In addition, some legislators from both parties have proposed removing control of pipeline security from TSA, a branch of the Department of Homeland Security whose primary role is to prevent terrorist attacks on commercial aircraft.
The cyberattack on Colonial, first announced May 7, caused the Georgia-based company to shut down the 5,500-mile pipeline that supplies much of the East Coast’s gasoline, diesel and jet fuel, resulting in hoarding and widespread fuel shortages.
“The ransomware attack on the Colonial Pipeline was a powerful reminder of why we must take these steps,” a senior DHS official told reporters during a briefing Wednesday.
Under the new rule, pipeline operators have 12 hours to report cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency, which works with TSA on pipeline security. Within 30 days, they must also assess how their cybersecurity practices align with existing TSA guidelines and develop plans to address any loopholes.
TSA can impose daily penalties on companies that fail to comply.
Operators must also appoint a senior cyber employee who will communicate with TSA and CISA around the clock.
TSA plans to issue a second pipeline cyber policy with more stringent requirements in the coming weeks, The Washington Post reported.
“This is the first step in the immediate aftermath of the Colonial Pipeline incident and will be followed by others,” said a senior DHS official.
The new incident reporting requirement is designed to ensure that government cyber defenders understand the nature and scope of digital attacks in order to prevent further intrusion. Although Colonial alerted the FBI after discovering it had been hit by a blackmail attack called ransomware, it didn’t provide technical data to CISA until a few days later. The company also failed to tell CISA that it paid a multimillion-dollar ransom to regain access to its data.
The Colonial hack exposed the shortcomings of the federal government’s current approach to defending critical infrastructure. Few of the 16 infrastructure sectors managed by a cluster of different federal agencies face mandatory cyber requirements.
Additionally, some of the agencies responsible for overseeing infrastructure, including the TSA and the Environmental Protection Agency, have little cybersecurity experience and limited resources for digital threats. In 2018, TSA’s pipeline security division employed only six full-time employees. According to a report from the Government Accountability Office, the agency lacked a plan to ensure staff had the necessary cyber skills.
TSA now has enough staff to enforce the new rule, said a senior DHS official, and those staff have been trained by CISA and other government experts. “We are expanding this group further,” said the official.
As part of an existing partnership, CISA and TSA have conducted safety reviews of 23 pipelines since October 2020 and, according to the official, plan to conduct an additional 29 reviews over the next four months.
For years, federal cyber executives and industry executives have stressed cooperation rather than regulation as a means of protecting the infrastructure from hackers. Many companies – including some that operate the U.S.’s power plants, water treatment plants, and other critical infrastructure – either ignore cybersecurity or invest too few resources and too little attention in it, creating weak links that can lead to bigger problems.
Biden administration officials have also touted the value of public-private partnerships and voluntary information sharing, but the Colonial hack appears to have led the administration to take a stricter approach to protecting an important part of the country’s energy system.
“While we will have a more structured oversight … we look forward to a very collaborative relationship with the pipeline industry,” said a senior DHS official.
Another lesson from the Colonial hack, however, is that “we need to take a more muscular approach.”
In Congress, too, frustration over the voluntary approach has increased. A non-partisan group of legislators is drafting legislation that would oblige critical infrastructure companies and large IT service providers to disclose hacks to the government.
The TSA’s new rules are likely to cause a severe setback in the oil sector, which has resisted new regulations for its members, even though voluntary standards have been shown to be inadequate.
“Any discussion of regulation is premature until we fully understand the details of the Colonial attack,” said Suzanne Lemieux, manager of safety and security for the American Petroleum Institute, in mid-May.
As the TSA steps up its oversight of pipelines, some policy makers are wondering if it is the right agency to do the job at all. On the Hill, leaders of the House Energy and Commerce Committee are urging the Energy Department to take over TSA’s pipeline portfolio. The chairman of the House Homeland Security Committee, however, has argued that TSA has the necessary experience to keep its role.