Reflecting the shifting political winds since the Colonial Pipeline shutdown, the Transportation Security Administration (TSA) on May 27 announced a directive for “critical” pipelines to take some basic cybersecurity measures, such as disclosing cyber incidents to the government, designating a cybersecurity coordinator and reporting on cybersecurity preparedness within 30 days.
The directive does not explain what TSA considers “critical” pipeline facilities, though Department of Homeland Security (DHS) officials have said the directive is the first step in a multipronged effort to enhance pipeline security following the Colonial Pipeline incident. Additional measures are expected beyond the incident disclosures and preparedness reporting, but the timing of those next steps is not known.
“TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland,” TSA said.
Distinguishing “critical” pipelines from others likely reflects the fallout from shutting down Colonial, which is a major transporter of gasoline and refined fuel products to large cities along the East Coast. When Colonial shut down its system following a cybersecurity breach and ransomware attack, gas stations in several cities in the Southeast ran out of fuel and government agencies scrambled to ensure consumers could gain access to fuel through different means.
In the aftermath of the Colonial incident, the White House issued an executive order on cybersecurity standards for federal agencies that includes a playbook for responding to cyber incidents, creation of a Cybersecurity Safety Review Board and a requirement that information technology (IT) providers share certain breach information that could affect government networks and enable more effective defenses of federal agencies. Biden administration officials said that the executive order was in the works in the first month of Biden taking office, and was not solely in response to the Colonial incident.
Pipeline owners have been resistant to federal mandatory cybersecurity standards, with the American Gas Association (AGA), Interstate Natural Gas Association of America (INGAA) and Association of Oil Pipe Lines (AOPL) pointing out effective measures in place and issuing statements that mandatory standards are not a panacea. Current security guidelines are better than a mandatory regulatory structure because mandatory measures would become outdated as hackers and technology gains make them obsolete, pipeline groups have said.
However, AGA’s board of directors on May 18 approved a resolution to support reasonable cybersecurity regulations, which it defined as allowing a risk-based methodology, permitting pipeline owners to have flexibility to adapt to evolving cyber threats and aligning with natural gas industry cybersecurity guidelines.
In a May 27 statement responding to the TSA directive, AGA expressed support for the measure. “TSA is headed in the right direction and we look forward to identifying concrete measures to bolster our common mission of pipeline security and public safety,” said Kimberly Denbow, managing director of security and operations at AGA.
INGAA is committed to collaborating with TSA and CISA to implement the new directive, a spokesperson for the group said. “As TSA’s pipeline cybersecurity program evolves in the coming months, it must be nimble enough to adapt to the continually changing threats to our nation’s critical infrastructure. This will require leveraging government-industry partnership to identify and implement opportunities to further enhance our cybersecurity protections and timely two-way information sharing of actionable threats,” the INGAA spokesperson said.
AOPL did not have an immediate reaction to the TSA announcement at press time May 28.
The TSA directive calls on “critical” pipeline owners to disclose confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), which like TSA is part of DHS. Those pipeline owners are to designate a cybersecurity coordinator to be available 24 hours a day, seven days a week, and review their current practices to identify any gaps in addressing cyber-related risks. Those pipeline owners are to report the results to TSA and CISA within 30 days.
Media reports indicated that companies that fail to report cyber incidents to CISA would be subject to financial penalties starting at $7,000 per day, but that is not outlined in the directive announcement. The reporting requirement marks a change from the current guidelines and the cybersecurity framework that was established by the National Institute of Standards and Technology to help reduce cyber risks.
The ransomware attack on Colonial demonstrates that the cybersecurity of pipelines is critical to homeland security of the U.S., said Secretary of Homeland Security Alejandro Mayorkas. “DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure,” Mayorkas said in a statement.
FERC Chairman Richard Glick has been among those calling for increased security of the pipeline sector and questioning whether TSA is the best agency to handle those responsibilities. He penned an op-ed with Commissioner Neil Chatterjee in 2018 laying out that view and issued a joint statement with Commissioner Allison Clements May 10. That joint statement says mandatory reliability standards are needed for the nearly 3 million miles of natural gas, oil and hazardous liquids pipelines in the U.S.
Republican and Democratic members of Congress have issued similar statements, with some Republicans placing blame on the Biden administration for not doing more to protect critical infrastructure and Democrats noting that TSA and the voluntary nature of safety standards present a vulnerability that should be fixed.
By Tom Tiernan