Department Of Homeland Security’s Cybersecurity Requirements For Pipeline Owners And Operators

On Friday, May 7, 2021, Colonial Pipeline fell victim to a cyberattack that resounded throughout the pipeline owner and operator industry, and the Department of Homeland Security (DHS) issued two directives in response to the threat. The attack forced the company to proactively shut down operations and disable IT systems. The perpetrators targeted the business side of the pipeline rather than operational systems, as the motive was monetary rather than an attempt to halt pipeline activities.[1] Colonial Pipeline leadership made the difficult decision to cease the operations systems as well as the internal IT systems in order to protect this critical infrastructure from possible compromise.

The shutdown of operations resulted in gasoline shortages from Texas through the Southeast, up the Eastern seaboard and through New Jersey. This type of disturbance in the supply chain was considered a threat to our national security.

Therefore, on May 27, 2021, DHS issued an initial cybersecurity requirement (“initial security directive” or “Security Directive”) for critical pipeline owners and operators: “The Security Directive [required] critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. It also require[d] critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.”[2]

On July 20, 2021, after further review of this Security Directive, DHS’ Transportation Security Administration (TSA) issued a second Security Directive that requires “…operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions.”[3]

The TSA has stated: “[T]his Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

The challenging aspects of the second Security Directive, which builds on the initial Security Directive, are (1) the level of detail of the requirements, and (2) the strict timeframes that are imposed on each of the approximately fifty provisions outlined within the requirements. The timeframes range from 30-120 days for completion of specific criteria.

Additionally, pipeline owners and operators must now focus not only on their internal information technology systems, but also pay particular attention to their operational technology systems when putting together mitigation measures to protect this portion of U.S. critical infrastructure. Having two systems, internal and operational—or client-facing systems—mirrors the telecommunications industry, where each service provider has requirements to protect its internal systems along with those that support the Domestic Communications Infrastructure, or “DCI”.

Mitigation measures that can be considered by pipeline owners and operators include the following:

  • Overall plans for continuous monitoring of internal and operational systems.
  • Dedicated resources to communicate with members of DHS.
  • Annual independent third-party audits of physical and logical security controls.
  • Consideration of independent third-party monitorships that have the resources and expertise in information system infrastructure, security resiliency and working relationships with U.S. governmental agencies.

Knowing and understanding the most current DHS expectations can go a long way in facilitating compliance with the TSA second Security Directive for pipeline owners and operators.


[1] https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/

[2] https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators

[3] https://www.dhs.gov/news/2021/07/20/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators

Enhancing Your Nonprofit Organization In A New World Norm

By Vivian Gant

During the height of the COVID-19 pandemic, the future was still very uncertain. Many nonprofits found themselves applying for government assistance, such as Paycheck Protection Program (PPP) loans, as they braced for continued negative financial impacts. Although the road ahead is still not completely clear, organizations are now looking to the future and considering how to ensure they are set up for success in both the near and long term.

For some organizations, this includes facing a very different challenge: considering how to use a surplus of funds, many of which came from an increase in contributions amid the pandemic as donors looked to support nonprofits’ missions. This leads to a completely different set of questions about how to maximize this advantageous position. The post-pandemic landscape is an opportune time for nonprofits to use these extra funds to re-invest not only in their organization but also their people and, ultimately, their mission.

Although there are a number of ways for nonprofit organizations to reinvest for growth, they should consider focusing on the following:

Enhance Cybersecurity

With cyberattacks on the rise, it has never been more critical for nonprofits to ensure they – and their information – are protected. Nonprofits have access to sensitive donor data, which can make them a target. Organizations should consult with experts to study their current security environment, locate vulnerabilities and make recommendations for improvements. These organizations can then upgrade their current security to reduce the chances of an attack, which could diminish trust with donors and stakeholders.

Strengthen Tech Capabilities

As the pandemic taught us, technology helps us stay connected. Nonprofits can use this time to reassess the tools they have in place, those they added amid the pandemic and those they need for future success. Investing in tools that will allow the organization to operate in a hybrid work model, communicate with donors when they can’t be face to face and streamline internal operations will foster better communication and strengthen relationships. The connected workplace that became commonplace amid COVID-19 is not likely to go away anytime soon – in fact, nonprofit leaders should only expect to see an increase in digital tools moving forward. Investing soon and doing so strategically will ensure nonprofits are not left behind in a technology-first future.

Improve Internal Infrastructure

Enterprise resource planning (ERP) systems have come a long way. Nonprofits can reinvest in the organization by updating their current ERP systems, which can be used to manage day-to-day activities and streamline their internal processes. Upgrading to the latest ERP technology can assist not only with fundraising activities, but also with event management, online payment processing for donors, marketing efforts and more. ERP systems can typically also automate back-office functions, which can help to eliminate redundancies in the organization’s overall operations, helping it to stay focused on its mission.

Establish a Board-Designated Endowment

Another way nonprofits can utilize excess funds is to set up a board-designated endowment. This allows nonprofit boards to set aside funds specifically for board initiatives.

These funds can be invested with a trusted financial institution. To do so, the board should create an investment policy that outlines how the funds are to be invested and establishes what these funds are to be used for – which should align with the organization’s mission.

Invest in Human Capital

The pandemic was a trying time for employees. Compensation increases were likely limited during 2020 as nonprofits attempted to cut costs and save for the unknown, and a lack of in-person interaction left little room for team bonding or training opportunities. Investing in programs or events that promote team bonding or providing opportunities for ongoing education can help make employees feel valued and build trust and goodwill between leadership and staff.

In these unique times, nonprofits should be creative in ways that will help not only their mission but also their workforce. Financial decisions made by nonprofits during this time will likely have lasting effects for years to come, so thinking ahead about how to reinvest in your organization is key.

This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” Blog (July 8, 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com



7 Actionable Steps to Reducing Cyber Vulnerabilities

Cybersecurity breaches are in the news daily, and as forensic investigation and incident response practitioners, we have seen several common themes among victim companies. Attackers often pass over larger companies with robust cybersecurity measures and instead prey upon small to mid-sized businesses that are softer targets with weaker security postures. These seven steps to reducing your cyberattack surfaces will help to strengthen your defenses.

  1. Raise Cybersecurity Awareness and Hold Employees Accountable

    The weakest link in any cybersecurity program is the human workforce operating within it. Phishing attacks – in which users are tricked or deceived into opening an unsafe email attachment or visiting a fraudulent website – are among the strongest weapons in an attacker’s arsenal because they work against people, not software. Institute a regular cybersecurity awareness program that includes not only instruction but also random testing throughout the year. Repeated failures of such random testing should be treated as a notable area for improvement in an employee’s development. If your company lacks the resources or abilities to perform such training, several outsourced providers have these training and awareness platforms at the ready.
  2. Use Strong Passwords and Password Managers

    An attack known as “credential stuffing” is extremely effective at gaining access to multiple systems at once: attackers take valid username and password combinations (“credentials”) stolen from one computer system or website and try them against others, such as corporate logins, online banking, and more. Because people often reuse passwords across platforms to make them easier to remember, a single leaked password can leave other systems—including the computers and accounts they use for work—vulnerable to compromise.

    To combat credential stuffing, an organization’s best defense today is the combination of strong passwords (long passwords with a mix of capital letters, lower case letters, numbers, and symbols) and password managers—secure programs designed to generate strong passwords and store them for easy recall, so that using a unique strong password on every account and website becomes easy. Password managers also assist with “corporate memory” of shared or administrative passwords, as particular entries can be made accessible to a defined group of users. Password managers such as 1Password, LastPass, and Dashlane also have web browser extensions that make it extremely easy to have a different strong password for each website visited. They often also provide separate personal and professional password vaults, so that users have a consistent experience across both and are more likely to keep using the password manager rather than falling back to “password123.”
  3. Patch and Update Regularly

    Software developers—including those who write operating systems, office platforms, and even security software—are human, and bugs or vulnerabilities can exist in even the most secure computing platforms. As these issues are discovered, software manufacturers fix them and release new versions of their products. It’s critical that you have a regular cadence for updating the operating systems, applications, and security tools that your company depends upon. When responding to incidents, it’s not uncommon for responders to find several systems that are “critical” to an organization running on long outdated and unsupported versions of Windows or Linux. Outdated and unsupported operating systems often have several known vulnerabilities and wide-open attack surfaces, which serve as open doors for attackers.

    Needless to say, always make sure your organization’s antivirus (you do have an organization-wide antivirus in place already, yes?) is regularly updated to receive the freshest definitions and algorithms, but remember, antivirus only helps with malware-based attacks.
  4. Tighten Existing Controls

    In nearly every operating system, network, file system, and application, user accounts have varying degrees of permissions to accomplish tasks or access data. Administrators tend to have the most and standard users tend to have the least. Ensure that each user account, including system accounts used for handling automated tasks, has the amount of authority and permissions necessary to complete the job at hand—but no more. For example, while a company’s CEO might drive the policy and agenda for the entire organization, he or she doesn’t necessarily need access to detailed engineering plans or code repositories; they won’t use that data as a course of normal business, but it expands their attack surface tremendously and increases the potential for a catastrophic breach should their credentials be compromised by clicking on a nefarious link in an email message.
  5. Use Two-Factor Authentication Whenever Possible

    Operating systems, application platforms (such as Microsoft’s Office 365), and many websites provide enhanced security and authentication through “two-factor authentication.” Two-factor authentication often combines something you know (such as a password) with something you have (such as a one-time randomized key) to authorize credentials. At a minimum, two-factor authentication should be a requirement for any Office 365 Administrator account, and it’s no less recommended for standard user accounts as well.

    Two-factor authentication is often accomplished through an app on the user’s mobile phone that generates “one-time passcodes”: a unique number that rotates every thirty seconds and provides an additional verification of the user’s credentials. Common two-factor authentication apps include Google Authenticator, Authy, and Microsoft Authenticator, and many password managers can also generate authentication passcodes.
  6. Have an Incident Response Plan, Even Minimally

    Due to the growth in cyberattacks and cybercrime, organizations are beginning to understand that it isn’t about if they’ll face a data breach, but when. As a result, the difference between catastrophic organizational damage and cyber resiliency can be the manner and speed in which an organization responds to a breach when it happens, along with the programs, procedures, and processes in place beforehand to best position the organization for recovery.

    While a full incident response plan with trained, dedicated staff at the ready is great, this is definitely an area where perfect shouldn’t be the enemy of good. Critical days or even weeks can be lost after a breach while a company looks for an incident response contractor, negotiates contracts (at panic pricing), and waits for the contractor to begin their response in an unfamiliar network belonging to an unfamiliar company. When you don’t have an active incident is the time to contract with an incident response and/or managed security services firm, because you can set fair pricing, reasonable retainers, and the contractor will have time to learn what’s “normal” in your company and network before a crisis happens. Even if your plan is to “call our account rep at our incident response contractor,” that can be enough to stop a security incident from becoming a security breach.
  7. Encrypt Data at Rest and In Transit

    Most desktop and server operating systems can encrypt the contents of their hard drives right out of the box. From a single user’s laptop to the information stored in your corporate-wide databases, encryption should be the standard, not the exception. Before a computing device is provided to an employee, activate the built-in disk encryption to reduce exposure from loss or theft, and ensure that your cloud computing platforms, corporate databases, and email servers are also covered by their encryption capabilities. Emergency recovery keys can be stored within the safety of your password manager for cases when an employee leaves suddenly; failing to encrypt that employee’s laptop, by contrast, can be a disaster if it is lost or stolen in an airport café.

    Speaking of travel, when employees are on the road, they should connect to the Internet through a Virtual Private Network (VPN), preferably one provided by and running through the corporate network to maintain control and assure data security. Open Wi-Fi access points may be a boon to travelers, but they’re also a goldmine for data thieves who may listen in on unencrypted connections. In a pinch, commercial VPN services are also available on an individual basis, and computing enthusiasts can set up their own using open-source platforms such as AlgoVPN for the price of a cup of coffee.
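Step 2 above describes credential stuffing from the attacker's side; the following is an added example, not code from the original article, of what the pattern looks like in an authentication log and how a defender can flag it. The log format, the sample lines, the IP addresses (documentation ranges) and the thresholds are all constructed for this illustration. The detector distinguishes credential stuffing (one source cycling through many different usernames within a short window, sometimes with a success among the failures) from plain brute force against a single account.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from any real system).
# Assumed format: "<ISO-8601 UTC timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-08-02T09:00:01Z auth FAIL user=alice src=203.0.113.7
2021-08-02T09:00:02Z auth FAIL user=bob src=203.0.113.7
2021-08-02T09:00:03Z auth FAIL user=carol src=203.0.113.7
2021-08-02T09:00:04Z auth FAIL user=dave src=203.0.113.7
2021-08-02T09:00:05Z auth OK user=erin src=203.0.113.7
2021-08-02T09:00:06Z auth FAIL user=frank src=203.0.113.7
2021-08-02T09:01:00Z auth FAIL user=alice src=198.51.100.20
2021-08-02T09:01:05Z auth FAIL user=alice src=198.51.100.20
2021-08-02T09:01:10Z auth FAIL user=alice src=198.51.100.20
2021-08-02T09:01:15Z auth FAIL user=alice src=198.51.100.20
2021-08-02T09:01:20Z auth FAIL user=alice src=198.51.100.20
2021-08-02T09:05:00Z auth OK user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window_seconds=60, min_distinct_users=5, min_attempts=5):
    """Return {source_ip: alert} for sources whose behaviour inside any sliding
    window of window_seconds looks like credential stuffing (many distinct
    usernames) or brute force (many failures against one username)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start..end] spans <= window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            failures = sum(1 for e in window if e["result"] == "FAIL")
            succeeded = sorted({e["user"] for e in window if e["result"] == "OK"})
            if len(users) >= min_distinct_users:
                cand = {"kind": "credential_stuffing", "users": sorted(users),
                        "attempts": len(window), "succeeded": succeeded}
            elif failures >= min_attempts and len(users) == 1:
                cand = {"kind": "brute_force", "users": sorted(users),
                        "attempts": len(window), "succeeded": succeeded}
            else:
                continue
            # Keep the widest matching window so the alert lists every username tried.
            if best is None or cand["attempts"] > best["attempts"]:
                best = cand
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, alert["kind"], "users:", alert["users"], "succeeded:", alert["succeeded"])
```

The `succeeded` field is the part worth paging someone for: a stuffing run that produced an `OK` means a reused password was valid, and that account should be locked and its owner moved to a password manager and two-factor authentication.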

In summary, while there is no one end-all, be-all to cybersecurity, there are a number of simple, practical steps that organizations can take to dramatically improve their cybersecurity posture. Many of these options are free or come with the software you’ve already purchased. Others, while they do charge a fee, cost significantly less than the amounts associated with a data breach in loss of customer confidence, loss of intellectual property, incident response costs, fines, penalties, legal fees, and more. Cybersecurity should be another risk that needs to be quantified, monitored, and managed by your C-suite and Board, and policies must be drafted and enforced accordingly.