TSA to issue cyber directive for pipeline operators following Colonial ransomware attack

Following a ransomware attack on an artery for delivering fuel to the East Coast, the Transportation Security Administration plans to issue a security directive requiring pipeline companies to report hacks to federal authorities, according to multiple people familiar with the matter.

The Biden administration’s move to issue mandatory requirements for pipeline operators, where there have previously been only voluntary guidelines, follows the days-long shutdown of Colonial Pipeline by a cybercriminal gang known as DarkSide. Gas stations in multiple states ran low on fuel amid a rash of panic buying, and the federal government issued emergency orders to alleviate any fuel shortages.

The TSA directive, expected in the coming days, is another signal from the administration that the status quo for federal cyber requirements for critical infrastructure is untenable. President Joe Biden on May 12 signed an executive order that will require federal contractors to promptly report data breaches following the alleged Russian espionage campaign exploiting software made by one such contractor, SolarWinds.

Further details about the TSA directive, which The Washington Post was first to report on, were not immediately available. A TSA spokesperson referred questions to DHS.

“TSA, in close collaboration with [DHS’s Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems,” a DHS spokesperson said. “We will release additional details in the days ahead.”

TSA, which is part of the Department of Homeland Security, is the lead federal agency for pipeline security, and has issued occasional voluntary guidelines over the years for operators to defend their systems. However, lawmakers and analysts have long worried that TSA is short of money and personnel to get the job done.

A TSA spokesperson in May told CyberScoop that, since 2018, the agency has expanded the staff it has working on pipeline physical and cybersecurity from six to 34 people.

In the face of that criticism, CISA and the Department of Energy have since 2018 been helping TSA on a pipeline cybersecurity initiative that provides security guidelines to operators.

Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, before which the Colonial Pipeline CEO will testify next month, welcomed the impending TSA directive. The security requirements would be “a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately,” Thompson said in a statement.

Brian Harrell, who led physical infrastructure protection at CISA until August, said that any TSA security standards should complement existing energy industry regulations rather than duplicate them.

“While mandatory standards are helpful, they are only one tool in the toolbox,” Harrell said, adding that “compliance checklists, with minimum baseline standards, will not stop a sophisticated” cyberattack.