHS’s CISA officials “24/7”

• Report all cyber intrusions to CISA within 12 hours of the incident. (Kaplan, 2021)

While this may affect only this part of U.S. critical infrastructure, adoption of these requirements may expand to other industries that are deemed critical, such as electric, water, sewer, railroads, and other organizations. Overall, if properly adopted, implemented, and regulated, this legislation can improve the security posture of the entire country for this vital infrastructure. In addition, this industry will need trained and educated cyber security professionals to meet these new requirements, a certain boon for a growing field.

Reference: Kaplan, F. ‘The U.S. Takes an Important Cybersecurity Step – Two Decades Late’. 23 July 2021. Slate.com.
