DHS to issue new pipeline security regulations after Colonial attack

A Department of Homeland Security spokesperson said the new guidance for pipeline security will be issued in the coming days.

Image: Casimiro PT / Shutterstock

The Department of Homeland Security is preparing to issue new regulations for pipeline security following the ransomware attack that disrupted Colonial Pipeline's operations for more than a week earlier this month.

"The Biden Administration is taking further action to better secure our nation's critical infrastructure. TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead," a DHS spokesperson told FCW on Tuesday.

The Washington Post first reported the agency would issue security directives as early as this week which would require pipeline companies report cyber incidents to federal authorities. Although Colonial Pipeline worked with the FBI following Darkside's ransomware attack, lawmakers have taken issue with the  company's level of engagement with the Cybersecurity and Infrastructure Security Agency.

CISA's acting chief Brandon Wales testified at a recent hearing he does not believe the company would have contacted his agency at all if the FBI had not acted an intermediary.

The ransomware attack has also triggered a flurry of legislation about the Transportation Security Administration's authority to set rules around pipeline security as well as re-igniting debates on whether companies should be allowed to pay ransoms. The latter question is certain to come up when Colonial Pipeline CEO Joseph Blount testifies to lawmakers in June. Blount confirmed in a recent interview his company paid a $4.4 million ransom after Darkside compromised its business systems.

Shortly after the Washington Post published its story, Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said in a statement the new directive is a step in "the right direction." He also hinted that his committee will not allow TSA to yield jurisdiction over pipeline security to other government agencies.

"While Congress will continue its oversight of TSA's pipeline security efforts, TSA -- with its 20 years of experience -- will remain the federal entity responsible for pipeline security with the authorities to mandate security requirements," Thompson said.

The notion that other government entities, such as the Federal Energy Regulatory Commission, should take responsibility for pipeline security has been advocated both by lawmakers and other officials outside of DHS. Any legislative moves to make changes is certain to find resistance with Thompson and other members of his committee keen to maintain their own jurisdiction.