In the last year alone, the number of successful, large-scale cyber-attacks has risen sharply (by 62%), while the same period saw a rapid acceleration of digital transformation, pushing security teams to adapt best practices to circumstances they have never faced before. In many cases, that quick expansion left security teams spread thin and opened new gaps for bad actors to exploit. The recent Colonial Pipeline attack is a prime example. But what does this mean for the security industry as a whole? Most immediately, it means cybersecurity regulation is now being addressed at the federal level through new DHS cybersecurity requirements written specifically for pipeline owners and operators.
Interested in all things regulatory research? Refer to OneTrust DataGuidance.
Understanding the impact of cybercrime on federal security
As cybercrime rates reach an all-time high, the criticality of the security industry becomes more and more evident. In an ever-changing cyber landscape, thorough and consistent execution of protective measures is vital to maintaining secure cyberinfrastructure across the country. How can that be achieved while attacks are at an all-time high? Establishing regulation at the federal level is a pivotal place to start. Let’s dive into the new DHS regulation:
What is the new directive, and who does it affect?
On May 27, 2021, the US Department of Homeland Security announced new cybersecurity requirements for critical pipeline owners and operators, issued as a Security Directive by the Transportation Security Administration (TSA). The directive is a direct response to the Colonial Pipeline ransomware attack of May 7, 2021, which showed the impact a major pipeline breach can have on both a country’s security posture and day-to-day civilian life. As released, the directive imposes the following requirements on pipeline owners and operators:
- Owners and operators must report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA).
- Owners and operators must designate a Cybersecurity Coordinator who is available 24 hours a day, seven days a week.
- Owners and operators must review their current practices against TSA’s pipeline security guidance, identify any gaps and related remediation measures for cyber risk, and report the results to both TSA and CISA within 30 days.
The directive marks a major shift in how the US government treats critical pipeline owners: TSA’s pipeline security guidelines were previously voluntary, and these requirements are mandatory. With the directive in place, oil and gas pipelines are now regulated in a way comparable to other critical US infrastructure, reflecting the role they play in the US economy and in national security as a whole.
Learn more about the regulation through OneTrust DataGuidance: USA: DHS announces Security Directive for critical pipeline sector
Why is the involvement of the federal government crucial to cyber regulation?
Over the last year, there has been one consistent trend in security: a continually evolving threat landscape. Global cybersecurity spending is projected to exceed $1 trillion cumulatively over the five-year period ending this year, and the cost of a single successful breach can range from around $1 million to as much as $500 million for a company. Unfortunately, the effect of an attack goes far beyond the fiscal impact on the company itself. Often it puts civilians at risk of having their data compromised, or has a broader economic effect on the community as a whole.
The impact of security: It goes beyond the enterprise
The recent pipeline attack showcased the importance of the oil and gas industry to US infrastructure, as well as the large-scale security risk that comes with it. The Colonial Pipeline, owned by Colonial Pipeline Co., is the largest refined-fuel pipeline serving the East Coast, running roughly 5,500 miles (about twice the width of the contiguous United States) and supplying about 45% of the fuel consumed in the region. The ransomware attack led the company to halt pipeline operations for roughly six days, exposing supply chain vulnerabilities for thousands of companies reliant on its fuel and causing shortages across the eastern part of the country. It highlighted the ripple effects a major breach can have on both enterprises and broader communities.
“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
– Alejandro N. Mayorkas, Secretary of Homeland Security, DHS Cybersecurity Announcement
What does this mean for me?
In the wake of major breaches, companies worldwide are directly responsible for conducting thorough due diligence. Part of that due diligence is making sure your organization has a holistic view of its security posture, including its vendor ecosystem and the gaps that ecosystem introduces. It also means having a contingency plan in place to limit any interruption caused by a breach, even one that targets a third party rather than your own organization. This lets you act fast and limit additional damage to your company, clients, vendors, and the broader community.
Learn more about managing vendor risk: Expert Panel: How Do You Manage Vendor Risk?
Additionally, TSA is considering further measures to directly support the pipeline industry in improving its cybersecurity, including more robust public-private partnerships around critical US infrastructure. This follows President Biden’s Cybersecurity Executive Order, signed on May 12, 2021, and suggests that cyber regulation at the federal level will continue to grow more robust over time.
Register for the webinar: US Cybersecurity Executive Order: How It Will Impact Your Vendor Risk Strategy
How can OneTrust help?
The OneTrust platform draws on expertise in Vendor Risk Management, Privacy, GRC, and many other categories to deliver an integrated cybersecurity management experience. It gives you visibility into all aspects of your organization’s security structure, allowing you to holistically protect both your customers and your data.
Explore OneTrust: Request a demo today.
Further new DHS cybersecurity regulation reading:
- DataGuidance Reading: USA: DHS announces Security Directive for critical pipeline sector
- DHS Announcement: DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators
Next steps on new DHS cybersecurity regulation:
- Learn more about OneTrust’s platform: Request a Demo: Request a demo today
- Learn how OneTrust’s solutions have helped energy industry clients across the globe: Cemig Operationalizes LGPD and Privacy Program with OneTrust