TSA Directive Mandates Cybersecurity Action from Pipeline Owners

The Colonial Pipeline ransomware attack has spurred unprecedented action today from the U.S. government, which has mandated incident-reporting procedures and hardened cybersecurity practices from pipeline owners and operators, many of whom operate privately within this critical infrastructure sector.

The Transportation Security Administration (TSA)'s introduction today of its new Security Directive specifically puts private sector owners and operators on notice that they can no longer opt out of cybersecurity controls suggested by the federal government.

While the directive isn't prescriptive about technical controls and safeguards, it specifies three actions that will focus owners and operators on specific cybersecurity outcomes and improve the resilience of their IT and OT networks and systems.

The directive is likely to be a jolt for pipeline companies. But the aftermath of the Colonial Pipeline attack—gasoline and other fuel shortages, higher prices for consumers, and crumbling consumer confidence in the cybersecurity of critical infrastructure—is the impetus for this newfound urgency to move toward resilient systems, while improving transparency and accountability between the private and public sectors.

And it's not likely to be the last cybersecurity directive for critical infrastructure. Already, we've seen the Biden administration implement a 100-day plan to improve power grid security, and sign an executive order mandating modernization of the cybersecurity of federal computer systems, secure software development, and improved supply chain security. CISA, meanwhile, has been allocated more than $50 billion in the administration's proposed fiscal budget.

Today's Security Directive is a stark reaction to the May 7 Colonial Pipeline incident in which a Russian-speaking cybercrime group infected the company's IT networks with ransomware. Colonial Pipeline said it took its OT systems offline in order to contain the attack; that meant oil, gas, and other fuel distribution for the East Coast of the United States would grind to a halt. Prices at the pump immediately crept upward, and consumers scrambled to find gasoline that was suddenly in short supply.

The directive begins with mandatory reporting within 12 hours of detection of incidents affecting IT and OT systems. The directive specifies incidents to include unauthorized system access, the discovery of malicious software, denial-of-service attacks, physical attacks against network infrastructure, and any other cybersecurity incident that results in disruption of IT or OT systems—in short, anything that would impact the safe delivery of products to customers, critical infrastructure, national security, economic security, or public health and safety.

Owners and operators are also required under the new directive to conduct a vulnerability assessment of IT and OT systems within 30 days. The assessment should begin with whether current practices align with the TSA's 2018 pipeline security guidelines; pipeline owners must identify gaps and remediation measures, and report to TSA and CISA.

Finally, pipeline owners must appoint a 24/7 Cybersecurity Coordinator within seven days who will coordinate internal cybersecurity practices, work as a liaison between the pipeline and law enforcement and emergency response agencies, and be the primary point of contact for CISA and TSA.

The directive balances its cybersecurity requirements with latitude over how they choose to implement technical controls and safeguards in order to build resilience. Over time, pipeline companies will equip themselves to make better decisions around cyber policies, awareness, training, skill development, and the many other aspects that go into a holistic cybersecurity program.

Industry-wide compliance is not something that can happen overnight and this may be an arduous process for some organizations, depending on the current state of their cybersecurity posture. The important thing is that organizations get started, no matter where they are on their cybersecurity journey now.