Published: 11 June 2021
A new Directive issued by the US Federal Government has ordered pipeline operators to check and report on the cyber security of their pipeline systems within a month. Security Directive Pipeline-2021-01 (‘the Directive’) of 28 May 2021 was published after a ransomware attack led to the six-day shutdown of an 8,900-kilometre pipeline carrying 45% of the US East Coast’s gasoline, diesel, and jet fuel.
Colonial Pipeline felt obliged to pay a ransom to the DarkSide cyber-criminal gang so the operator could regain access to its own IT systems that had been locked by the ransomware. The operator said it would cost tens of millions of US dollars to check and fully restore its systems over months.[1] It stressed that the attack had affected only its IT, and had not resulted in DarkSide gaining access to operational technology (OT).
In industry, the term OT covers software and hardware – e.g., supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs) – that monitor and control assets, specific equipment such as valves, events, and processes.
Gartner research suggests that 60% of companies operating critical infrastructure are only in the earliest stages of maturity when it comes to having integrated and optimized cyber security for OT and cyber-physical systems in place. These companies are aware of the risk, but are unlikely to have implemented robust solutions.[2]
“If pipeline companies show the same spread of maturity about OT cyber security as Gartner found among companies in general, it will likely take a significant effort for some pipeline operators to rigorously apply existing US cyber guidelines for pipeline systems,” said Jim Ness, Regional Business Manager, Cyber Security, North America at DNV.