TSA Implements 'Surge Team' to Allow Pipeline Industry Flexibility on Security Directives

The Department of Homeland Security’s Transportation Security Administration has added to its roster of cybersecurity professionals in efforts to relax security requirements the agency issued for pipeline owners and operators following a landmark ransomware attack.

According to a factsheet DHS shared with Nextgov describing the agency’s plans to secure the pipeline industry from cyberattack, TSA has been inundated with an unprecedented number of requests—380—from entities covered by a pair of directives the agency issued after Colonial Pipeline shut down operations in connection with a ransomware attack last May. 

The requests came in response to the second of the two directives. TSA never publicly released the actual directive, but according to the factsheet, it instructs covered entities to, “implement a series of mitigation measures to reduce vulnerabilities and increase the resilience of both information technology and operational technology systems; develop and implement contingency/recovery plans; and test the effectiveness of cybersecurity practices annually through a cybersecurity architecture design review conducted by a third party.”

After the second directive was published in July, 2021, representatives from the pipeline industry complained that it was too prescriptive and may even cause disruptions due to the complexity of the equipment involved in industrial-control-system environments. 

“TSA has received fewer than 10 notifications indicating concern about a potential future disruption,” according to the factsheet. “None of these claims have been determined by [the Pipeline and Hazardous Materials Safety Administration] to present risk of an operational disruption.”

At this point, the fact sheet says, the agency has processed 41 out of the 380 requests for the use of alternative measures and doesn’t plan on stopping the labor intensive process.

“Recognizing the need for expedited processing of these alternative measures requests, TSA established a surge team of cyber experts, policy writers and attorneys dedicated to reviewing and processing the requests for alternative measures,” according to the fact sheet.

A TSA spokesperson told the Wall Street Journal the agency intends to propose regulations, within the next year, to, “permanently codify a number of critical cybersecurity requirements for pipelines and other surface transportation systems.”

Reporting from SC Media suggests the agency plans to incorporate more flexibility for industry  to meet its security objectives however companies see fit.