TSA reportedly set to relax pipeline cybersecurity rules, adopt performance-based model

The Transportation Security Administration (TSA) is relaxing its pipeline cybersecurity rules, giving companies a longer window to report cyber attacks and more flexibility in designing their defenses, according to a Wall Street Journal article.

The move by the TSA comes as publicly traded companies are calling for the Securities and Exchange Commission to loosen proposed regulations that would require them to report hacks deemed material to their operations within four business days. Additionally, over the last year, U.S. President Joe Biden signed into law the Cyber Incident Reporting Act, which brought about reporting requirements for cyber incidents and ransomware payments. The law mandates that critical infrastructure owners and operators report ‘substantial’ cyber incidents to the U.S. government.

Designated pipeline operators are now required to report hacks to the government within 24 hours, double the previously mandated timeline, under a new version of the first directive that went into effect on May 29, according to the WSJ article. Citing pipeline lobbyists and a TSA spokesperson, the article also said that an update to the second directive, set to be released by July 26, is expected to focus less on forcing companies to install particular security measures.

The article also said that the goal is to move to a “performance-based model that will enhance security and provide the flexibility needed to ensure cybersecurity advances with improvements in technology.” It also added that the TSA is consulting with industry stakeholders and federal partners while modifying this security directive.

Last May, DarkSide ransomware hackers targeted Colonial Pipeline’s IT networks, which led to the company halting around 5,500 miles of pipeline operations in an abundance of caution to contain the attack. 

The TSA went on to issue two security directives in May and July, designed to strengthen the security of the country’s pipelines. The agency called upon pipeline owners and operators to designate a cybersecurity coordinator, report cyber incidents to CISA within 12 hours, implement a number of basic security hygiene measures, develop contingency plans in the event of a cyberattack, and subject their systems to robust vulnerability testing.

By December, the TSA announced two new security directives and additional guidance for voluntary measures for surface transportation systems and associated infrastructure. These initiatives aim to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to the infrastructure.

Commenting on the WSJ article, Ron Fabela, SynSaber CTO & co-founder, wrote in an emailed statement that reactive cybersecurity rules continue to be a challenge for the entire industry, not just pipeline operations.

“The move to more performance-based metrics does give asset owners and operators room to implement security controls that meet their unique environmental requirements, and while expanding the breach notification timeline from 12 to 24 hours must be a relief, the industry needs to ask, ‘what happens after I report?’” Fabela said.

Breach notification has potential for confusion as the community wrestles with ‘what event or events constitute a reportable breach,’ and more critically, ‘what are the benefits of reporting besides compliance,’ according to Fabela. “With a focus on breach notification becoming standard across all sectors, it’s apparent that scalable and flexible monitoring be factored into every compliance program, as the answer of ‘we didn’t know’ is no longer acceptable to regulators,” he added.

“The updated guidance serves to highlight 2 important things; 1- Attempting to prescribe solutions across an entire sector can be complicated, if not impossible, and 2- cooperation between government and the private sector is crucial to our success,” Chris Grove, cyber security strategist and director at Nozomi Networks, wrote in an emailed statement. “We need an increase in transparency between asset owners, government, and other stakeholders, in a way that improves our ability to respond to threats without overburdening the asset operators, or codifying recommendations that could work against the tenets of safe and secure industrial operations,” he added.

These much-needed changes allow for defenders to be more agile, and do what’s best for their specific infrastructure and environment using a measurable, performance-based approach, Grove added.

Earlier this year, the chairman of the Federal Energy Regulatory Commission (FERC) highlighted at a hybrid legislative hearing held by the U.S. Committee on Energy and Commerce that the “lack of mandatory reliability standards, especially for natural gas pipelines, poses a risk to the reliability of the Bulk-Power System due to the interdependency of our nation’s gas and electric infrastructure.” The meeting also took up the concern of the designation of a single federal agency with authority over pipeline reliability.

On the legislative front, a new bill was introduced last December in the U.S. House of Representatives that would direct the FERC to create a new, stakeholder-driven entity responsible for developing energy pipeline reliability and cybersecurity standards.
