The Transportation Security Administration (TSA) announced a cybersecurity directive for companies in the pipeline sector in an effort to better identify, defend and respond to threats, the agency said Thursday. The requirements are a response to the recent ransomware attack against Colonial Pipeline, which constrained fuel access to states along the U.S. Eastern seaboard.
The cybersecurity directive, a first for the oil and gas industry, will dictate how companies handle internal cybersecurity policies. The requirements could also serve as a model for other sectors as the government pursues a more calculated approach to threat and risk analysis with the private sector, marked by executive orders and more agency involvement.
The directive from TSA, a Department of Homeland Security agency, will require critical pipeline owners and operators to "report confirmed and potential cybersecurity incidents" to the Cybersecurity and Infrastructure Security Agency (CISA), the directive said. DHS has not yet published its final requirements.
In its initial response, Colonial only engaged with law enforcement and did not initially include CISA. CISA's Acting Director Brandon Wales said he does not believe Colonial would have contacted CISA had the FBI not tapped the agency in its early investigations during a Senate hearing earlier this month.
As part of the directive, CISA will become central to cybersecurity incident response, coordinating resources as the government formalizes interactions between agencies and the private sector.
The TSA will require companies appoint a cybersecurity coordinator, available 24/7. Within 30 days of an incident, companies are to report investigative findings and remediation efforts to the TSA and CISA. "TSA is also considering follow-on mandatory measures that will further support the pipeline industry," in an attempt to strengthen the public-private partnership, the announcement said.
The TSA oversees the physical security of pipelines because they transport fuel, gas and chemicals, a responsibility given to the agency in 2002. Physical security and cybersecurity began to blur the lines of safety, but the agency has been slow to update its current voluntary guidelines.
"Since the TSA requirements focused more on physical security of the pipelines, enforceable compliance mandates lacked many of the specific evolving cybersecurity requirements needed to stay current," said Chris Strand, chief compliance officer of IntSights and energy and gas cybersecurity regulation advisor.
Cybersecurity standards in critical infrastructure vary from sector to sector. While the North American Electric Reliability Corporation (NERC) dictates compliance standards, the oil and gas industry has fewer cyber-related mandates. Oil and gas pipelines "do not fall under the same scrutiny as the energy sector … it may take some time to determine the risk of continuing operations during an active attack rather than shut down," Strand said.
Staying inside the TSA lane
The Biden administration published its cybersecurity executive order earlier this month with a plea for better information sharing.
Yet, it's a matter of overcoming hesitancy to talk to the government, said Chris Cummiskey, CEO of Cummiskey Strategic Solutions and former under secretary for management at DHS, during a webcast hosted by Seyfarth Wednesday. Companies like SolarWinds and Colonial "may call the FBI, but it doesn't make it to CISA at DHS until several days later."
The federal government needs "a structure in place that allows for that to be more methodical so that we don't act like every incident is the first incident," said Cummiskey. The current interdepencies companies have with their respective regulatory agencies is "not particularly nimble."
The voluntary guidelines industry was accustomed to lacked a cybersecurity framework to measure implemented controls. "It was probably a difference of priorities on the safety of the critical infrastructure as opposed to a purposeful lack of attention to the guidelines," said Strand.
Based on his experience, Strand said the TSA's focus remained on what it was mandated to protect: modes of transportation working in an operational technology (OT) environment.
Companies in this industry are accustomed to existing standards and frameworks they are required to follow, though Strand expects the security directive will "definitely create some scrambling and resentment" as they comply.
"From everything that I understand about this incident, the pipeline itself was shut down, and all of this disruption was caused, because the company was confused about what it should do with the pipeline," said Kate Fazzini, CEO of Flore Albo, during the panel. "They shut the pipeline down because they didn't know how to respond to the incident. That tells me that we are unprepared for many things."
Fazzini has struggled to see significant improvements since the Obama administration's critical infrastructure cybersecurity executive order in 2013. "After the colonial pipeline hack, I really question whether that has done very much," she said.
Correction: This article has been updated to reflect the mandatory nature of security directives.