- Since the Transportation Security Administration (TSA) announced two pipeline-specific cybersecurity directives in May, pipeline operators have voiced concerns about aggressive timelines and impacts on safety if major equipment changes become necessary, according to TSA Administrator David Pekoske, during a Senate hearing Tuesday.
- The TSA will allow pipeline companies to submit alternative procedures in response to the cybersecurity requirements, Pekoske said, per the second directive, issued July 20. "We review those requests relatively quickly, and get back to the operator. So there is some flexibility built in."
- However, the TSA does not have everything it needs to deal with cybersecurity incidents, Pekoske said. Currently the agency has 39 employees dedicated to pipeline security, in addition to inspectors. In May, the Department of Homeland Security announced a cybersecurity hiring sprint, which added 10 cybersecurity professionals to the TSA.
The TSA has been pushing for cybersecurity modernization following the Colonial Pipeline ransomware attack in May. "I'm happy to tell you that we had 100% response from the critical pipeline security operators identified in the first security directive," Pekoske said. The TSA initially gave pipeline owners and operators a 30-day timeline to submit gaps in their cybersecurity posture in the May directive.
The TSA did not make the requirements public, they are only available to pipeline owners and operators. If compliance is not reached, companies could be subjected to civil penalties. While TSA will not make the raw data submitted by pipeline owners and operators public to protect discovered vulnerabilities, the TSA intends to release summary data.
Companies running pipelines are, for the first time, working under required cybersecurity measures. Speaking with pipeline owners based in Tennessee, "they say that the directive could require them to replace thousands of pieces of equipment all over the country. Not only would it be expensive, take a long time, [but] supply chain shortages are an issue," Sen. Marsha Blackburn, R-Tenn., said during the hearing.
Pekoske, however, confirmed that many of the directives' cybersecurity procedures are rooted in basic cybersecurity hygiene, not necessarily lengthy digital transformation efforts.
Cybercriminals' points of entry tend to capitalize on "fairly basic" issues, said Polly Trottenberg, deputy secretary of the Department of Transportation, during the hearing. For example, Colonial was hacked through an outdated VPN profile, which lacked multifactor authentication.
"I often think about if that $4.4 million had been invested upfront in [Colonial's] system, what could have been done with that fund," Pekoske said.
For companies that find certain requirements unfeasible, the TSA wants them to contact the agency directly. From there, the TSA and pipeline operator could produce an alternative solution.
"It's not a varying degree of security, it's a security standard. There are different ways to get to it," Pekoske said.
As the TSA works through providing cybersecurity recommendations and requirements for pipelines, the agency's internal cybersecurity practices are under scrutiny, too. The Government Accountability Office (GAO) published a study Tuesday, reiterating weaknesses found in the TSA's pipeline security oversight and guidance between 2018 and 2019. The TSA still has two lingering cybersecurity weaknesses:
- The TSA has incomplete information for pipeline risk assessments for pipeline threats, vulnerabilities and consequences. The GAO wants to see the TSA collect more information outside of submitted data from pipeline operators, said Leslie Gordon, acting director of Homeland Security and Justice within the GAO, during the hearing.
- Though the TSA has made progress in completing the recommendation regarding updating its 2010 Pipeline Security and Incident Recovery Protocol Plan, the GAO is waiting on the agency to modernize "aged protocols" for responding to pipeline-related cybersecurity incidents.
"Just because a recommendation is outstanding does not mean we haven't done substantial work towards it," Pekoske said, and the TSA had "as full and complete data as we could at the time we issued the security directive." The TSA's reasoning for this was the timeliness of remediatiating risks in light of an emergency.