No products in the cart.
In addition, some legislators from both parties have proposed removing control of pipeline security from TSA, a branch of the Department of Homeland Security whose primary role is to prevent terrorist attacks on commercial aircraft.
The cyberattack on Colonial, first announced May 7, caused the Georgia-based company to shut down the 5,500-mile pipeline that supplies much of the east coast’s gasoline, diesel and jet fuel, causing hoarding and widespread use Fuel shortage resulted.
“The ransomware attack on the Colonial Pipeline was a powerful reminder of why we must take these steps,” a senior DHS official told reporters during a briefing Wednesday.
Under the new rule, pipeline operators have 12 hours to report cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency, which works with TSA on pipeline security. Within 30 days, they must also assess how their cybersecurity practices align with existing TSA guidelines and develop plans to address any loopholes.
TSA can impose daily penalties on companies that fail to comply.
Operators must also appoint a senior cyber employee who will communicate with TSA and CISA around the clock.
TSA plans to issue a second pipeline cyber policy with more stringent requirements in the coming weeks, the Washington Post reported.
“This is the first step in the immediate aftermath of the Colonial Pipeline incident and will be followed by others,” said a senior DHS official.
The new incident reporting requirement is designed to ensure that government cyber defenders understand the nature and scope of digital attacks in order to prevent further intrusion. Although Colonial alerted the FBI after discovering it had been hit by a blackmail attack called ransomware, it didn’t provide technical data to CISA until a few days later. The company also failed to tell CISA that it paid a multi-million dollar ransom to regain access to its data.
The colonial hack exposed the shortcomings of the federal government’s current approach to defending critical infrastructure. Few of the 16 infrastructure sectors managed by a cluster of different federal agencies face mandatory cyber requirements.
Additionally, some of the agencies responsible for overseeing infrastructure, including the TSA and the Environmental Protection Agency, have little experience with cybersecurity and little resources on digital threats. In 2018, TSA’s pipeline security division had only six full-time employees, and the agency lacked a plan to ensure employees had the necessary cyber skills, according to a report from the Government Accountability Office.
TSA now has enough staff to enforce the new rule, said a senior DHS official, and those staff have been trained by CISA and other government experts. “We are expanding this group further,” said the official.
As part of an existing partnership, CISA and TSA have conducted safety reviews of 23 pipeline facilities since October 2020 and, according to the official, plan to conduct an additional 29 reviews over the next four months.
For years, cyber officials and industry executives have emphasized collaboration rather than regulation to protect infrastructure from hackers. But many companies – including some that operate the US power plants, water treatment plants, and other critical infrastructure – either ignore cybersecurity or underestimate their resources and attention, creating weak links that can lead to bigger problems.
Biden administration officials have also touted the value of public-private partnerships and voluntary information sharing, but the colonial hack appears to have led the administration to take a stricter approach to protecting an important part of the country’s energy system.
“Even though we will have a more structured oversight … we look forward to a very collaborative relationship with the pipeline industry,” said a senior DHS official.
Another lesson from the Colonial Hack, however, is that “we need to take a more muscular approach.”
In Congress, too, frustration over the voluntary approach has increased. A non-partisan group of legislators drafts laws that oblige critical infrastructure companies and large IT service providers to disclose hacks to the government.
TSA’s new rules are likely to cause a major setback in the oil sector, which has resisted new regulations for its members, even though voluntary standards have been proven to be inadequate.
“Any discussion of regulation is premature until we fully understand the details of the colonial attack,” said Suzanne Lemieux, manager of safety and security for the American Petroleum Institute, in mid-May.
As the TSA steps up its oversight of pipelines, some policy makers are wondering if it is the right agency to do the job at all. On the hill, the house’s energy and trade committee leaders are pushing for the energy department to take over TSA’s pipeline portfolio. However, the chairman of the House Homeland Security Committee has argued that the TSA has the necessary experience to maintain its role.