The directive now mandates incident reporting and reviews described in the administration’s voluntary guidelines for the sector.
Working with the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s Transportation Security Administration issued a directive requiring immediate and longer term actions by owners and operators of the nation’s pipelines.
“Owner/Operators must provide in writing to TSA the names, titles, phone number(s), and email address(es) of the Cybersecurity Coordinator and alternate Cybersecurity Coordinator(s) within seven days of the effective date of this Security Directive,” reads the document reviewed by Nextgov.
The directive requires entities in control of pipeline systems and facilities TSA identifies as “critical,”—based on factors like volume of product transported and service to other critical sectors—to immediately circulate the directive to relevant personnel, name cybersecurity coordinators who would be able to communicate with CISA 24/7, report cybersecurity incidents within 12 hours, and report on their alignment with TSA’s voluntary cybersecurity guidelines within 30 days of the directive taking effect.
A cybersecurity incident is defined in the directive as “an event that, without lawful authority, actually, imminently, or potentially jeopardizes, disrupts or otherwise impacts the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system.”
The requirements will be in effect for one year beginning Friday, May 28 and marks a sea change in the government’s approach to securing critical infrastructure, the vast majority of which is maintained by the private sector. A May 12 executive order also looked to incentivize good cybersecurity practices across the economy but, like other recent regulations, was limited in its application to federal agencies and government contractors.
The pipeline directive will apply to about 100 companies and violations can result in fines starting at $7,000 per day, DHS officials told reporters Wednesday. And according to a press release DHS issued Thursday, “TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.”
On the heels of a ransomware attack that threatened fuel supplies and spurred panic buying by shutting down the operations of Colonial Pipeline for several days, the TSA administrator issued the pipeline directive under his authority, which allows regulating the industry’s security “without providing notice or an opportunity for comment and without prior approval of the Secretary,” according to the directive.
DHS Secretary Alejandro Mayorkas welcomed the directive. “The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” he said in the release. “The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”
TSA is accepting comments on the directive, which could change based on feedback, but that will not affect its effective date, according to the document. There is also room for entities to submit “proposed alternative measures” for TSA’s approval.