TSA’s pipeline cybersecurity directive is just a first step, experts say

The new, hastily announced security directive requires US pipeline companies to appoint a cybersecurity coordinator and report possible breaches within 12 hours.


The Transportation Safety Administration (TSA), an arm of the US Department of Homeland Security (DHS), released a Security Directive on Enhancing Pipeline Cybersecurity. TSA released the document two days after the Biden administration leaked the details of the regulations and less than a month after the ransomware attack on Colonial Pipeline created a significant gas shortage in the Southeast US.

As a result of post-9/11 government maneuvering, the TSA gained statutory authority to secure surface transportation and ensure pipeline safety. The directive follows largely ineffective, voluntary pipeline security guidelines established by the TSA in 2010 and updated in 2018.

This new regulation requires that designated pipeline security companies report cybersecurity incidents to the DHS's Cybersecurity and Infrastructure Security Agency (CISA) no later than 12 hours after a cybersecurity incident is identified. The TSA estimates that about 100 companies in the US would fall under the directive's mandates.

Pipeline owners and operators must also designate a cybersecurity coordinator who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise. Finally, pipeline owners and operators must "review their current activities against TSA's recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA."

Although the fines do not appear anywhere in the directive, pipeline companies that fail to meet the security requirements would be subject to fines starting at $7,000 per day, government officials say. Moreover, the directive is likely just the start of fuller regulatory requirements. In its press release announcing the directive, the TSA said "it is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland."

Many experts say the directive is long overdue but is only just the start toward more robust pipeline security requirements. Chris Krebs, former director of CISA, called it an "incremental step" until security standards and performance standards are developed.

Some companies and experts are skeptical

Some oil and gas companies greeted the directive with skepticism, saying privately that the administration primarily pushed the directive out the door to generate a message of swift action in the wake of the Colonial Pipeline attack. Other oil-and-gas industry representatives suggest that the government did not sufficiently consult with relevant companies in drafting the directive.

The American Petroleum Institute's Manager of Operations Security and Emergency Response Suzanne Lemieux offered a more positive official stance. "API is supportive of TSA's efforts to strengthen cyber reporting and is working closely with the administration to develop incident reporting policies and procedures that best protect our critical infrastructure, including pipelines," she said in a statement. "Any regulations should enhance reciprocal information sharing and liability protections, as well as build upon our robust existing public-private coordination to streamline and elevate our efforts to protect the nation's critical infrastructure."

Bryson Bort, founder of security company Scythe and co-founder of the industrial control system (ICS) security non-profit organization ICS Village, agrees with Krebs that the directive is a step in a new direction. He also shares the sentiment of some oil and gas companies that the directive may have been precipitous. "It was rushed out to show they're doing something, which is why it doesn't do much other than provide a couple of sticks [and no carrots]," he tells CSO. "You can't paper problems, and it's going to take time for them to build the resources to do anything to help."

A clearer, more near-term benefit of the directive is the collection of much-needed breach statistics from pipeline companies. "The reporting will allow the US government to have data insights into the extent of the problem which they don't actually have today," Bort says.

Former Justice Department and Navy Department lawyer Robert Cattanach, now a partner at Dorsey and Whitney, also stresses the incremental nature of the directive. "It's only a very first step," he tells CSO. "I would predict that it's going to be a while before we actually see regulations that are meaningful."

Cattanach believes that one clear takeaway from the directive is that the pipeline industry "writ large is going to have to up their game on detection." He also thinks a balance has to emerge regarding what pipeline companies will be obligated to report. The directive states that pipeline companies must report "possible" cybersecurity incidents in addition to known incidents. "You can't be pulling the fire alarm every time you might smell smoke someplace," Cattanach says. "I think there has to be some balancing."

Fine structure is a mystery

One mystery surrounding the directive is the supposed $7,000 per day fines that pipeline companies might accrue, which are trivial penalties for lucrative pipeline operations. Moreover, establishing these kinds of sanctions against the private sector usually goes through lengthy rulemaking proceedings. "That's a years-long process," Cattanach says. "There's no way they could actually impose fines without going to comment."

The directive does not offer any discussion of the legal or administrative underpinnings for imposing fines on pipeline companies, nor does it explicitly mention the fines. "I've now gone through this literally backward and forwards, and I don't see anything about fines," Cattanach says. When asked about the fines, CISA officials directed CSO to talk to the TSA, which did not respond to CSO's request for further clarification on the fines.

The Enforcement Sanction Guidance Policy, where TSA spells out sanctions for regulation violations, could possibly be the vehicle for establishing pipeline fines. The policy does not currently specify anything about pipelines.

Additional regulations could take time to emerge

Even with the concerns and questions about the directive's implementation, "this is not a bad thing," Cattanach says. "What do they really have to do? Not that much. Kind of two things, right? They have to undertake this analysis, which they should be doing anyway. If they have a problem, they have to report it within 12 hours. None of that is controversial."

Despite various statements by the DHS that it might put out additional regulations in a few weeks, the timeframe for further steps is likely longer. "It'll be months. It's too important not to get right," Cattanach says.

Copyright © 2021 IDG Communications, Inc.
