Colonial Pipeline attack spurs new rules for critical infrastructure

Colonial Pipeline attack spurs new rules for critical infrastructure

Following a devastating cyberattack on the Colonial Pipeline, the Transportation Security Administration—which sits within the government’s Department of Homeland Security—will issue its first-ever cybersecurity directive for pipeline companies in the United States, according to exclusive reporting from The Washington Post.

The directives are expected to arrive within the week and will require pipeline companies in the US to report any cyberattacks they suffer to the TSA and the Cybersecurity Infrastructure and Security Agency. Such attacks will be reported by newly designated “cyber officials” to be named by every pipeline company, who will be required to have 24/7 access to the government agencies, The Washington Post reported. Companies that refuse to comply with the directives will face penalties.

The regulations represent a tidal shift in how the TSA has protected pipeline security in the country for more than a decade. Though the government agency has for 20 years been tasked with protecting flight safety in the country, the new cybersecurity directives fall under the agency’s purview following a government restructuring after the attacks on September 11, 2001. More than a decade after the attacks, the agency leaned on voluntary collaboration with private pipeline companies for cybersecurity protection, sometimes offering to perform external reviews of a company’s networks and protocols. Sometimes, the Washington Post reported, those offers were declined.

But after the ransomware group Darkside attacked the East Coast oil and gas supplier Colonial Pipeline, which led to an 11-day shut-down and gas shortages in the Eastern US, it appears that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. Already, President Joe Biden has signed an Executive Order to place new restrictions on software companies that sell their products to the federal government. Those rules were reportedly refined after the Colonial Pipeline attack, and are expected to become an industry norm as more technology companies vie to include the government as a major customer.

The TSA’s new rules for pipeline companies fall into the same trend.

In speaking with The Washington Post, Department of Homeland Security spokeswoman Sarah Peck said:

“The Biden administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

Though the first directive from TSA is expected this week, follow-on directives could come later. Those directives are reported to include more detailed rules on how pipeline companies protect their own networks and computers against a potential cyberattack, along with guidance on how to respond to cyberattacks after they’ve happened. Further, pipeline companies will be forced to assess their own cybersecurity against a set of industry standards. These directives, like the one expected this week, will also be mandatory, but one expected, voluntary guidance from TSA will be whether a pipeline company must actually fix any issues it finds from a required cybersecurity assessment.

The new rules will bring the private pipeline industry into a small group of regulated sectors of US infrastructure, including bulk electric power grids and nuclear plants. These sectors are the outliers in US infrastructure, as most components—including water dams and wastewater plants—have no mandatory cybersecurity protections.

Several hurdles remain for the TSA’s rules to be effective, including a dearth of staff at the agency itself. According to The Washington Post, the TSA’s pipeline security division had just one staff member in 2014, and according to testimony in 2019, that number had grown to only five. To assuage the problem, the Department of Homeland Security is expected to hire 16 more employees at TSA and 100 more employees at CISA.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.