The new rules are intended to increase major pipeline company’s defenses, but some experts argue that they are vague.
Acknowledging that the traditional voluntary approach to cybersecurity in critical industries was not working, the government has issued emergency rules to strengthen the cybersecurity of the nation’s most important energy pipelines. But industry officials and some analysts argue implementing the rules could hamper pipeline reliability, reports the Washington Post. The rules are designed to spur pipeline companies to bolster their defenses, evaluate their cybersecurity and ensure they can continue to operate even if their business networks are hacked.
Some requirements drew consensus as positive, such as developing an incident response plan and regularly testing it to assess how well it works. And for the first time, the government is mandating an annual cybersecurity audit from either the Transportation Security Administration or an independent inspector to help operators identify weaknesses as soon as possible. However, when it comes to implementation, the rules are vague in some areas, such as whether a large corporation with industrial and business systems will have to comply with the rules for all its networks or just those related to its pipelines. Other analysts warn that the rules can be overly prescriptive, calling for patching vulnerabilities when it would be more effective to identify the desired outcome of mitigating flaws and let the operator determine how best to do so. Also, requiring anti-virus scans makes sense on business systems, but on machines that actually run the pipes, they may in some cases delete critical files or cause outages.
Source: The Crime Report https://thecrimereport.org/2021/10/04/new-emergency-pipeline-cyber-regulations-are-necessary-but-could-hamper-reliability/