Written by Sean Lyngaas
The Transportation Security Administration will for the first time require pipeline operators to meet mandatory cybersecurity requirements in the wake of a ransomware attack that caused a days-long shutdown of the main artery for delivering fuel to the East Coast.
The TSA security directive, expected to be released Thursday, requires certain pipeline operators to report hacking incidents to the Department of Homeland Security’s cybersecurity agency within 12 hours, and would levy fines starting at approximately $7,000 on operators for failing to comply with security guidelines, department officials told reporters in a call.
DHS officials estimate that the requirements will apply to roughly 100 pipeline companies, including some of the country’s largest operators.
The rules signal a shift in the traditional federal approach to pipeline security, which for years has rested on voluntary guidelines that critics said fell short of meeting the threat. A DHS official said the update is “part of a broader strategic plan” meant to protect the pipeline sector that will include additional future security requirements.
The new directive also requires pipeline operators to designate an executive to be available at all hours of the day to coordinate with DHS officials in the event of a cybersecurity incident, the officials said. The regulations also give pipeline operators 30 days to assess whether their security practices meet federal guidance and to identify weak points that need addressing.
The shutdown of the 5,500 miles of Colonial Pipeline, which delivers 45% of the fuel consumed on the East Coast, has made pipeline cybersecurity a tangible issue for bureaucrats and everyday citizens alike.
Federal agencies issued emergency orders to alleviate concerns over shortages at gas stations in multiple states as Americans hoarded fuel. Lawmakers also revived longstanding concerns that TSA, which is the lead federal agency on pipeline security, did not have enough resources to address the challenge.
A 2018 audit from the Government Accountability Office, for instance, found that TSA’s pipeline cybersecurity work was inadequate and “lack[ed] clear definitions to ensure that pipeline operators identify their critical facilities.”
TSA said in a recent statement it had implemented seven of GAO’s 10 recommendations for bolstering pipeline security, which included things like improving the agency’s methods for assessing risks to existing infrastructure.
“What we also learned from [the Colonial Pipeline hack] is how quickly this morphed from the initial cyber incident into an incident that required a broader across-the-government effort to mitigate the impact of that specific ransomware attack,” a second DHS official said during the media briefing.
Current and former U.S. officials say that improving cybersecurity practices in the pipeline sector will be an iterative process.
“While the first step is certainly to work on reporting requirements, we have to focus on incentives that will drive long-term resilience for critical infrastructure that underpins continuity of our economy,” said Nick Andersen, who was a senior Department of Energy cybersecurity official until January.
“That will include reasonable cyber standards for pipeline owners and operators, but we also have to address the right government coordinating mechanisms to ensure that agencies with the history of working collaboratively with these entities can continue to do so without being hamstrung by a bureaucratic system that constrains critical infrastructure owners from openly collaborating,” Andersen added.