After Colonial attack, TSA issues new cyber regs for pipelines

A gas station in Florida out of fuel in the wake of the Colonial Pipeline shutdown. (Image credit: Hayden Dunsel/Shutterstock.com)

The Transportation Safety Administration on Thursday issued new security directives for pipeline owners and operators concerning how they respond and report cybersecurity incidents.

The directives, according to a Department of Homeland Security statement emailed on Thursday morning, require companies to report "confirmed and potential" cybersecurity incidents to DHS's Cybersecurity and Infrastructure Security Agency. Companies also must designate a "cybersecurity coordinator" to be available at any time.

"It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days," according to the statement.

DHS Secretary Alejandro Mayorkas in the statement highlighted the recent attack on Colonial Pipeline, which sparked a major gasoline supply crunch along the East Coast for several days, as the reasoning for the new directives.

The mandate for companies to immediately contact CISA is not surprising. Since the attack, House and Senate lawmakers have repeatedly aired their aggravation at Colonial Pipeline's apparent reluctance to contact the government's lead cybersecurity agency. CEO Joseph Blount, who is scheduled to testify to Congress next month, is sure to field questions about who his company contacted and when as well as his choice to pay $4.4 million ransom.

"TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland," the DHS statement continued.

The directives signal a decided change of pace for pipeline security in the wake of the Colonial Pipeline incident. TSA for years has had the authority to issue more restrictive cybersecurity policies but has not done so, instead leaning on industry to maintain its own standards.

"TSA requiring the pipeline industry to immediately report cyber incidents is imperative to securing a key element of our country's critical infrastructure," Rep. John Katko (R-N.Y.), the ranking member of the House Homeland Security Committee, said in an emailed statement. He added: "Now is not the time for turf battles. It's vital that TSA focus its resources and oversight on securing the nation's 2.7 million miles of pipelines."

Turf battles could be in the offing, however. Lawmakers in the House and Senate are divided about jurisdiction over pipeline security, with some insisting that TSA retain its authorities while others back giving the Energy Department or the Federal Energy Regulatory Commission a more authoritative role in regulating pipeline security.