TSA cyber requirements would fine pipeline operators for lax security practices
The Transportation Security Administration will for the first time require pipeline operators to meet mandatory cybersecurity requirements, in the wake of a ransomware attack that caused a days-long shutdown of the main artery delivering fuel to the East Coast.
The TSA security directive, expected to be released Thursday, requires certain pipeline operators to report hacking incidents to the Department of Homeland Security’s cybersecurity agency within 12 hours of detection, and would levy fines starting at approximately $7,000 on operators for failing to comply with security guidelines, department officials told reporters in a call.
DHS officials estimate that the requirements will apply to roughly 100 pipeline companies, including some of the country’s largest operators.
The rules signal a shift away from the traditional federal approach to pipeline security, which for years has rested on voluntary guidelines that critics said fell short of meeting the threat. A DHS official said the update is “part of a broader strategic plan” meant to protect the pipeline sector that will include additional security requirements in the future.
The new directive also requires pipeline operators to designate an executive to be available at all hours of the day to coordinate with DHS officials in the event of a cybersecurity incident, the officials said. The regulations also give pipeline operators 30 days to assess whether their security practices meet federal guidance and to identify weak points that need addressing.
Among the cybersecurity incidents that pipeline operators are required to report are instances of malicious software compromising the pipeline operator’s IT systems, or the more sensitive “operational technology” systems that interact with machinery. In addition, the directive forces pipeline companies to report “activity resulting in a denial of service” to any IT or OT system. Included in the reports should be any available information on malicious infrastructure used by a hacker.
The shutdown of the 5,500-mile Colonial Pipeline, which delivers 45% of the fuel consumed on the East Coast, has made pipeline cybersecurity a tangible issue for bureaucrats and everyday citizens alike.
Federal agencies issued emergency orders to alleviate concerns over shortages at gas stations in multiple states as Americans hoarded fuel. Lawmakers also revived longstanding concerns that TSA, which is the lead federal agency on pipeline security, did not have enough resources to address the challenge.
A 2018 audit from the Government Accountability Office, for instance, found that TSA’s pipeline cybersecurity work was inadequate and that it “lack[ed] clear definitions to ensure that pipeline operators identify their critical facilities.”
TSA said in a recent statement it had implemented seven of GAO’s 10 recommendations for bolstering pipeline security, which included things like improving the agency’s methods for assessing risks to existing infrastructure.
“What we also learned from [the Colonial Pipeline hack] is how quickly this morphed from the initial cyber incident into an incident that required a broader across-the-government effort to mitigate the impact of that specific ransomware attack,” a second DHS official said during the media briefing.
Current and former U.S. officials say that improving cybersecurity practices in the pipeline sector will be an iterative process.
“While the first step is certainly to work on reporting requirements, we have to focus on incentives that will drive long-term resilience for critical infrastructure that underpins continuity of our economy,” said Nick Andersen, who was a senior Department of Energy cybersecurity official until January.
“That will include reasonable cyber standards for pipeline owners and operators, but we also have to address the right government coordinating mechanisms to ensure that agencies with the history of working collaboratively with these entities can continue to do so without being hamstrung by a bureaucratic system that constrains critical infrastructure owners from openly collaborating,” Andersen added.
UPDATED, 11:53 a.m. EDT: This story has been updated with additional details on the TSA directive and a link to the text of the directive.