A senior TSA official told House lawmakers on Tuesday that it is preparing to issue a second security directive focused on cybersecurity mitigation measures used by pipeline companies.
The Transportation Security Administration told lawmakers on Tuesday that the agency is developing a second security directive focused on requirements for pipeline cybersecurity mitigation measures and that the agency has a cadre of inspectors ready to enforce those requirements.
Sonya Proctor, the assistant administrator for surface operations at TSA, told two subcommittees of the House Homeland Security Committee that the new directive will be a "security sensitive information" document and "will be rather prescriptive in terms of the mitigation measures required."
Proctor was testifying before House lawmakers alongside Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, about the effects of the ransomware attack against Colonial Pipeline.
A representative from the FBI was invited to testify at the hearing but declined to attend, according to Rep. Bonnie Watson Coleman (D-N.J.).
In the weeks following the May 7 attack, TSA issued a security directive mandating pipeline owners and operators to report "confirmed and potential" cybersecurity incidents to CISA as well as designate cybersecurity coordinators. The directive also requires pipeline owners to conduct self-assessments focused on the extent to which they are complying with existing voluntary standards.
Proctor's remarks on Tuesday were in response to a question from Coleman about how TSA will verify information companies report to the federal government and the consequences for misrepresenting themselves.
During previous hearings with Colonial Pipeline CEO Joseph Blount, lawmakers took issue with the company's lack of cooperation with TSA to conduct voluntary security assessments, both physical and otherwise.
Asked about the delays, Proctor said other companies also postponed assessments due to health concerns related to the pandemic. She also said Colonial had also postponed the assessment because it was making certain software updates.
"We had spoken in March. They had asked for about six weeks to complete some cyber updates and the six weeks was actually the week after the incident with Colonial," Proctor said of the validated architecture design review.
Lawmakers at the hearing also voiced concerns about the White House's choice to designate the Department of Energy as the lead agency for the incident. Since the May 7 attack, lawmakers on the Homeland Security Committee and others overseeing the Energy Department have been laying out their arguments for a coming turf war over whether TSA should keep its regulatory authority over pipeline companies.
When asked about what rationale CISA was given by the White House, Goldstein emphasized the breakdown of roles between agencies and that DOE was deemed the lead agency because of the incident's impact on the supply of gasoline to the East Coast.