TSA’s New Cybersecurity Rules for Pipelines to Be Kept on Need-to-Know Basis 


The details of a second set of security regulations will not be released publicly. 

The public will not be privy to the details of a second directive the Transportation Security Administration announced Tuesday to improve the cybersecurity of the nation’s pipelines, according to the Department of Homeland Security.

“The security directive is designated as sensitive security information and, as a result, its distribution is limited to those with a need to know,” a DHS spokesperson told Nextgov.

DHS shared the content of the first directive TSA issued on pipeline security following a ransomware attack on Colonial Pipeline in May that caused panic at the pump when the company shut down its operations to avoid adversaries accessing its critical operational technology.

The May directive required about 100 pipeline owners and operators to report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency; to designate a cybersecurity coordinator to be available 24 hours a day, seven days a week; and to review current practices, identify any gaps and related remediation measures to address cyber-related risks, and report the results to TSA and CISA within 30 days.

“TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership,” the agency said on releasing the initial directive. 

The first directive has been ratified by DHS and is in effect through May 28, 2022, according to a notice posted to the Federal Register Tuesday. 

The new directive issued Tuesday “requires owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions,” according to a DHS press release. 

“The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” Secretary of Homeland Security Alejandro Mayorkas said in the release.  “Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security. Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

On Tuesday, CISA released updated advisories related to attacks on industrial control systems like those used to manage pipelines as well as a whole host of physical processes in critical sectors.  

“The cybersecurity threats posed to the industrial control systems (ICS) that control and operate critical infrastructure are among the most significant and growing issues confronting our nation,” CISA wrote, adding, “although these publications detail historical activity, the [tactics, techniques and procedures] remain relevant to help network defenders protect against intrusions.”

President Joe Biden is set to discuss the administration’s recent cybersecurity efforts, among other priorities, during a full Cabinet meeting Tuesday, White House Press Secretary Jen Psaki said during a Tuesday briefing.  

The White House has been addressing cybersecurity at the highest levels since Biden took office six months ago, including through a trip to Europe where he met with Russian President Vladimir Putin and the more recent attribution of a wide-scale attack on Microsoft Exchange servers to elements of the Chinese government. 

The updated advisories CISA released on ICS attacks Tuesday included activity attributed to China and Iran, in addition to Russia. 

Testifying before a House Energy and Commerce Committee panel Tuesday, Robert Lee, CEO of the ICS-specific firm Dragos, said he’s aware of 15 state actors targeting operational technology in critical infrastructure. 

Lee praised a White House effort attempting to guide the electric sector toward implementing appropriate defenses, noting the importance of a certain degree of flexibility. 

“The government laid out the requirements and why they wanted companies to do this, but did not dictate the solution or how they had to achieve it,” he said.

When pressed during the hearing, another witness, Microsoft Assistant General Counsel Kemba Walden, said Congress should specifically mandate that companies implement commonly acknowledged cybersecurity best practices, such as the use of multifactor authentication.