An official from the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) said in a virtual hearing that the agency was in the process of putting together additional cybersecurity requirements that pipeline companies will have to comply with, following the Colonial Pipeline ransomware attack last month.
“We are continuing to develop additional measures for pipeline companies, and we are developing now a second security directive which would have the force of a regulation,” Sonya Proctor, TSA’s assistant administrator for Surface Operations, said at the virtual hearing this week. She also said that the upcoming second directive would be classified as more sensitive in nature than the first directive due to “the nature of the mitigating measures that are going to be required.”
She noted that the directive “will require more specific mitigation measures, and it will ultimately include more specific requirements with regard to assessments,” and that TSA inspectors trained in both pipeline operations and cybersecurity will be tasked with ensuring pipeline companies adhere to both directives.
Proctor, however, did not say at the hearing exactly when the second round of requirements would be released.
The hearing was an opportunity for members to hear from officials at the Cybersecurity and Infrastructure Security Agency (CISA) and the TSA about the federal government’s response to the ransomware attack that crippled the Colonial Pipeline and the lessons learned to improve the overall resilience and cyber readiness of the pipeline sector, the transportation sector, and other critical infrastructure owners and operators.
Yvette Clarke, a Democrat from New York and subcommittee chairwoman, said in a joint hearing statement that she is “working on legislation that will require critical infrastructure to report certain cybersecurity incidents to CISA so that we’re developing the muscle memory and the institutional knowledge to improve our cyber defenses over time. But this is only half the battle. CISA also needs real-time visibility into threats on private-sector networks, so they’re empowered to collaborate with owners and operators before, during, and after an attack – or, prevent the attack from happening in the first place.”
“This is especially true for the industrial control systems that power pipeline operations, energy generation, and countless other industrial functions we rely on every day. These systems are increasingly connected to business and IT networks, which makes them vulnerable,” Clarke added.
“The attacks on Colonial and others provide opportunities to learn to improve the resiliency of the pipeline sector and critical infrastructure across the United States,” Bennie G. Thompson, a Democrat from Mississippi and Homeland Security Chairman, wrote in a joint subcommittee hearing statement. “I was pleased to see TSA take initial action by issuing the first-ever mandatory cybersecurity requirements for pipelines. These new requirements went into effect on May 28 and will be critical in improving coordination among the pipeline industry, CISA, and TSA.”
“More must be done to increase protections for our pipelines and allow federal authorities greater ability to assess weaknesses in critical transportation infrastructure. Unfortunately, cybercriminals are not going anywhere anytime soon. In fact, they are getting smarter, and cyber-attacks are likely to become more common,” Thompson added.
Following the Colonial Pipeline attack, critical pipeline owners and operators were required to carry out vulnerability assessments of their equipment and return responses by Jun. 28, under the security directive issued by the TSA. The pipeline companies were also required to meet new requirements for staffing and incident reporting.
Apart from the security directive, the U.S. administration also issued a memo earlier this month, addressed to corporate executives and business leaders, stating that tackling cybersecurity incidents was a “top priority” for the U.S. administration, as the number and size of ransomware incidents have increased significantly.
CISA also released guidelines for critical infrastructure owners and operators to review their operational technology (OT) assets and control systems, in direct response to the recent increase in ransomware attacks.