On Friday the Friendly Morning Pipeline Company (FMPC) filed a suit in the 14th US District Court against the Pipeline Safety, Security and Operations Office (PSSOO) over its labeling of the most recent PSSOO pipeline security directive as Sensitive Security Information (SSI). SSI is part of the sensitive but unclassified (SBU) information protection system maintained by various agencies of the US government.
The suit claims that the PSSOO’s declaring the security directive as SSI imposed an unreasonable financial burden on the pipeline company because the SSI regulations required that the company install special computer equipment at each of its offices to store the directive and all associated files in accordance with the requirements of SP 800-171. The lawsuit also alleges that the SSI requirements are an unlawful restraint of the company’s free speech rights to discuss regulatory actions of a government agency.
Michael E. Thane, spokesperson for PSSOO, told reporters this morning that the agency had no comment on the lawsuit, explaining: “It is the policy of the Federal Government to not speak to the press about on-going litigation.”
Thane did, however, confirm that SDO2, the most recent PSSOO cybersecurity directive for pipelines, was labeled as SSI. “SDO2 contains detailed cybersecurity requirements for covered pipeline owner/operators,” Thane explained. “If adversaries of the United States had access to that information, it would allow them to bypass those security controls. That could imperil the safety and security of the United States.”
Werner Bergeron, a lawyer for StormFury, an environmental activist organization, has filed a friend-of-the-court brief in the lawsuit. In a press release issued today, Bergeron said: “It is not often that I agree with pipeline operators, but the PSSOO clearly overstepped its authority in the classification of SDO2. We are concerned that the application of the SSI label to a purely regulatory document inhibits public discussion about the appropriateness and legality of the regulatory requirements. It prevents organizations such as ours from reviewing the directive and commenting on its efficacy in protecting the environment.”
I talked with Kate Libby, spokesperson for Dragonfire Cyber. She confirmed that the company was working with a number of pipeline operators on implementing the controls outlined in SDO2. “I cannot comment on the specific requirements of SDO2 since that document is classified as SSI,” Kate told me. “But if a regulation required all covered facilities to implement two-factor authentication to access control system computers, that would be insufficient information for even a nation-state actor to bypass those controls. It would require specific information on what type of 2FA was being used and which specific software tool the facility was using to implement that requirement for an exploit to be crafted. I can tell you that SDO2 does not specify specific pieces of hardware, software or firmware.”