TSA formally directs pipeline companies to report cybersecurity incidents in wake of Colonial attack

The Transportation Security Administration (TSA) will formally issue a security directive Thursday to strengthen federal cybersecurity oversight of pipelines, weeks after a ransomware attack on Colonial Pipeline led to fuel shortages in multiple states. 

The directive, set to be released two days after The Washington Post first reported on its existence, will require pipeline companies to report cybersecurity incidents within 12 hours of them occurring to the Cybersecurity and Infrastructure Security Agency (CISA). Both CISA and TSA are part of the Department of Homeland Security (DHS). 

The directive will also require pipeline owners and operators to designate an individual who is available 24/7 to coordinate with officials at both TSA and CISA in the event of a cyber incident, and for owners and operators to carry out assessments of existing cybersecurity practices to identify potential gaps and report their findings to TSA and CISA within 30 days. 

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” DHS Secretary Alejandro Mayorkas said in a statement on Thursday. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

A DHS official told reporters Wednesday night that the directive applied to around 100 critical pipelines across the nation, and that financial penalties would be imposed, to ramp up on a daily basis, for companies that did not comply with the directive. 

The official stressed that the directive represented “step one” and would be “followed by more” actions from the Biden administration in the future to secure pipelines against cyber threats. 

“These are important steps forward, and they should be understood as part of a broader strategic plan to ensure that the pipeline sector does what’s needed to protect against the kind of cyber incident that we saw with respect to Colonial and enable the department to better identify, prevent, and respond such kinds of events in the future,” the DHS official said. 

“You will see in the not-too-distant future this to be followed up with an additional set of rules that would require a range of actions to be taken by the sector,” the official added. 

The directive comes in the wake of the ransomware attack on Colonial Pipeline’s IT system, which forced the company to temporarily shut down its pipelines to protect operational controls. The company provides around 45 percent of the East Coast’s fuel, and the attack led to gas shortages in several states.

The FBI assessed that the attack involved the use of the “DarkSide” ransomware variant, with President Biden stating publicly that the cyber criminals were likely based in Russia, though not backed by the Russian government. 

Colonial chose to pay the hackers the equivalent of $4.4 million in Bitcoin to regain access to its systems, drawing criticism from officials and experts concerned that other cyber criminals may be tempted to launch ransomware attacks against U.S. critical infrastructure in the future. 

Federal officials cited the need for more cybersecurity standards for the pipeline sector in the wake of the attack, with other sectors such as electricity more highly regulated around cybersecurity issues. 

Mayorkas told reporters at the White House earlier this month that the administration was discussing the idea of some further oversight of pipelines following the Colonial attack. 

Energy Secretary Jennifer Granholm also recently expressed support for more federal oversight of the security of pipelines, while Federal Energy Regulatory Commission (FERC) Chairman Richard Glick and Commissioner Allison Clements earlier this month called for the establishment of “mandatory pipeline cybersecurity standards.”

“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick and Clements said in a joint statement. “Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

Comments are closed.